A malicious campaign tracked as Matrix Push C2 is actively using browser push notifications as a vector to deliver phishing attacks and malicious software. The technique subverts a common web feature, turning it into a command-and-control (C2) channel through which threat actors interact with compromised systems and their users.
The attack begins when users are lured to a malicious website through social engineering, advertisements, or redirects. These sites then display a prompt asking the user to “Allow” notifications. Once permission is granted, the threat actors gain a persistent communication channel to the user’s browser, bypassing traditional email filters and security gateways.
How the Matrix Push C2 Attack Works
The core of the Matrix Push C2 operation relies on the Web Push API, a standard feature in modern browsers such as Chrome, Firefox, and Edge. After a user subscribes to notifications from a threat-actor-controlled site, the attackers can send messages directly to the user’s device. These messages appear as native system alerts, often mimicking legitimate notifications from antivirus software, system update services, or email providers.
The content of these notifications is crafted to create a sense of urgency. For example, a notification might falsely claim that the user’s system is infected or that their account credentials have expired. When the user clicks on the deceptive alert, they are redirected to a malicious destination. This method allows attackers to repeatedly target users long after they have left the initial malicious website.
Observed Payloads and Threats
The Matrix Push C2 campaign has been observed delivering two primary types of threats. The first is phishing, where the notification’s link directs the user to a credential harvesting page. These pages are designed to look identical to legitimate login portals for email services, social media platforms, or financial institutions, with the goal of stealing usernames and passwords.
The second threat is direct malware delivery. Clicking the notification can initiate an automatic download of a malicious file. The payloads delivered through this vector include information stealers, which collect sensitive data from the infected computer, and remote access trojans (RATs), which give the attacker control over the victim’s machine. By leveraging the trusted interface of browser notifications, attackers increase the likelihood of a successful infection.