Matrix Push C2
Matrix Push C2 is a browser-native, fileless command-and-control platform used in phishing, social engineering, and malware delivery campaigns. It abuses legitimate web push notification functionality after victims are tricked into granting notification permissions on malicious or compromised websites. Once enabled, operators can send fake alerts that impersonate operating system, browser, or trusted brand notifications, including lures themed as Netflix, PayPal, Cloudflare, TikTok, and MetaMask. Clicking the notifications can redirect victims to phishing pages, credential-harvesting sites, or malicious links, and reporting indicates the platform can also be used to facilitate malware delivery and account takeover activity.
The platform has been described by researchers, including BlackFog, as a criminal service and malware-as-a-service offering. Reported capabilities include a web-based dashboard for sending notifications, tracking victims in real time, creating shortened links, configurable phishing templates, analytics, and recording installed browser extensions, including cryptocurrency wallets. It is cross-platform and can affect desktop and mobile users through any browser application subscribed to the malicious notifications. The platform has been characterized as using browser notifications as a command-and-control channel and enabling real-time monitoring of victims.
Supporting reporting states Matrix Push C2 was first observed in October 2025 and is sold via Telegram and cybercrime forums under a tiered subscription model with cryptocurrency payments. It has been associated with phishing, malicious link distribution, credential theft, possible installation of persistent malware, exfiltration of sensitive data, and scanning for cryptocurrency wallets. It has also been referenced as part of the broader fake CAPTCHA / ClickFix-style ecosystem, where browser-native frameworks are used as hand-off mechanisms in social engineering-driven attack chains.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Browser-native, fileless C2/phishing framework abusing push notifications, fake alerts, and redirects for cross-platform targeting.
A browser-native command-and-control framework referenced as part of fake CAPTCHA delivery chains for handing off execution.
Browser-native, fileless C2 framework that abuses push notifications and fake alerts to deliver social engineering attacks, redirect users to malicious sites, and monitor infected clients.
Matrix Push C2 is a browser-native, fileless command-and-control (C2) framework that leverages web push notifications, fake alerts, and link redirects to deliver social engineering attacks. It turns web browsers into attack delivery vehicles, tricking users into installing malware, visiting credential-harvesting sites, and scanning for cryptocurrency wallets.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.