According to Infosecurity Magazine, cybercriminals are now delivering malware through a newly discovered command-and-control platform called Matrix Push C2 that abuses browser push notification systems. The platform, discovered by security firm BlackFog and detailed in its November 20 report, tricks users into allowing notifications through social engineering on malicious websites. Once subscribed, attackers can push fake error messages and security alerts that appear to be from trusted providers like MetaMask, Netflix, Cloudflare, PayPal, and TikTok. The system operates as a fileless attack through standard browser technology, making it cross-platform compatible with Windows, Mac, Linux, and Android devices. Matrix Push C2 includes a web-based dashboard that gives attackers real-time intelligence on each victim and analytics tools to measure campaign effectiveness.
Why this is scary
Here’s the thing that makes this genuinely concerning: we’re talking about a direct, persistent connection to your browser. It’s not like traditional phishing where they send an email and hope someone clicks. The attacker literally has a live channel to your desktop or mobile device through notifications you’ve technically “approved.” And because it’s fileless initially, traditional antivirus might completely miss it.
Think about how many times you’ve seen those “Click allow to prove you’re not a robot” prompts on sketchy websites. That’s exactly what they’re exploiting. Once you click allow, they own a communication channel that bypasses most of your security layers. The notifications look exactly like system alerts or legitimate app warnings too – they’ve got templates for all the major services.
The business angle
Now, this is where it gets really sophisticated from an attacker’s perspective. They’re not just blindly sending malware – they’re running what amounts to a marketing campaign with analytics. The dashboard shows them which victims are active, what they’re clicking, and how well their fake messages are performing. They can A/B test their phishing templates and generate short, clean-looking URLs that redirect to the real malicious sites.
Basically, they’ve weaponized legitimate web technologies and combined them with professional-grade campaign management tools. And since this works across all platforms through standard browser features, the attack surface is massive.
What can you do?
BlackFog recommends using anti data exfiltration technology to block outbound traffic, but honestly, the first line of defense is much simpler: stop clicking “allow” on browser notifications from random websites. Seriously, when was the last time you actually needed a browser notification from some random site? Most of us don’t need any beyond maybe email or calendar services we explicitly trust.
Go through your browser settings right now and clear out any notification permissions you don’t absolutely need. And be super skeptical of any notification that asks you to click something – legitimate system alerts rarely work that way. This is one of those threats where user awareness might actually be more effective than any security software.
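To make that permission clean-up repeatable, here is an added example (not from the BlackFog report or the original article) that lists the origins holding a granted notification permission in a Chromium-based profile and flags those not on an allowlist. It assumes the JSON layout commonly seen in a Chromium profile's Preferences file, which is not a stable documented interface; the sample data, host names and function names are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

ALLOW = 1  # Chromium ContentSetting: 1 = allow, 2 = block, 3 = ask

# Constructed sample in the shape of a Chromium profile "Preferences" file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*":     {"last_modified": "0", "setting": 1},
  "https://verify-human.invalid:443,*": {"last_modified": "0", "setting": 1},
  "https://news.example.org:443,*":     {"last_modified": "0", "setting": 2}
}}}}}
""")

def allowed_notification_origins(prefs):
    """Origins that currently hold a granted notification permission."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                       .get("exceptions", {}).get("notifications", {}))
    granted = []
    for pattern, entry in exceptions.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            granted.append(pattern.split(",", 1)[0])  # drop the ",*" secondary pattern
    return sorted(granted)

def unexpected_origins(prefs, trusted_hosts):
    """Granted origins whose host is not on the caller's allowlist."""
    trusted = {h.lower() for h in trusted_hosts}
    flagged = []
    for origin in allowed_notification_origins(prefs):
        host = (urlsplit(origin).hostname or origin).lower()
        if host not in trusted:
            flagged.append(origin)
    return flagged

if __name__ == "__main__":
    # Optional argument: path to a copy of a profile's Preferences file.
    prefs = SAMPLE_PREFS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    for origin in unexpected_origins(prefs, {"mail.example.com"}):
        print("review and revoke:", origin)
```

Run it against a copy of the Preferences file rather than the live one, and revoke flagged entries through the browser's own site settings.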
