When the interface becomes the attack surface

by Black Hat Middle East and Africa

Attackers are getting in through the UI. Over the last few weeks, three campaigns (Tsundere, Matrix Push C2 and Sturnus) have shown how threat actors are turning ordinary interface features into command channels, surveillance layers and initial access vectors. It’s a development that’s pushing cybersecurity practitioners to rethink how they approach ‘trusted’ user experiences.

Tsundere: a blockchain-powered botnet hiding in game installers

If you needed a reminder that initial access is now UX engineering, the Tsundere botnet is a good place to start. 

Researchers at Kaspersky (as reported by The Hacker News) found that Tsundere was delivered in at least one observed case via an MSI installer downloaded through a compromised RMM tool, and that artefact names such as Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) suggest the operator may be using game-related lures – potentially aimed at users searching for pirated or portable builds.

Once executed, the installer quietly drops Node.js, runs npm install, and pulls in three modules:

  • ws for WebSocket-based command-and-control
  • pm2 for persistence, auto-restart and registry-based autoruns
  • ethers to interact with Ethereum, where Tsundere stores its C2 ‘address book’

That last detail is the twist. Instead of hard-coded IPs, Tsundere queries a smart contract, created in September 2024, that stores the live C2 endpoint (e.g., ws://193.24.123[.]68:3011). This is decentralised infrastructure as resilience: no DNS, no central server, and no quick way to take down the lookup mechanism.
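A hunting heuristic built from the module combination described above, added here as an example and not code from the article or from Kaspersky: it scores npm manifests (package.json bodies) for the ws + pm2 + ethers triad, so a full match in a user-profile path stands out from a legitimate web project that merely uses ws. The manifest contents and paths are constructed for illustration.

```python
"""Hunting heuristic for Tsundere-style Node.js staging (added example).

Scores package.json contents for the three modules the article attributes
to the botnet: ws (WebSocket C2), pm2 (persistence/autorun) and ethers
(Ethereum-based C2 lookup). Sample manifests below are constructed.
"""
import json

# Module triad from the article, with the role each plays in the campaign.
TSUNDERE_TRIAD = {
    "ws": "websocket C2",
    "pm2": "persistence/autorun",
    "ethers": "Ethereum C2 lookup",
}


def score_manifest(manifest_text):
    """Return (score, matched_modules) for one package.json body.

    Score is the number of triad modules declared under dependencies or
    devDependencies; 3 means the full combination is present.
    """
    try:
        data = json.loads(manifest_text)
    except json.JSONDecodeError:
        return 0, []  # unparsable file: nothing to score
    declared = set()
    for key in ("dependencies", "devDependencies"):
        section = data.get(key)
        if isinstance(section, dict):
            declared.update(section.keys())
    matched = sorted(m for m in TSUNDERE_TRIAD if m in declared)
    return len(matched), matched


def triage(manifests):
    """Rank (path, package.json text) pairs, full-triad matches first."""
    findings = []
    for path, text in manifests:
        score, matched = score_manifest(text)
        if score:
            findings.append({"path": path, "score": score, "modules": matched})
    findings.sort(key=lambda f: -f["score"])
    return findings


# Constructed samples: a benign web project, a full-triad hit, a broken file.
SAMPLE_MANIFESTS = [
    ("C:/Users/dev/projects/webapp/package.json",
     json.dumps({"name": "webapp", "dependencies": {"express": "^4.18.0", "ws": "^8.0.0"}})),
    ("C:/Users/user/AppData/Roaming/r6x/package.json",
     json.dumps({"name": "r6x", "dependencies": {"ws": "^8.0.0", "pm2": "^5.0.0", "ethers": "^6.0.0"}})),
    ("C:/Users/user/AppData/Roaming/cs2/package.json", "not json"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MANIFESTS):
        print(f"{f['score']}/3 {f['path']} -> {', '.join(f['modules'])}")
```

A score of 3 is a triage lead, not a verdict; confirm by checking for a pm2-managed process and registry autorun before escalating.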

The operator panel behind Tsundere is equally telling. According to Kaspersky’s researchers, it can generate new MSI or PowerShell payloads, convert bots into proxies for routing malicious traffic, and even browse other botnets for purchase – showing that malware operators increasingly behave like DevOps teams with product dashboards.

And importantly, Tsundere makes the installer itself a core part of the tradecraft. It exploits user trust in familiar app names and the convenience of ‘just install and play’. The attack starts at the interface.

Matrix Push C2: your browser notifications as a control channel

If Tsundere abuses the installer, Matrix Push C2 abuses the browser.

Instead of starting with a traditional malware dropper, this service turns web push notifications into a long-lived fileless C2 and phishing mechanism, as detailed in a new report from Blackfog.

Victims only need to do one thing: click ‘Allow notifications’. From that moment, attackers can send OS-native alerts that look legitimate – ‘Suspicious login detected’, ‘Browser update required’, ‘Password expired’. The notification carries a phishing link; the browser becomes the delivery pipeline.

Matrix Push is sold as malware-as-a-service, with subscription tiers starting at US$150 per month. Operators get a sleek dashboard to:

  • push phishing notifications
  • shorten URLs
  • fingerprint browsers and log installed extensions
  • harvest crypto wallet details
  • deploy templates impersonating PayPal, Cloudflare, MetaMask, Netflix, TikTok, and others

Because everything happens inside the browser, the campaign is cross-platform by default and bypasses many endpoint controls. No download, no binary, no signature.

And the defensive challenge is almost philosophical: the attack depends on a user-interface decision – one that’s usually treated as benign UX, not a security gateway.

Sturnus: Android overlays and accessibility abuse in the wild

Tsundere and Matrix Push show how attackers hide in everyday desktop interfaces. And Sturnus shows how that logic extends to mobile.

It’s a new Android banking trojan in early testing, likely targeting financial institutions across Southern and Central Europe. In a report by ThreatFabric, researchers explain how it masquerades as apps including Google Chrome and Preemix Box, then requests broad accessibility service permissions – the point at which the user interface becomes the real attack surface.

Once granted, Sturnus can:

  • log keystrokes and inspect UI elements
  • trigger taps, swipes and text entry remotely
  • launch apps, approve permissions and manipulate screens
  • deploy black-screen overlays to hide activity

Its core capability is overlay-based credential theft. It draws fake banking login screens over real apps, then disables the overlay once credentials are captured – a subtle touch designed to minimise suspicion.

The privacy angle is brutal. Because Sturnus captures data at the screen layer, it can read WhatsApp, Telegram and Signal messages after they’re decrypted for display. It also blocks removal by detecting when users try to revoke admin rights and redirecting them away from system settings.

In short, Sturnus turns the Android UI itself into both the surveillance tool and the persistence mechanism.

Three important notes for defenders

  1. Interface permissions are now security controls.
    Notifications, accessibility, overlays, installers – none of them are ‘just UX’ anymore. They’re high-risk gateways that need policy.
  2. Decentralised, browser-native, and UI-layer C2 reduces detection visibility.
    Tsundere’s Ethereum lookup and Matrix Push’s push notification channel weaken traditional IOC and infrastructure-based monitoring.
  3. Mobile and browser telemetry gaps are becoming structural weaknesses.
    Many organisations have strong EDR on laptops but almost no visibility into Android accessibility misuse or browser notification sprawl.

The thread running through all these cases is that attackers are moving into the seams between UX design and security architecture. So cybersecurity practitioners will need to treat those seams as part of the perimeter.
