Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
Essential information
- Published: 02/06/2026 14:33
- Modified: 03/06/2026 09:35
- Tags: 2026-06-02, backdoor, browser hijacking, calendaromatic, flutterbridge, fluttershell, google ads, javascript bridge, jscorerunner, macos, recipelister, shell companies
- Related entities: 9 observables, 1 intrusion set (APT), 20 techniques (MITRE), 4 malware, 8 others
Description
A financially motivated cybercrime cluster designated CL-CRI-1089 has launched Operation FlutterBridge, deploying the FlutterShell backdoor against macOS systems through malvertising. Built with the Flutter framework, FlutterShell masquerades as legitimate applications, including podcast players and PDF viewers, and delivers adware with full backdoor capabilities such as shell command execution and file system manipulation. The malware uses a WebView-based architecture with a JavaScript-to-native bridge, which lets the operators change its behavior dynamically by serving new JavaScript rather than recompiling the application. Distribution occurs through hundreds of Google-verified advertisements controlled by shell companies, including AdsParkPro LTD and Advantage Web Marketing LLC. The campaign primarily targets Anglophone and Western European markets. All samples were signed with valid Apple Developer IDs and successfully passed notarization, initially achieving zero detections on VirusTotal. The malware hijacks Google Chrome browsers, redirecting traffic ...