Operation FlutterBridge: The FlutterShell macOS Backdoor
Essential information
- Published
- 19/06/2026 02:03
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser hijacking, c2-conditional payload, certificate rotation, dart obfuscation, flutter framework abuse, fluttershell, macos backdoor, operation flutterbridge
- Related entities
- 30 indicators, 21 observables, 12 techniques (mitre), 1 malware
Description
FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.
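A defender-side check for the Chrome search-provider hijack described above, added here as an example and not part of the report or of any vendor tooling. It assumes Chrome keeps the configured default search engine under `default_search_provider_data.template_url_data` in the profile's "Secure Preferences" JSON file; the allowlist and the sample profiles are constructed.

```python
"""Flag Chrome profiles whose default search provider points at the
FlutterShell indicator domain or at any provider outside an allowlist."""
import json
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Indicator from the report, with the defanging brackets removed.
HIJACK_DOMAIN = "sinterfumesco.com"
# Assumed allowlist: providers an organisation expects to see configured.
ALLOWED = {"google.com", "bing.com", "duckduckgo.com"}


def search_provider_host(prefs: dict) -> Optional[str]:
    """Return the host of the configured default search URL, or None if unset."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = data.get("url")
    if not url:
        return None
    host = (urlparse(url).hostname or "").lower()
    return host.removeprefix("www.")


def assess(prefs: dict) -> str:
    """Classify a parsed preferences document: default, clean, suspicious, hijacked."""
    host = search_provider_host(prefs)
    if host is None:
        return "default"      # nothing overridden; Chrome's built-in default applies
    if host == HIJACK_DOMAIN or host.endswith("." + HIJACK_DOMAIN):
        return "hijacked"     # matches the FlutterShell indicator
    if any(host == a or host.endswith("." + a) for a in ALLOWED):
        return "clean"
    return "suspicious"       # unexpected provider; review the profile


def scan_profile(secure_prefs: Path) -> str:
    """Assess a real profile, e.g. ~/Library/Application Support/Google/Chrome/Default/Secure Preferences (assumed path)."""
    with secure_prefs.open(encoding="utf-8") as fh:
        return assess(json.load(fh))


# Constructed samples, not real captures.
SAMPLE_HIJACKED = {"default_search_provider_data": {"template_url_data": {
    "keyword": "search", "url": "https://www.sinterfumesco.com/search?q={searchTerms}"}}}
SAMPLE_CLEAN = {"default_search_provider_data": {"template_url_data": {
    "keyword": "google.com", "url": "https://www.google.com/search?q={searchTerms}"}}}

if __name__ == "__main__":
    for name, sample in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {assess(sample)}")
```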