{
  "name": "Operation FlutterBridge: The FlutterShell macOS Backdoor",
  "slug": "operation-flutterbridge-the-fluttershell-macos-backdoor",
  "description": "FlutterShell is a macOS backdoor delivered in a campaign that was active from December 2025 to March 2026 and is identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model in which commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impacts are Chrome browser hijacking, which injects sinterfumesco[.]com as the default search provider, and persistent infection through silent Sparkle framework updates.",
  "published": "2026-06-19T00:03:22.071000+00:00",
  "created_at": "2026-06-19T08:39:25.813000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-19T08:39:25.813000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "browser hijacking",
    "c2-conditional payload",
    "certificate rotation",
    "dart obfuscation",
    "flutter framework abuse",
    "fluttershell",
    "macos backdoor",
    "operation flutterbridge"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "d5e93086-e390-460b-aa3b-9483322ab19a",
        "name": "atsheisdomestic.org"
      },
      {
        "id": "d64897bf-5c18-4f23-ad8b-c1c7413b4449",
        "name": "https://healightejustb.org/welcome_page.js"
      },
      {
        "id": "9928494b-ba34-4b55-86dd-90a7c0610498",
        "name": "bf90fb31e6024d7e6616f5acd0e8aa28738a9095a508c1a986e1e974cb9e79a0"
      },
      {
        "id": "d6bb53fa-3bb4-41d1-a05b-250c44214e54",
        "name": "cc4f048e66c5ab3c0f1d767bb8fc464d082641f4888ea3cd14ea3775077c4bf2"
      },
      {
        "id": "e51d6c57-5450-4c01-a6c7-bda661767a22",
        "name": "134517796178a150a1585672be134169d6877082b598d840baa3f37b0222be26"
      },
      {
        "id": "37f745f8-1172-4b26-ad75-e36c0eac657f",
        "name": "etoftheappyrince.org"
      },
      {
        "id": "d6fc2768-7888-457b-bdbd-0aa9c86472c1",
        "name": "2c5bc9e95e1e9b73e3ba8870a008802899866a2c0e2e10112aefddf7a96af04e"
      },
      {
        "id": "f7999a33-4ebd-4725-be90-8efec4f3bb26",
        "name": "https://etoftheappyrince.org"
      },
      {
        "id": "4f4e1a53-ec74-4559-801c-b0de3fb32d0b",
        "name": "32da1437a2734224406c7e5e8d756f0c0cd58c0c959478571cbfc0cd564d018a"
      },
      {
        "id": "4c14b0fc-b000-45ea-8c78-2396740bf90c",
        "name": "event.process.parent.name"
      },
      {
        "id": "93df773c-f5cc-4b67-be29-3e1b990b58c1",
        "name": "sinterfumesco.com"
      },
      {
        "id": "36f4e0b5-3a65-48a5-8dfc-a3707a1fcd7d",
        "name": "fc091ddb4d845280aeb7745cfdb6b7cb0013abc35db9e634f055b8e8fb0b5b1e"
      },
      {
        "id": "0232ae6c-f430-4486-b1ae-3cf638342c60",
        "name": "https://healightejustb.org/welcome_page.html"
      },
      {
        "id": "8f15ca72-d21e-4a63-9a88-532ef8838078",
        "name": "https://atsheisdomestic.org/api/update-delay"
      },
      {
        "id": "38ebabfb-a3de-4f3a-b215-244b7ba920a0",
        "name": "https://atsheisdomestic.org/api/subscribe"
      },
      {
        "id": "459b404d-5044-44c0-85f4-71546642da73",
        "name": "https://atsheisdomestic.org/update-thanks.html"
      },
      {
        "id": "e6cda8f0-d9a0-40c9-b629-cbc862c280ec",
        "name": "event.process.name"
      },
      {
        "id": "62dbc6e9-67c8-4714-9241-544ba4374956",
        "name": "6c3f61d46d4de26b9cb16808bf17c33ae69f651a4b879e7b5612ff7f548e2a82"
      },
      {
        "id": "17b62641-77c6-4fca-9bd3-e6fe0f5c4be9",
        "name": "f544bfab72d380cc20692d8ec9d31ea666785fe225dccd55beab29a3c0fdfad2"
      },
      {
        "id": "91158831-73a7-4fdb-8dc8-be1fc6080577",
        "name": "https://healightejustb.org/api/central-config"
      },
      {
        "id": "abec6fc6-d95f-4c82-9811-593c995af05a",
        "name": "https://atsheisdomestic.org/api/podcasts"
      },
      {
        "id": "f134b327-251e-4c80-a56c-7b7b97d707ed",
        "name": "https://healightejustb.org/summarize-text"
      },
      {
        "id": "37e6d4f1-1842-443b-8d5a-baa2323d4356",
        "name": "https://healightejustb.org/checkForNewVersion"
      },
      {
        "id": "11ca922f-ffc4-44e9-b444-11ea7c0d3131",
        "name": "https://etoftheappyrince.org/..."
      },
      {
        "id": "1287bc73-b2db-41e7-88e0-e997c91a1656",
        "name": "https://etoftheappyrince.org/api/pdfs"
      },
      {
        "id": "c16c83f8-7fb1-487e-965f-c29ebfc076f3",
        "name": "363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34"
      },
      {
        "id": "b6310dfa-1148-4969-9650-55da2b09548e",
        "name": "healightejustb.org"
      },
      {
        "id": "52870a90-f66f-4891-b8ba-9875aab82047",
        "name": "https://etoftheappyrince.org/summarize-text"
      },
      {
        "id": "07863820-0bba-48ac-bab9-93d638a2c713",
        "name": "https://etoftheappyrince.org/api/update-delay"
      },
      {
        "id": "9f5527a9-8be5-4788-ad1d-e83358b4ee12",
        "name": "https://etoftheappyrince.org/update-thanks.html"
      }
    ],
    "attack_patterns": [
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "743d2e0c-e5d5-4ccb-a6bd-0035c4e88c37",
        "name": "T1176"
      },
      {
        "id": "880d45b0-e336-4f1a-8893-2796195f5500",
        "name": "T1543.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "cd3e8e6c-1ae7-4f71-9608-42c321ee27f8",
        "name": "FlutterShell",
        "slug": "fluttershell"
      }
    ],
    "observables": [
      {
        "id": "61823f36-a0d9-4803-af35-e82210f1617c",
        "name": "atsheisdomestic.org"
      },
      {
        "id": "9391bdd4-5fd1-45d8-91bc-1321ed467196",
        "name": "sinterfumesco.com"
      },
      {
        "id": "75c733ad-6a5f-4043-989d-824d27ee32c4",
        "name": "etoftheappyrince.org"
      },
      {
        "id": "9492da52-ac51-48ca-902f-ed1124008adc",
        "name": "healightejustb.org"
      },
      {
        "id": "b01f2049-5935-4b57-bce6-ab152f4a45f5",
        "name": "event.process.parent.name"
      },
      {
        "id": "5cec7214-791e-42e8-9b0c-4818fdcfc027",
        "name": "event.process.name"
      },
      {
        "id": "cb1a9d62-6867-44f7-ad87-0b9b6ee9a4d0",
        "name": "https://etoftheappyrince.org/api/update-delay"
      },
      {
        "id": "fdc64aa9-2593-4907-afb4-01f02efc4030",
        "name": "https://atsheisdomestic.org/update-thanks.html"
      },
      {
        "id": "e63db1e2-af6e-4599-97ff-32b0286345bc",
        "name": "https://healightejustb.org/welcome_page.js"
      },
      {
        "id": "505a9998-d50b-4de4-ac05-69244eeb17c0",
        "name": "https://healightejustb.org/summarize-text"
      },
      {
        "id": "3ea9aea3-266c-43c0-aadd-d137f1556863",
        "name": "https://etoftheappyrince.org/update-thanks.html"
      },
      {
        "id": "bfd7990f-401a-47ea-9273-0c2f147f301c",
        "name": "https://atsheisdomestic.org/api/subscribe"
      },
      {
        "id": "8d3191df-ee8f-438b-9fca-ee15b831d421",
        "name": "https://etoftheappyrince.org"
      },
      {
        "id": "0c6a9dd4-e5cc-4295-ab42-1d66e4421e2c",
        "name": "https://etoftheappyrince.org/api/pdfs"
      },
      {
        "id": "63172781-721d-4503-90c8-a5a1876a5f70",
        "name": "https://healightejustb.org/api/central-config"
      },
      {
        "id": "50d79961-4df7-4b6f-8427-ae3086691ccb",
        "name": "https://atsheisdomestic.org/api/podcasts"
      },
      {
        "id": "ecf016d7-c1cc-4e2f-a289-e1fc18b39d53",
        "name": "https://healightejustb.org/welcome_page.html"
      },
      {
        "id": "b1dc6b99-b918-4add-abc8-f6f16fcb790f",
        "name": "https://atsheisdomestic.org/api/update-delay"
      },
      {
        "id": "04b5890b-bc75-48f4-821b-05617ff8248f",
        "name": "https://healightejustb.org/checkForNewVersion"
      },
      {
        "id": "59fc4741-5692-4da0-b051-5b8f96d8dcc8",
        "name": "https://etoftheappyrince.org/..."
      },
      {
        "id": "499de114-c84a-4adf-a7ad-4c16b3b4829a",
        "name": "https://etoftheappyrince.org/summarize-text"
      }
    ]
  },
  "external_refs": [
    {
      "id": "a464b3c7-5e07-4156-86a5-c6d354b6978e",
      "standard_id": "external-reference--bde7646c-3db7-5a1d-a063-cf8727ee1926",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a34874a01c1f77a4c242d5b",
      "hash": null,
      "external_id": "6a34874a01c1f77a4c242d5b",
      "created": "2026-06-19T08:39:25.726Z",
      "modified": "2026-06-19T08:39:25.726Z",
      "createdById": null
    },
    {
      "id": "1b8cdfe7-7332-42ce-b0fe-1d65f39481ed",
      "standard_id": "external-reference--bfdd65d2-018e-59ab-97ef-0be8969f739e",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.levelblue.com/blogs/spiderlabs-blog/operation-flutterbridge-the-fluttershell-macos-backdoor",
      "hash": null,
      "external_id": null,
      "created": "2026-06-19T08:39:25.752Z",
      "modified": "2026-06-19T08:39:25.752Z",
      "createdById": null
    }
  ]
}