Published on June 4, 2026

FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads


Severity

Medium

Detail

Cybersecurity researchers have uncovered a macOS malvertising campaign known as Operation FlutterBridge, which distributes a new backdoor called FlutterShell. The activity is attributed to a threat cluster tracked as CL-CRI-1089, a group active since at least 2023 and previously linked to the JSCoreRunner (FileRipple), Recipe Lister, and Calendaromatic campaigns.

The operation uses malicious advertisements and trojanized productivity applications to infect macOS users, combining adware functionality with backdoor capabilities that enable remote system access and data theft.

How?

The attack begins with malicious Google and YouTube advertisements that impersonate legitimate software offerings. These ads are distributed through Google-verified shell companies and target macOS users primarily in the United States, Canada, Australia, France, and Germany.

Victims who download and install the advertised applications unknowingly deploy FlutterShell, a Flutter-based malware signed with valid Apple Developer IDs and successfully notarized by Apple, allowing it to bypass initial security checks and appear legitimate.

Once executed, FlutterShell modifies Google Chrome configuration files and redirects browser traffic through attacker-controlled intermediary websites filled with advertisements. At the same time, the malware establishes backdoor access, enabling attackers to execute shell commands, interact with the file system, and collect environment information from compromised systems.

Unlike traditional malware that embeds most of its functionality within the binary, FlutterShell uses a WebView-based architecture with a JavaScript-to-native bridge. This allows malicious code to be hosted remotely and delivered dynamically from attacker-controlled servers, enabling operators to modify functionality, deploy new capabilities, and update malicious logic without reinstalling or updating the malware.

Researchers also observed variants capable of system fingerprinting, browser session theft, and AI-powered document summarization. In these cases, documents are routed through attacker-controlled infrastructure before processing, creating opportunities for sensitive data exposure.

Conclusion

Operation FlutterBridge demonstrates the continued effectiveness of malvertising campaigns and highlights how threat actors are increasingly leveraging trusted software signing processes, legitimate advertising platforms, and dynamic WebView-based architectures to evade detection.

Organizations and users should exercise caution when downloading software from advertisements, verify application publishers before installation, and monitor for unexpected browser configuration changes or unauthorized outbound communications. Security teams should also inspect notarized applications for suspicious behavior, as valid code signing and notarization do not guarantee that software is safe.
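The advisory describes FlutterShell rewriting Google Chrome configuration files so that traffic is routed through attacker-controlled sites, and recommends monitoring for unexpected browser configuration changes. The following is an added example, not code from the advisory, from The Hacker News, or from the researchers who analysed the campaign. It compares a saved known-good copy of a Chrome profile's Preferences JSON against the current file and flags drift in the keys that can redirect browsing (proxy settings, startup pages, homepage, default search), then reports any referenced host that is not on an allowlist. The key names follow Chrome's Preferences layout as the author understands it and are an assumption; the advisory does not state which keys FlutterShell edits, and the sample preference documents and `.invalid` hostnames are constructed, not indicators from the campaign.

```python
"""Detect traffic-redirecting drift in a Chrome Preferences file.

Added example; not from the advisory. The watched key names are assumed
Chrome Preferences paths and should be confirmed against a known-good profile.
On macOS the per-profile file lives at
~/Library/Application Support/Google/Chrome/Default/Preferences.
"""
import json
from urllib.parse import urlparse

# Dotted paths into the Preferences JSON that can change where traffic goes.
# Assumed Chrome key names (not taken from the advisory).
WATCHED_KEYS = (
    "proxy.mode",
    "proxy.server",
    "proxy.pac_url",
    "homepage",
    "homepage_is_newtabpage",
    "session.restore_on_startup",
    "session.startup_urls",
    "default_search_provider_data.template_url_data.url",
)

# Watched keys whose values are a URL or a list of URLs.
URL_KEYS = (
    "proxy.pac_url",
    "homepage",
    "session.startup_urls",
    "default_search_provider_data.template_url_data.url",
)


def load_prefs(path):
    """Read a Preferences JSON file from disk (use for the live profile)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def get_path(prefs, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def diff_watched_keys(baseline, current):
    """Return [(key, before, after)] for every watched key whose value changed."""
    changes = []
    for key in WATCHED_KEYS:
        before, after = get_path(baseline, key), get_path(current, key)
        if before != after:
            changes.append((key, before, after))
    return changes


def hosts_outside_allowlist(prefs, allowed_hosts):
    """Return sorted hosts referenced by redirect-capable keys but not allowlisted."""
    flagged = set()
    for key in URL_KEYS:
        value = get_path(prefs, key)
        urls = value if isinstance(value, list) else [value]
        for url in urls:
            if isinstance(url, str):
                host = urlparse(url).hostname
                if host and host not in allowed_hosts:
                    flagged.add(host)
    # proxy.server may be "host:port", "scheme://host:port" or "scheme=host:port";
    # strip any scheme prefix and port to recover the host.
    server = get_path(prefs, "proxy.server")
    if isinstance(server, str) and server:
        host = server.rsplit("=", 1)[-1].split("://")[-1].split(":")[0]
        if host and host not in allowed_hosts:
            flagged.add(host)
    return sorted(flagged)


def assess_profile(baseline, current, allowed_hosts):
    """Combine drift and allowlist checks into a list of human-readable findings."""
    findings = []
    for key, before, after in diff_watched_keys(baseline, current):
        findings.append(f"changed {key}: {before!r} -> {after!r}")
    for host in hosts_outside_allowlist(current, allowed_hosts):
        findings.append(f"non-allowlisted host referenced: {host}")
    return findings


# Constructed sample data (not real indicators): a known-good baseline and a
# later snapshot whose proxy and startup pages now point at unfamiliar hosts.
BASELINE_PREFS = json.loads("""{
  "homepage": "https://intranet.example.com/",
  "homepage_is_newtabpage": false,
  "proxy": {"mode": "system"},
  "session": {"restore_on_startup": 4, "startup_urls": ["https://intranet.example.com/"]},
  "default_search_provider_data": {"template_url_data": {"url": "https://www.google.com/search?q={searchTerms}"}}
}""")

OBSERVED_PREFS = json.loads("""{
  "homepage": "https://intranet.example.com/",
  "homepage_is_newtabpage": false,
  "proxy": {"mode": "pac_script", "pac_url": "http://pac.example.invalid/proxy.pac"},
  "session": {"restore_on_startup": 4,
              "startup_urls": ["https://intranet.example.com/", "http://ads-gateway.example.invalid/start"]},
  "default_search_provider_data": {"template_url_data": {"url": "https://www.google.com/search?q={searchTerms}"}}
}""")

ALLOWED_HOSTS = {"intranet.example.com", "www.google.com"}

if __name__ == "__main__":
    for line in assess_profile(BASELINE_PREFS, OBSERVED_PREFS, ALLOWED_HOSTS):
        print(line)
```

In practice the baseline is captured once from a freshly provisioned profile (`load_prefs` on the live file) and stored out of reach of the browser user; the comparison can then run from a periodic job, with any finding raised for review alongside the signing identity and notarization status of recently installed applications, since, as the advisory notes, a valid signature does not by itself establish that an application is benign.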

Source

https://thehackernews.com/2026/06/fluttershell-backdoor-spreads-to-macos.html