FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads

MacThreat

Malicious actors behind the campaign tracked as Operation FlutterBridge are now deploying a new macOS backdoor dubbed FlutterShell through fraudulent Google and YouTube advertisements, marking an evolution in a long-running malvertising cluster.

FlutterShell: A Dual-Purpose Payload

Built using the Flutter framework, FlutterShell functions as both adware and a fully capable backdoor. According to Palo Alto Networks Unit 42, the malware supports arbitrary shell command execution, file system manipulation, and exfiltration of environment variables.

The campaign is attributed to a cybercrime group tracked as CL-CRI-1089, which has been active since at least 2023. All observed FlutterShell samples were signed with valid Apple Developer IDs and passed Apple’s notarization process, meaning automated security checks did not flag them as malicious at the time of submission.

Infection Chain and Malvertising Infrastructure

The attackers distribute malicious ads using a network of Google-verified shell companies, including AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED. These ads target macOS users in the U.S., Canada, Australia, France, and Germany.

Upon execution, FlutterShell modifies Google Chrome configuration files to hijack browser traffic. All searches and navigation are redirected through an attacker-controlled, ad-filled intermediary site, generating revenue for the threat actors while enabling further malicious activity.
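The report names the technique (altered Chrome configuration so searches and start pages route through a redirector) but not the files or keys. The following is an added detection example written for this article, not code from Unit 42 or MacThreat: it parses a constructed Chrome `Preferences` JSON (on macOS typically under `~/Library/Application Support/Google/Chrome/<profile>/Preferences`) and flags search-provider, homepage and startup URLs whose host is outside an allowlist. The key paths, the trusted-host set and the `search-redirector.example` host are assumptions, not indicators from the report.

```python
import json
from urllib.parse import urlparse

# Hosts the defender accepts as search providers / start pages (assumption: tune per fleet).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}

# Constructed sample of a Chrome "Preferences" file after a hypothetical hijack.
# Key paths follow Chrome's Preferences layout as understood by this editor;
# "search-redirector.example" is a placeholder, not an IoC from the report.
SAMPLE_PREFS = json.dumps({
    "homepage": "https://search-redirector.example/home",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["https://search-redirector.example/start"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Google",          # still claims to be Google ...
        "keyword": "google.com",
        "url": "https://search-redirector.example/s?q={searchTerms}"}},  # ... but is not
})


def _host(url: str) -> str:
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def find_hijack_indicators(prefs_text: str, trusted=TRUSTED_HOSTS):
    """Return (setting, url) pairs whose host is not in the trusted set."""
    prefs = json.loads(prefs_text)
    findings = []
    # Default search engine: the classic redirector sign is a provider that keeps a
    # familiar display name while its search URL points at an unrelated host.
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tud.get("url") and _host(tud["url"]) not in trusted:
        findings.append(("default_search_provider", tud["url"]))
    # Explicit homepage (only meaningful when the homepage is not the new-tab page).
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", True) \
            and _host(homepage) not in trusted:
        findings.append(("homepage", homepage))
    # Pages opened at startup.
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in trusted:
            findings.append(("startup_url", url))
    return findings


if __name__ == "__main__":
    for setting, url in find_hijack_indicators(SAMPLE_PREFS):
        print(f"suspicious {setting}: {url}")
```

Run it against every Chrome profile on a host and alert on any non-empty result; a display name of "Google" paired with a foreign search host is the strongest single signal.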

Broader Campaign Context

Operation FlutterBridge is the latest stage of the JSCoreRunner activity cluster, first reported in August 2025. It also overlaps with the TamperedChef series of campaigns, which use trojanized productivity applications to deliver potentially unwanted programs and adware.

Records from YouControl and the U.K. Companies House register indicate that the shell companies all have links to Ukrainian individuals, though no Google Ads accounts remain active in the Transparency Center. Detections of FlutterShell were observed as recently as March 2026.

What This Means for Enterprise Security

This campaign demonstrates that Apple’s notarization process is not a reliable defense against macOS malware. Enterprises should treat malvertising as a persistent threat vector and enforce application allowlisting, endpoint detection, and browser security controls. The use of legitimate developer credentials and verified ad accounts underscores the need for layered defenses that do not rely solely on platform-level trust.

Originally reported by The Hacker News. Adapted and republished with editorial context for MacThreat.
