Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
Operation FlutterBridge is a malvertising campaign that delivers the FlutterShell backdoor to macOS users. FlutterShell poses as legitimate applications and is built on a Flutter WebView with a JavaScript-to-native bridge, so its operators can change what it does from the web side without shipping a new binary. It is distributed through Google-verified ads placed by shell companies, and every sample is signed with a valid Apple Developer ID and notarized, so Gatekeeper accepts it and detection initially lags. Once installed it gives the operators shell command execution and file-system manipulation, and it hijacks Google Chrome to redirect traffic. Targeting is concentrated on Anglophone and Western European markets. Because this is a malware campaign rather than a product vulnerability there is no patch, and no official remediation guidance has been published.
AI Analysis
Technical Summary
A financially motivated cybercrime group tracked as CL-CRI-1089 is running Operation FlutterBridge, which delivers the FlutterShell backdoor to macOS hosts through malvertising. FlutterShell masquerades as legitimate utilities such as podcast players and PDF viewers; the visible payload is adware, but the application also carries backdoor functionality, including shell command execution and file-system access. It is built on a Flutter WebView with a JavaScript-to-native bridge, so the operators can change the app's behaviour by serving different web content rather than recompiling and re-signing a binary. Distribution runs through hundreds of Google-verified ads managed by shell companies (AdsParkPro LTD, Advantage Web Marketing LLC). Every sample observed was signed with a valid Apple Developer ID and notarized, and initially had no detections on VirusTotal. The malware also hijacks Google Chrome to redirect user traffic. Targeting concentrates on Anglophone and Western European users. No software vulnerability is exploited in the chain described: the victim is lured by an ad and installs a signed, notarized application. As a malware campaign it has no patch, and no official remediation guidance has been published.
Potential Impact
On an infected Mac the operators have full backdoor control: arbitrary shell command execution and file-system manipulation, which is enough for unauthorized access, data compromise and persistent control of the host. Hijacking Google Chrome lets them redirect user traffic, for example to phishing or further malicious sites. The valid Developer ID signatures and notarization matter because Gatekeeper and notarization verify only that code was signed by a registered developer and passed Apple's automated scan at submission time, not that the developer is trustworthy; the samples therefore launch without a Gatekeeper warning and, initially, without antivirus detection.
Mitigation Recommendations
There is no patch to apply: this is a malware campaign, not a product vulnerability, and no official remediation guidance has been published. The infection chain is social engineering (an ad that leads to a signed, notarized installer), so the useful controls are the ones that act on that chain. Install software only from the vendor's own site or the App Store rather than from ad click-throughs, and before trusting a download inspect its signer with codesign -dv --verbose=4 and spctl -a -vv: a notarized "podcast player" or "PDF viewer" from a Team ID nobody in the organisation recognises is the tell, because notarization says nothing about the developer's intent. Block the domains listed below at DNS or the proxy, and hunt for the listed SHA-256 hashes with EDR or a file-hash sweep of /Applications and user download folders. On a hit, remove the application and any persistence it established and restore Chrome to a known-good configuration, since the malware tampers with the browser. Follow vendor advisories as they appear: Apple can revoke the abused Developer ID certificates and add XProtect signatures, but neither cleans up hosts that are already compromised. Keeping macOS and security tooling current remains a baseline, not a complete defence, against notarized malware.
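The signer check described above, as an added example (this is not Unit 42's or this page's code). It runs the real macOS tools codesign -dv --verbose=4 and spctl -a -vv -t exec when they are present, parses their output, and returns "allow" only for a Team ID on an organisation allowlist; a valid Developer ID plus notarization from an unknown Team ID gets "review", anything else "block". The allowlist entry, the bundle paths, the Team IDs and the sample tool output are constructed for illustration, so the parsing can be exercised on a non-Mac.

```python
"""Triage a macOS app by its code signature: Developer ID + notarized != trusted.

Added example, not Unit 42's or the page's code. Allowlist, paths, Team IDs and
the sample tool output below are constructed for illustration.
"""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed allowlist of Team IDs your organisation has vetted (hypothetical value).
ALLOWED_TEAM_IDS = {"ABCDE12345"}


@dataclass
class SigInfo:
    identifier: Optional[str] = None
    team_id: Optional[str] = None
    authority: List[str] = field(default_factory=list)
    notarized: bool = False


def parse_codesign(text: str) -> SigInfo:
    """codesign -dv prints key=value lines (on stderr); Authority= repeats per cert."""
    info = SigInfo()
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "Authority":
            info.authority.append(val)
        elif key == "Identifier":
            info.identifier = val
        elif key == "TeamIdentifier":
            info.team_id = val
    return info


def parse_spctl(text: str) -> bool:
    """spctl -a -vv reports 'source=Notarized Developer ID' for notarized code."""
    m = re.search(r"^source=(.+)$", text, re.M)
    return bool(m and "Notarized" in m.group(1))


def classify(codesign_text: str, spctl_text: str) -> Tuple[str, SigInfo]:
    """'allow' only for vetted Team IDs. Developer ID + notarization only means
    Gatekeeper will launch it; an unknown signer still needs human review."""
    info = parse_codesign(codesign_text)
    info.notarized = parse_spctl(spctl_text)
    dev_id = any(a.startswith("Developer ID Application:") for a in info.authority)
    if info.team_id and info.team_id in ALLOWED_TEAM_IDS:
        return "allow", info
    if dev_id and info.notarized:
        return "review", info
    return "block", info


def run_tool(args: List[str]) -> Optional[str]:
    """Run a macOS tool if it exists; codesign/spctl write their details to stderr."""
    if shutil.which(args[0]) is None:
        return None
    p = subprocess.run(args, capture_output=True, text=True)
    return p.stderr + p.stdout


def triage_bundle(path: str) -> Tuple[str, SigInfo]:
    cs = run_tool(["codesign", "-dv", "--verbose=4", path])
    sp = run_tool(["spctl", "-a", "-vv", "-t", "exec", path])
    if cs is None or sp is None:
        raise RuntimeError("codesign/spctl not found; this needs to run on macOS")
    return classify(cs, sp)


# Constructed tool output for a notarized app from an unvetted (hypothetical) Team ID.
SAMPLE_CODESIGN = """\
Executable=/Applications/Podcast Player.app/Contents/MacOS/Podcast Player
Identifier=com.example.podcastplayer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Podcasts Ltd (A1B2C3D4E5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=A1B2C3D4E5
"""
SAMPLE_SPCTL = """\
/Applications/Podcast Player.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Podcasts Ltd (A1B2C3D4E5)
"""
# Constructed output for an unsigned bundle.
SAMPLE_UNSIGNED_CODESIGN = "/Applications/Foo.app: code object is not signed at all\n"
SAMPLE_UNSIGNED_SPCTL = "/Applications/Foo.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real bundles: python3 triage.py /Applications/*.app
        for app in sys.argv[1:]:
            verdict, info = triage_bundle(app)
            print(f"{verdict:6} {app}  team={info.team_id} notarized={info.notarized}")
    else:
        print(classify(SAMPLE_CODESIGN, SAMPLE_SPCTL)[0])
        print(classify(SAMPLE_UNSIGNED_CODESIGN, SAMPLE_UNSIGNED_SPCTL)[0])
```

The point of the three-way verdict is that Gatekeeper's own answer ("accepted", notarized) is already the weakest acceptable bar; what separates an ad-delivered FlutterShell sample from a vendor's real app is whether the Team ID is one you have vetted, which is why the allowlist, not the notarization flag, decides "allow".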
Indicators of Compromise
- domain: atsheisdomestic.org
- domain: etoftheappyrince.org
- domain: healightejustb.org
- domain: sinterfumesco.com
- domain: ads-parkpro.com
- domain: adsparkpro.net
- domain: adsparkpro.top
- domain: softwe.art
- hash (SHA-256): 021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845
- hash (SHA-256): 30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530
- hash (SHA-256): 363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34
- hash (SHA-256): 48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745
- hash (SHA-256): 644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70
- hash (SHA-256): 8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109
- hash (SHA-256): 9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47
- hash (SHA-256): 9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de
- hash (SHA-256): b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea
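A hunt over these indicators, as an added example (not code from Unit 42 or this page). The domain and hash sets are the ones listed above; the log lines and the decoy file used by demo_disk_scan() are constructed. Domain matching is exact-or-subdomain rather than substring so that a look-alike such as notadsparkpro.net does not raise a false hit, and the disk sweep hashes regular files only, skipping symlinks, oversized files and anything unreadable instead of aborting.

```python
"""Hunt for Operation FlutterBridge indicators in logs and on disk.

Added example, not Unit 42's or the page's code. IOC_DOMAINS / IOC_SHA256 are
the indicators listed on the page; SAMPLE_LOG and the decoy file are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

IOC_DOMAINS = {
    "atsheisdomestic.org", "etoftheappyrince.org", "healightejustb.org",
    "sinterfumesco.com", "ads-parkpro.com", "adsparkpro.net",
    "adsparkpro.top", "softwe.art",
}
IOC_SHA256 = {
    "021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845",
    "30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530",
    "363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34",
    "48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745",
    "644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70",
    "8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109",
    "9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47",
    "9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de",
    "b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea",
}


def domain_matches(host: str) -> Optional[str]:
    """Indicator matched by an exact or subdomain match; substring matching
    would also flag look-alikes such as notadsparkpro.net, so it is not used."""
    h = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


# Hostnames inside free-form log text (qname=..., url=https://host/..., etc.).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_log(lines) -> List[Tuple[int, str, str]]:
    """(line number, observed host, matched indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            d = domain_matches(host)
            if d:
                hits.append((n, host, d))
    return hits


def sha256_of(path, chunk=1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_SHA256, max_bytes=256 << 20) -> List[Tuple[str, str]]:
    """Hash regular files under root (e.g. /Applications, ~/Downloads); skip
    symlinks and oversized files, ignore unreadable ones rather than aborting."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            if p.stat().st_size > max_bytes:
                continue
            digest = sha256_of(p)
        except OSError:
            continue
        if digest in hashes:
            hits.append((str(p), digest))
    return hits


# Constructed log lines (not real telemetry): a DNS hit, a proxy hit on a
# subdomain, a look-alike that must not match, and a benign lookup.
SAMPLE_LOG = [
    "2026-06-03T09:12:41Z dns host=mac-42 qname=softwe.art type=A",
    "2026-06-03T09:12:45Z proxy host=mac-42 url=https://cdn.adsparkpro.top/pkg/installer.dmg",
    "2026-06-03T09:13:02Z dns host=mac-17 qname=notadsparkpro.net type=A",
    "2026-06-03T09:13:10Z dns host=mac-17 qname=www.apple.com type=A",
]


def demo_disk_scan() -> bool:
    """Plant a constructed decoy, add its digest to the hash set and confirm the
    sweep reports exactly it (the benign neighbour must not be reported)."""
    with tempfile.TemporaryDirectory() as d:
        decoy = Path(d) / "Applications" / "Decoy.app" / "Contents" / "MacOS" / "Decoy"
        decoy.parent.mkdir(parents=True)
        decoy.write_bytes(b"constructed decoy file, not a real sample\n")
        (Path(d) / "benign.txt").write_text("nothing to see\n")
        hits = scan_tree(d, hashes=IOC_SHA256 | {sha256_of(decoy)})
        return [h[0] for h in hits] == [str(decoy)]


if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} matches indicator {ioc}")
    print("disk scan demo ok:", demo_disk_scan())
    downloads = Path.home() / "Downloads"
    if downloads.is_dir():
        for path, digest in scan_tree(downloads):
            print(f"HIT {path} {digest}")
```

On a real host point scan_tree at /Applications and each user's Downloads folder, and feed scan_log your DNS resolver or proxy logs; a hash hit identifies a known sample, while a domain hit only shows that a host reached campaign infrastructure and still needs the application found and removed.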
Technical Details
- Author: AlienVault
- TLP: white
- References: https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/
- Adversary: CL-CRI-1089
- Pulse Id: 6a1ee9cdd897e06c7cac14d9
- Threat Score: not assigned
Threat ID: 6a1ff4f1e29bf47b5098b498
Added to database: 6/3/2026, 9:33:37 AM
Last enriched: 6/3/2026, 9:48:39 AM
Last updated: 6/3/2026, 5:16:57 PM