Operation FlutterBridge: The FlutterShell macOS Backdoor
Operation FlutterBridge involves the FlutterShell macOS backdoor active from December 2025 to March 2026. The malware abuses the Flutter framework to deliver a two-component payload via malvertising on Google and YouTube. It uses a Mach-O launcher and a Flutter payload dylib with obfuscated Dart code and rotated Apple Developer certificates to evade detection. The backdoor loads attacker-controlled JavaScript through a WKWebView and executes commands via a JavaScript-to-native bridge. Its primary impact includes hijacking the Chrome browser to set a malicious default search provider and maintaining persistence through silent Sparkle framework updates.
AI Analysis
Technical Summary
FlutterShell is a macOS backdoor campaign tracked as cluster CL-CRI-1089 under Operation FlutterBridge, active between December 2025 and March 2026. The threat actors abused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware architecture consists of a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, operators rotated Apple Developer certificates, progressively obfuscated the Dart code, and renamed bridge commands to avoid detection. The backdoor uses a WKWebView component to load JavaScript from command and control servers, implementing a conditional execution model via a JavaScript-to-native bridge named flutterInvoke. The malware's main impact is hijacking the Chrome browser by injecting sinterfumesco[.]com as the default search provider and establishing persistence through silent updates using the Sparkle framework.
Potential Impact
The malware hijacks the Chrome browser on infected macOS systems to set a malicious default search provider, potentially redirecting users to attacker-controlled sites. It maintains persistence through silent updates delivered via the Sparkle framework, enabling long-term presence on compromised devices. The use of rotated Apple Developer certificates and Dart obfuscation complicates detection and removal efforts.
Mitigation Recommendations
No official patch or remediation is indicated for this malware campaign. Because the infection is delivered via malvertising and abuses legitimate frameworks, mitigation should focus on user awareness to avoid suspicious ads and downloads, monitoring for unusual browser behavior such as unexpected changes to Chrome's default search provider, and employing endpoint detection tools capable of identifying malicious Mach-O binaries and suspicious use of the Sparkle update framework. Incident response should include removal of the malware components and, where possible, revocation of the compromised Apple Developer certificates. Patch status is not yet confirmed; check vendor advisories and security community updates for current remediation guidance.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/operation-flutterbridge-the-fluttershell-macos-backdoor
- Adversary: null
- Pulse Id: 6a34874a01c1f77a4c242d5b
- Threat Score: null
Threat ID: 6a34ff64f198dc38c1cec3be
Added to database: 6/19/2026, 8:35:48 AM
Last enriched: 6/19/2026, 8:50:04 AM
Last updated: 6/19/2026, 3:26:47 PM