Threats Tagged 'browser hijacking'

FlutterShell is a macOS backdoor campaign active from December 2025 to March 2026, identified as cluster CL-CRI-1089 under Operation FlutterBridge. The threat actors deliberately misused the Flutter framework to deliver malware through malvertising campaigns on Google and YouTube. The malware employs a two-component architecture: a thin Mach-O launcher and a large Flutter payload dylib. Across three generations, the operators rotated Apple Developer certificates, implemented progressive Dart obfuscation, and renamed bridge commands to evade detection. The backdoor uses a WKWebView to load attacker-controlled JavaScript from C2 servers, implementing a conditional execution model where commands are delivered at runtime via a JavaScript-to-native bridge called flutterInvoke. The primary impact includes Chrome browser hijacking to inject sinterfumesco[.]com as the default search provider and persistent infection through silent Sparkle framework updates.

An investigation into phishing activity targeting users across the Middle East and North Africa uncovered SniperDz, a centralized Push-Notification-as-a-Service and Phishing-as-a-Service platform. The operation uses fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations to promote fake offers including free mobile internet packages and financial compensation. Victims are redirected through trusted link-aggregation services like Linktree and Linkbio to evade detection. SniperDz provides 80 phishing templates mimicking over 30 global brands across financial services, social media, streaming, and gaming platforms. The infrastructure employs browser notification abuse, history manipulation creating a back-button prison, premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing for monetization. Analysis revealed over 900 suspicious domains linked to shared hosting infrastructure and a recurring VAPID public key connecting multiple campai...

MediumCampaignAlgeria#sniperdz#phishing-as-a-service#browser hijacking

A financially-motivated cybercrime cluster designated CL-CRI-1089 has launched Operation FlutterBridge, deploying FlutterShell backdoor malware targeting macOS systems through malvertising. Built with the Flutter framework, FlutterShell masquerades as legitimate applications including podcast players and PDF viewers, delivering adware with full backdoor capabilities such as shell command execution and file system manipulation. The malware uses a WebView-based architecture with JavaScript-to-native bridge, allowing attackers to dynamically modify behavior without recompiling. Distribution occurs through hundreds of Google-verified advertisements controlled by shell companies including AdsParkPro LTD and Advantage Web Marketing LLC. The campaign primarily targets Anglophone and Western European markets. All samples were signed with valid Apple Developer IDs and successfully passed notarization, achieving zero detections on VirusTotal initially. The malware hijacks Google Chrome browsers, redirecting traffic ...