
FlutterShell Backdoor Spreads to macOS via Manipulated Google and YouTube Ads

Bottom line: A new backdoor campaign distributes FlutterShell via ads on Google and YouTube, specifically targeting macOS systems.

A macOS malvertising campaign called Operation FlutterBridge spreads a new backdoor named FlutterShell through ad networks. Palo Alto Networks Unit 42 identifies the campaign as a continuation of JSCoreRunner activities from August 2025.

Cybersecurity researchers at Palo Alto Networks Unit 42 document a macOS malvertising campaign named Operation FlutterBridge that distributes the new backdoor FlutterShell. The campaign is described as the next phase of a previously documented activity chain that became known in August 2025 as JSCoreRunner or FileRipple.

The distribution method exploits manipulated ads on Google and YouTube to redirect users to infected sites. FlutterShell represents an escalation in backdoor capabilities and targets macOS systems in enterprise environments. The technical connection between the current campaign and JSCoreRunner points to the same attacker group refining its tactics.

Implications for CISOs: Malvertising through established ad networks such as Google and YouTube poses a particular challenge because legitimate platforms are exploited as attack vectors. macOS is often perceived as more secure and could be underrepresented in existing security policies. Organizations should update browser security, phishing awareness, and macOS-specific endpoint detection to current standards.


Source: thehackernews.com · Published 4 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.2.9.
