
Backdoor FlutterShell spreads via manipulated Google ads on macOS

Bottom line: A group active since 2023 distributes the macOS backdoor FlutterShell through Google-verified shell companies; the backdoor is signed with valid Apple developer IDs and can be remotely controlled in real time.

Security researchers from Palo Alto Networks have uncovered Operation FlutterBridge, a campaign that distributes a new backdoor called FlutterShell to macOS systems via forged Google and YouTube ads. The group behind it, tracked as CL-CRI-1089, uses Google-verified shell companies to place its ads.

The attacks specifically target macOS users in the USA, Canada, Australia, France, and Germany. The criminal group relies on malvertising: it registered several shell companies such as AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED (later PACIFIC TRADE SOLUTIONS LTD), which were verified as legitimate by Google. According to business registrations in the United Kingdom and Ukraine, there are connections to Ukrainian citizens. According to the report, the group has been active since at least 2023 and had already conducted campaigns in August 2025 under the names JSCoreRunner and FileRipple.

FlutterShell combines the functionality of adware with a full-fledged backdoor. The malware, programmed using Google’s Flutter framework, can execute arbitrary shell commands, interact with the file system, and read environment variables. After execution, it modifies the Chrome configuration and redirects all browser traffic through an attacker-controlled advertising platform. All discovered variants carried valid Apple developer IDs and successfully passed through Apple’s automated notarization checks.

The malware uses a WebView-based architecture that links JavaScript with native system functions. This enables operators to host the malware logic on external servers and thus change the malware behavior in real time without recompiling the software or rolling out updates to infected machines. Security researchers from Unit 42 have identified three variants so far: PodcastsLounge, PDF-Brain, and PDF-Ninja.


Source: www.it-daily.net · Published June 8, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
