Operation FlutterBridge: macOS malvertising campaign distributes FlutterShell backdoor via Google Ads
Financially motivated threat cluster CL-CRI-1089 evolved from the JSCoreRunner adware to deploy FlutterShell, a Flutter-based macOS backdoor with shell execution, file manipulation, and AI-powered data exfiltration capabilities, distributed through hundreds of Google-verified malicious advertisements.
Attack Brief
Target: macOS users; Google Ads platform
Vector: Malvertising via Google Ads; trojanized desktop applications (podcast player, PDF viewers) masquerading as legitimate software
Attribution: CL-CRI-1089 (financially motivated cybercrime cluster)
Technical Details
MITRE ATT&CK: T1204.001, T1059.004, T1083, T1005, T1041
IoCs: PodcastsLounge (application name)
Affected: FlutterShell variants masquerading as podcast player and PDF viewer applications; all observed samples were signed with valid Apple Developer IDs and passed Apple notarization
Impact
Sectors: General population (global, with emphasis on Anglophone and Western European markets)
Confirmed Damage: Browser hijacking (Google Chrome configuration modified to force traffic through an attacker-controlled, ad-filled intermediary); data exfiltration via AI summarization features that route documents through attacker-controlled servers
Mitigation
Detection: Monitor for unsigned or recently signed macOS applications; inspect Google Chrome configuration files for unauthorized proxy/intermediary redirects; hunt for WebView-based Flutter applications communicating with external JavaScript-hosting infrastructure; analyze Dart binaries with the blutter tool to reconstruct malicious logic
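As an added illustration of the Chrome-configuration check in the detection guidance (example code written for this brief, not from the report or any vendor tooling): a small Python hunt that parses a Chrome Preferences JSON file and flags homepage, startup-URL, default-search and proxy settings that would route browsing through a host outside an allowlist. The preference key paths, the allowlist and the sample file contents are assumptions constructed for the example; verify the key paths against the Chrome version you are hunting on.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Chrome "Preferences" JSON (not a real capture). The key
# paths used below are assumptions based on Chrome's preference layout; verify them
# against the Chrome version you are hunting on.
SAMPLE_PREFS = json.loads("""{
  "homepage": "https://www.google.com/",
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://intermediary.example/?go=https://www.bbc.com"]},
  "proxy": {"mode": "fixed_servers", "server": "http=203.0.113.10:8080"},
  "default_search_provider_data": {"template_url_data": {
      "url": "https://www.google.com/search?q={searchTerms}"}}
}""")

# Hosts the organisation expects in these settings (assumed allowlist).
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def _get(prefs, path):
    # Walk a nested dict by key path; None if any key along the way is missing.
    node = prefs
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_hijack_indicators(prefs, trusted_hosts):
    """Return (pref_path, value) pairs that route browser traffic to an untrusted host."""
    findings = []

    def check_url(label, url):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            findings.append((label, url))

    if isinstance(prefs.get("homepage"), str):
        check_url("homepage", prefs["homepage"])
    for url in _get(prefs, ("session", "startup_urls")) or []:
        check_url("session.startup_urls", url)
    search_url = _get(prefs, ("default_search_provider_data", "template_url_data", "url"))
    if isinstance(search_url, str):
        check_url("default_search_provider_data.template_url_data.url", search_url)
    # A browser-level fixed proxy is one way traffic gets forced through an
    # intermediary, so report it regardless of which host it names.
    proxy = _get(prefs, ("proxy",)) or {}
    if proxy.get("mode") == "fixed_servers":
        findings.append(("proxy.server", str(proxy.get("server", ""))))
    return findings
```

On a live macOS host the file to feed into `find_hijack_indicators` is typically `~/Library/Application Support/Google/Chrome/Default/Preferences`; each flagged entry is a lead to confirm against the user's intended configuration, not proof of compromise on its own.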
Context
Previous Campaigns: JSCoreRunner (macOS, August 2025); RecipeLister and Calendaromatic (Windows); the broader cluster was previously tracked as TamperedChef by other vendors; CL-CRI-1089 has been operational since at least 2023