FlutterShell Backdoor Uses Malvertising to Attack macOS Users with Adware and Backdoor Capabilities

FlutterShell Backdoor Targets macOS Users via Malicious Ads

Cybersecurity experts have identified a sophisticated malvertising campaign, dubbed Operation FlutterBridge, that targets macOS users with a new backdoor named FlutterShell. The campaign is an evolution of the previously reported JSCoreRunner activity observed in August 2025, and the cybercriminal group behind it, tracked as CL-CRI-1089, has been active since at least 2023.

FlutterShell is constructed using the Flutter framework, enabling it to infect systems with adware through deceptive desktop applications. Beyond its adware capabilities, FlutterShell functions as a backdoor, allowing attackers to execute shell commands and manipulate the file system on compromised devices.

The attackers employ malicious advertisements on platforms like Google and YouTube, utilizing a network of Google-verified shell companies to distribute these ads. These advertisements lure users into downloading malware disguised as legitimate desktop applications. Notable front companies involved include AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED (now PACIFIC TRADE SOLUTIONS LTD), all linked to individuals in Ukraine.

Targeting macOS users in the U.S., Canada, Australia, France, and Germany, the campaign has been active as recently as March 2026. Upon execution, FlutterShell modifies Google Chrome's configuration files to redirect all traffic through an attacker-controlled, ad-laden intermediary site. The malware samples were signed with valid Apple Developer IDs and passed Apple's notarization process, so they cleared the platform's security checks at the time of submission; a valid signature and notarization ticket therefore cannot by themselves be taken as evidence that an application is safe.
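Because the samples were validly signed and notarized, a defender cannot rely on signature checks alone; the observable effect on the host is the altered Chrome configuration. The following triage script is an added example written for this article, not code from the article or from any vendor tooling. It assumes that a traffic-redirecting modification is visible in a Chrome profile's Preferences or Secure Preferences JSON as proxy, startup-URL, homepage or search-provider settings; the article does not name the exact files or keys FlutterShell edits, so the key paths (proxy.mode, session.startup_urls, homepage, default_search_provider_data) are taken from Chrome's general Preferences layout and the redirect host in the sample is a placeholder, not an indicator from the campaign.

```python
"""Triage check for traffic-steering changes in Chrome profile preference files.

Added example for defenders; assumptions: Chrome's Preferences layout for the keys
below, and that a redirect shows up in one of those keys. No indicator from the
actual campaign is included; REDIRECT-HOST.example is a constructed placeholder.
"""
import json
import sys
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allow-list of hosts a stock search-provider entry would point at; extend per environment.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def _host(url: str) -> str:
    return urlparse(url).hostname or ""


def audit_preferences(prefs: dict) -> List[str]:
    """Return findings for settings that would route or steer browsing through a third-party site."""
    findings: List[str] = []

    # 1. Proxy configuration: any mode other than 'system' or 'direct' sends all traffic elsewhere.
    proxy = prefs.get("proxy", {})
    mode = proxy.get("mode", "system")
    if mode not in ("system", "direct"):
        findings.append(
            f"proxy mode '{mode}' server={proxy.get('server')} pac_url={proxy.get('pac_url')}"
        )

    # 2. Startup pages: restore_on_startup == 4 means 'open a specific set of URLs'.
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            findings.append(f"startup URL {url}")

    # 3. Homepage overridden to an explicit URL instead of the new-tab page.
    if prefs.get("homepage") and not prefs.get("homepage_is_newtabpage", True):
        findings.append(f"homepage {prefs['homepage']}")

    # 4. Default search provider replaced with an unknown host (an intermediary would sit here).
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tud.get("url", "")
    if search_url and _host(search_url) not in KNOWN_SEARCH_HOSTS:
        findings.append(f"search provider {search_url}")

    return findings


def audit_profile(profile_dir: Path) -> Dict[str, List[str]]:
    """Audit both preference files under one Chrome profile directory (e.g. 'Default')."""
    results: Dict[str, List[str]] = {}
    for name in ("Preferences", "Secure Preferences"):
        f = profile_dir / name
        if f.is_file():
            try:
                results[name] = audit_preferences(json.loads(f.read_text(encoding="utf-8")))
            except (OSError, ValueError) as exc:
                results[name] = [f"could not parse: {exc}"]
    return results


def chrome_profiles(home: Optional[Path] = None) -> List[Path]:
    """Locate Chrome profile directories under the macOS per-user Application Support path."""
    base = (home or Path.home()) / "Library" / "Application Support" / "Google" / "Chrome"
    if not base.is_dir():
        return []
    return [p for p in base.iterdir() if (p / "Preferences").is_file()]


# Constructed sample of what a tampered profile could look like; the host is a placeholder.
TAMPERED_SAMPLE = {
    "proxy": {"mode": "pac_script", "pac_url": "https://REDIRECT-HOST.example/proxy.pac"},
    "session": {"restore_on_startup": 4, "startup_urls": ["https://REDIRECT-HOST.example/start"]},
    "homepage": "https://REDIRECT-HOST.example/",
    "homepage_is_newtabpage": False,
}

if __name__ == "__main__":
    targets = [Path(a) for a in sys.argv[1:]] or chrome_profiles()
    if not targets:
        print("no Chrome profiles found; showing findings for the constructed sample instead")
        for hit in audit_preferences(TAMPERED_SAMPLE):
            print("   -", hit)
    for prof in targets:
        for fname, hits in audit_profile(prof).items():
            print(f"{prof.name}/{fname}: {'SUSPECT' if hits else 'clean'}")
            for hit in hits:
                print("   -", hit)
```

Run it with no arguments on a macOS host to scan every profile for the current user, or pass one or more profile directories explicitly. A hit is a lead, not a verdict: a corporate proxy or an intentionally set homepage will trigger the same checks, so compare findings against what the user or MDM policy actually configured before treating a profile as compromised.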

A distinctive feature of FlutterShell is its WebView-based architecture, which utilizes a JavaScript-to-native bridge. This design allows the malware to host malicious logic on external websites, enabling dynamic behavior modification without the need to recompile or update the binary on infected systems.

Three variants of FlutterShell have been identified: PodcastsLounge, PDF-Brain, and PDF-Ninja. The presence of unfinished functions in the JavaScript code suggests ongoing development and refinement of the malware.

This campaign underscores the increasing sophistication of threats targeting macOS users and highlights the importance of vigilance when downloading applications and clicking on online advertisements.