A newly identified macOS backdoor, dubbed FlutterShell, has been targeting Mac users by masquerading as legitimate productivity applications. The malware is built on Google’s Flutter application framework, so its binaries look like ordinary Flutter software and slip past conventional security tooling. Researchers have tracked three distinct iterations of the threat, active between December 2025 and March 2026.
The campaign, referred to as Operation FlutterBridge and tracked under the cluster identifier CL-CRI-1089, distributed the malware through malicious advertisements on Google and YouTube. The ads targeted users searching for terms such as “podcast app for Mac” or “free PDF converter” and redirected them to counterfeit websites hosting signed application bundles. Because the bundles were signed with Apple developer certificates that were still valid at the time of distribution, macOS Gatekeeper allowed them to run without a warning.
Analysts performed static analysis of ten Mach-O binary samples spanning all three generations of FlutterShell. Rather than revisiting the broader campaign, the analysis focused on the binaries’ design, their evolution, and the detection opportunities that remain while the threat actors keep rotating their infrastructure.
FlutterShell’s architecture comprises two components: a minimal stub launcher that initializes the Flutter runtime, and a large payload library (about 10 MB) that carries the compiled Dart code, the Flutter framework, and the custom command logic. Because the launcher closely resembles the one in any legitimate Flutter application, the malware passes basic inspection; the malicious logic lives entirely in the payload library.
A particularly challenging aspect of FlutterShell is that its behaviour is gated on command-and-control (C2). The malware remains dormant until it receives live instructions from an attacker-controlled server. In a sandbox, the binary launches, displays a functional application interface, and does nothing further; without a live server response the sample looks inert, so automated detonation records no malicious behaviour. Dynamic analysis therefore has to run while the C2 domain is still serving, or with the remote page replaced by an analyst-controlled one.
Abuse of WKWebView for Dynamic Command Execution
FlutterShell’s most notable feature is how it receives commands from its operators. Instead of embedding instructions in the binary, the malware opens a hidden WKWebView and loads a page from an attacker-controlled domain. That page delivers JavaScript which passes commands back to native code through a named script-message handler, flutterInvoke (the JavaScript-to-native channel that WKWebView exposes to a page as window.webkit.messageHandlers.<name>.postMessage).
This design lets the operators change the malware’s behaviour at any time simply by updating server content, without touching the binary. The bridge command was renamed in every generation: exec_sync in the first, pdf_sync in the second, and renderPDF in the third, so that the traffic reads like the ordinary activity of a PDF application. Detection rules keyed on a particular command name therefore go stale as soon as the server-side content is updated; the handler name and the hidden-WebView-to-remote-domain pattern are the more durable hooks.
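One way to turn that observation into a hunt, as an added example that is not code from the article or the researchers: the Python triage helper below keys on the handler name, which the article does not report changing, and uses the three command names only to label the generation. The byte blobs in SAMPLES are constructed stand-ins for the string content of a payload library; the c2.example URLs, the fourth command name openDocument, and the App.framework path in the docstring are assumptions for illustration, not indicators from the article.

```python
"""Triage helper: flag Flutter payload libraries that carry the FlutterShell
WKWebView bridge, keyed on the stable handler name rather than on the command
name that is renamed between generations.

Added example for this article, not code from the researchers or the campaign.
On a real system, point scan_file() at the payload library inside the bundle
(assumed here to be Contents/Frameworks/App.framework/App, the usual location
of a Flutter app's compiled Dart code).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators taken from the article.
BRIDGE_HANDLER = b"flutterInvoke"   # JS -> native message handler; stable across generations
COMMAND_NAMES = {                   # bridge command; renamed in every generation
    b"exec_sync": "gen1",
    b"pdf_sync": "gen2",
    b"renderPDF": "gen3",
}
WEBVIEW_CLASS = b"WKWebView"        # weak signal on its own: webview plugins also reference it

# Absolute http(s) URLs embedded as C strings (stop at whitespace, NUL or quotes).
_URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_]+(?:/[^\s\x00\x22\x27]*)?")


@dataclass
class Verdict:
    has_webview: bool
    has_bridge: bool
    generation: Optional[str]           # "gen1".."gen3", "unknown" (bridge present, new name), or None
    remote_urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The handler name is the structural indicator; a command-name match only
        # labels the generation and is never required for a hit.
        return self.has_bridge


def assess(blob: bytes) -> Verdict:
    """Classify the raw bytes of a payload library."""
    has_bridge = BRIDGE_HANDLER in blob
    has_webview = WEBVIEW_CLASS in blob
    generation = None
    if has_bridge:
        generation = "unknown"          # bridge present but command name not yet catalogued
        for name, gen in COMMAND_NAMES.items():
            if name in blob:
                generation = gen
                break
    urls = sorted({m.decode("ascii", "replace") for m in _URL_RE.findall(blob)})
    return Verdict(has_webview, has_bridge, generation, urls)


def scan_file(path: str) -> Verdict:
    """Run assess() over a file on disk (whole file read; payloads are ~10 MB)."""
    with open(path, "rb") as fh:
        return assess(fh.read())


# Constructed stand-ins for the strings section of a payload library. Handler
# and command names are from the article; URLs and "openDocument" are placeholders.
SAMPLES = {
    "gen1": b"\x00FlutterMacOS\x00WKWebView\x00flutterInvoke\x00exec_sync\x00https://c2.example/update\x00",
    "gen2": b"\x00FlutterMacOS\x00WKWebView\x00flutterInvoke\x00pdf_sync\x00https://c2.example/pdf\x00",
    "gen3": b"\x00FlutterMacOS\x00WKWebView\x00flutterInvoke\x00renderPDF\x00https://c2.example/render\x00",
    # Hypothetical next generation: same bridge, command renamed once more.
    "gen4_hypothetical": b"\x00FlutterMacOS\x00WKWebView\x00flutterInvoke\x00openDocument\x00https://c2.example/doc\x00",
    # Ordinary Flutter app that embeds a webview plugin: WKWebView present, no bridge.
    "benign_flutter": b"\x00FlutterMacOS\x00WKWebView\x00dart:core\x00https://docs.flutter.dev\x00",
}


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        v = assess(blob)
        print(f"{label:18} suspicious={str(v.suspicious):5} gen={v.generation} urls={v.remote_urls}")
```

The hypothetical fourth sample is the point of the exercise: a rule written against exec_sync, pdf_sync or renderPDF misses it, while the handler-name check still fires and reports the generation as unknown, which is exactly the sample an analyst wants to look at next. The extracted URLs are a by-product worth keeping, since the remote page is where the operators rotate content.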
Adaptive Evasion and Persistence Strategies
Across all three generations the threat actors deliberately rotated their signing identities. After Apple revoked the first developer certificate on December 31, 2025, a new generation appeared signed with a different certificate, and distribution continued uninterrupted. A revocation therefore only invalidates the samples already signed with that certificate. On a suspect Mac, spctl --assess --verbose reports whether Gatekeeper still accepts a given bundle, and codesign -dv --verbose=4 shows which identity signed it.
FlutterShell’s use of the Flutter framework and a WKWebView bridge for dynamic command execution shows how macOS malware keeps adapting. By abusing legitimate development tooling and loading its commands at runtime from a remote page, the malware stays stealthy and is easy for its operators to repurpose. The case underlines the need for continuous vigilance and for detection that keys on structure and behaviour rather than on indicators the operators can rotate.