- Researchers uncovered a new macOS malware campaign that uses fraudulent Google and YouTube advertisements to distribute a backdoor called FlutterShell.
- The malware can execute remote commands, manipulate files, steal browser data, and reroute web traffic through attacker-controlled websites.
- Security experts say the operation marks a major evolution of a cybercrime group that has been active for several years and continues to expand its infrastructure.
Cybersecurity researchers have uncovered a new malware campaign that targets macOS users through malicious advertisements on Google and YouTube. The operation, dubbed Operation FlutterBridge, delivers a newly identified backdoor known as FlutterShell through applications disguised as legitimate desktop software.
According to Palo Alto Networks Unit 42, the campaign represents the latest stage in an activity cluster previously linked to JSCoreRunner, also known as FileRipple, which researchers reported in August 2025. Investigators track the threat actors behind both campaigns as CL-CRI-1089, a cybercrime group believed to have been operating since at least 2023.
Unit 42 reported that the attackers built FlutterShell using Google’s Flutter framework. The malware installs adware on infected systems while also providing attackers with powerful backdoor functionality. Researchers said the malware can execute shell commands and manipulate files stored on compromised devices.
Fake Ads Drive Malware Distribution
Researchers linked FlutterShell to a broader collection of campaigns that includes Recipe Lister and Calendaromatic. These operations fall under a larger activity cluster known as TamperedChef, also referred to as EvilAI, which relies on trojanized productivity software to distribute potentially unwanted programs and adware.
The attackers use Google and YouTube advertisements as bait, presenting malicious applications as legitimate software downloads. To increase credibility, they reportedly operate through multiple Google-verified shell companies.
Researchers identified several entities connected to the campaign, including AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED, which now operates as PACIFIC TRADE SOLUTIONS LTD.
The campaign primarily targets macOS users in the United States, Canada, Australia, France, and Germany. While the associated Google Ads accounts are no longer publicly accessible through Google’s transparency tools, records reviewed by researchers suggest the companies have ties to individuals in Ukraine.
Investigators observed FlutterShell activity as recently as March 2026. They found that the malware supports arbitrary command execution, file system interaction, and the theft of environment variables from infected systems.
Researchers also noted that the malware alters Google Chrome configuration files after installation. According to the research team, the malware hijacks the browser and redirects user traffic through an intermediary website controlled by the attackers and filled with advertisements.
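As an added example (not Unit 42's code and not anything recovered from the campaign), a small defender-side checker for the browser-redirect behaviour described above: it reads Chrome's `Preferences` JSON and flags homepage, startup-URL and default-search settings whose host is not on an allowlist. The article does not say which keys FlutterShell edits, so the key list, the allowlist and the sample profile are assumptions.

```python
import json
from urllib.parse import urlparse

# Hosts legitimately expected in these settings (assumption; edit for your fleet).
ALLOWED_HOSTS = {"www.google.com", "google.com", "duckduckgo.com"}

# Dotted paths in Chrome's Preferences JSON that decide where the browser goes.
# The article does not name the keys FlutterShell changes; these are the usual
# redirect-relevant ones (assumption).
REDIRECT_KEYS = [
    "homepage",
    "session.startup_urls",
    "default_search_provider_data.template_url_data.url",
]


def _lookup(prefs: dict, dotted: str):
    """Walk a dotted key path; return None if any segment is missing."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def find_suspicious_hosts(prefs: dict, allowed=ALLOWED_HOSTS) -> list:
    """Return (key, host) pairs whose host is not on the allowlist."""
    findings = []
    for key in REDIRECT_KEYS:
        value = _lookup(prefs, key)
        for url in value if isinstance(value, list) else [value]:
            if isinstance(url, str) and url:
                host = urlparse(url).hostname or ""
                if host not in allowed:
                    findings.append((key, host))
    return findings


def check_preferences_file(path: str) -> list:
    """Run the check on a real profile's Preferences file (Chrome keeps it
    under ~/Library/Application Support/Google/Chrome/<profile>/ on macOS)."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_hosts(json.load(fh))


# Constructed sample of a hijacked profile (not real campaign data).
SAMPLE_PREFS = json.loads("""{
  "homepage": "https://ads-intermediary.invalid/go?u=https://www.google.com",
  "session": {"restore_on_startup": 4, "startup_urls": ["https://ads-intermediary.invalid/start"]},
  "default_search_provider_data": {"template_url_data": {"url": "https://www.google.com/search?q={searchTerms}"}}
}""")
```

Run it over each profile's `Preferences` file on a suspect Mac; any hit is a lead to compare against a known-clean profile, not proof of infection on its own.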
They further noted that every sample they analyzed carried a valid Apple Developer ID and had successfully passed Apple’s notarization process, which means Apple’s automated security checks did not flag the malware when it was submitted.
This isn’t the only threat bypassing Apple’s defenses. Apple macOS users are at risk from sophisticated phishing malware that bypasses privacy controls, highlighting the evolving security challenges on the platform.
Web-Based Design Makes FlutterShell More Dangerous
One of FlutterShell’s most significant features is its WebView-based architecture. Instead of embedding all malicious functionality directly inside the malware, the attackers host much of the logic on external websites.
According to Unit 42, the architecture uses a JavaScript-to-native bridge that allows web content and native applications to communicate with each other. This design enables attackers to modify the malware’s behavior in real time without recompiling or redistributing new malware samples.
Researchers identified three FlutterShell variants: PodcastsLounge, PDF-Brain, and PDF-Ninja. They also discovered unfinished code within the attackers’ infrastructure, which suggests active development remains underway.
Some variants, particularly PDF-Brain and PDF-Ninja, include AI-powered document summarization features. However, the functionality routes user documents through attacker-controlled servers before processing them, creating additional privacy and security risks. Researchers also found capabilities for system fingerprinting and browser session theft.
Campaign Shows Growing Sophistication
Investigators discovered several technical similarities between FlutterShell, Calendaromatic, and Recipe Lister, particularly their shared WebView-based architecture that supports dynamic payload updates.
Researchers also observed that Advantage Web Marketing LLC not only promoted malicious advertisements but also signed Windows adware variants linked to the same operation.
According to Unit 42, the transition from JSCoreRunner to FlutterShell demonstrates a substantial increase in the group’s technical sophistication.
Researchers added that the campaign’s extensive distribution network and use of verified shell companies to bypass advertising platform reviews underscore the ongoing threat posed by malvertising.
They also warned that the rapid creation of new FlutterShell variants and the coordinated infrastructure supporting them indicate that the operation remains active and is unlikely to end anytime soon.