Cybercrime Group Utilizes Malicious Ads to Spread FlutterShell Backdoor to macOS Users
A cybersecurity campaign known as Operation FlutterBridge is targeting macOS users through malicious Google and YouTube ads, spreading a backdoor called FlutterShell. According to Palo Alto Networks Unit 42, the campaign is linked to a cybercrime group tracked as CL-CRI-1089, active since at least 2023. FlutterShell, built using the Flutter framework, infects targets with adware and possesses backdoor capabilities, including shell command execution and file system manipulation. The campaign uses Google-verified shell companies to distribute ads that trick users into downloading malware disguised as legitimate applications. Targets include macOS users in the U.S., Canada, Australia, France, and Germany. The malware modifies Google Chrome configuration files to hijack the browser, forcing traffic through an attacker-controlled site. FlutterShell's WebView-based architecture allows the malware's behavior to be altered dynamically without recompiling it.