Operation FlutterBridge is a widespread macOS malvertising campaign tied to CL-CRI-1089 that delivers FlutterShell, a Flutter-based backdoor masquerading as legitimate apps while also enabling adware and data exfiltration. The campaign uses verified Google Ads and shell companies to distribute rapidly evolving variants that hijack Google Chrome, execute shell commands, and in some cases forward documents through attacker infrastructure for AI summarization and theft. #FlutterShell #OperationFlutterBridge #CL-CRI-1089 #JSCoreRunner #AdsParkProLTD #AdvantageWebMarketingLLC #SOFTWEARTLIMITED
Keypoints
- Operation FlutterBridge is the latest stage of a malvertising campaign targeting macOS users and is linked to the CL-CRI-1089 activity cluster.
- The payload, FlutterShell, is built with Flutter and disguises itself as legitimate desktop apps such as podcast players and PDF viewers.
- FlutterShell functions as both adware and a backdoor, with capabilities for arbitrary command execution, file manipulation, and environment-variable harvesting.
- The campaign distributes malware through hundreds of Google-verified ads and shell companies, including AdsParkPro LTD and Advantage Web Marketing LLC, to bypass ad-network vetting.
- FlutterShell uses a WebView and JavaScript-to-native bridge so malicious logic can be hosted remotely and changed without rebuilding the app.
- Several variants show active development, increasing obfuscation, and changing command names to evade static analysis and notarization checks.
- Some variants abuse AI summarization workflows by routing document content through attacker-controlled servers first, enabling data exfiltration alongside the summary output.
MITRE Techniques
- [T1059.004] Command and Scripting Interpreter: Unix Shell - The backdoor runs attacker-supplied shell commands, including terminating and relaunching Chrome and launching the staged app bundle ("killall 'Google Chrome'" and the "open command on the staged app bundle"); neither is proxied execution through a trusted system binary, so this is plain shell execution rather than T1218.
- [T1059.007] Command and Scripting Interpreter: JavaScript - The payload stores and executes its malicious logic as remote JavaScript loaded through the WebView bridge ("the malicious logic is stored on the attackers' website" and "JSON-formatted commands").
- [T1027] Obfuscated Files or Information - Later variants obfuscate strings and symbols to hinder analysis ("some of its strings obfuscated" and "used Flutter's native obfuscate flag", i.e. flutter build --obfuscate).
- [T1105] Ingress Tool Transfer - The malware retrieves its configuration and update logic from attacker-controlled web endpoints ("retrieve the core malicious logic from external endpoints: /getConfig and /getUpdateThanksConfig").
- [T1021.002] Remote Services: SMB/Windows Admin Shares - Not mentioned.
- [T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification - Not supported by the cited evidence. The summary only shows the malware reading and writing files in sensitive locations ("modifies Google Chrome configuration files" and "read and write to files in the user's Downloads directory"), which is file manipulation, not a change to file permissions.
- [T1114] Email Collection - Not mentioned.
- [T1056] Input Capture - Not mentioned.
- [T1041] Exfiltration Over C2 Channel - Document content submitted for AI summarization is forwarded through attacker infrastructure before it is processed ("forwards the content to the attackers' C2 server" for summarization).
- [T1071.001] Application Layer Protocol: Web Protocols - The malware communicates with attacker infrastructure over HTTP(S) endpoints and web content ("HTTP GET request" and "loads the attackers' website").
- [T1583.008] Acquire Infrastructure: Malvertising - The attackers buy Google Ads through shell companies so the ads pass the network's advertiser verification ("distributed via hundreds of Google-verified advertisements").
- [T1036] Masquerading - The applications pose as legitimate podcast players and PDF viewers ("masquerade as legitimate software").
- [T1543.002] Create or Modify System Process: Systemd Service - Not mentioned; Systemd does not exist on macOS. The activity cited here, forcibly terminating and relaunching Chrome and swapping app bundles during updates ("forces Chrome to connect" and "programmatically executes the open command"), is shell-command execution, not the creation of a system service.
- [T1204] User Execution - The user's own interaction triggers loading of the malicious pages ("When the targeted user clicks the About or Update buttons"), after the user has already installed the advertised app.
Indicators of Compromise
- [SHA256] Malicious macOS installers and binaries for the three FlutterShell variants - 021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845, 363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34, and 2 more hashes
- [File names] Malicious app bundles and DMG installers - PodcastsLounge.dmg, podcasts_lounge.app, PDF-Brain.dmg, PDF-Brain.app, PDF-Ninja.dmg, PDF-Ninja.app
- [Domains] C2 and adware infrastructure - atsheisdomestic[.]org, etoftheappyrince[.]org, healightejustb[.]org, and sinterfumesco[.]com
- [URLs] Malicious web content and update endpoints - hxxps[:]//atsheisdomestic[.]org/update-thanks.html, hxxps[:]//etoftheappyrince[.]org/update-delay, hxxps[:]//healightejustb[.]org/checkupdateTO.js
- [Shell commands] Host fingerprinting and browser hijacking - ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID | sed 's/.*"IOPlatformUUID" = "//; s/"//g' (reads the hardware UUID used to identify the victim) and killall "Google Chrome"
- [Bundle identifiers] Malware app identifiers observed across variants - com.app.podcastsLounge, com.app.pdfBrain, com.pdfninja.app
- [Developer IDs] Apple Developer ID names and Team IDs used to sign the malicious apps - Yasar Sever (UBZDAAV97Y), Batuhan Dabag (FW9NHQ8922), Yusuf Bal (B73CHZ24Y8)
- [Actor-related websites] Prior infrastructure linked to the shell entities - ads-parkpro[.]com, adsparkpro[.]top, adsparkpro[.]net, softwe[.]art
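The indicators above cover four different places to look on a Mac: bundle identifiers in Info.plist, Team IDs in code signatures, domains and URLs in DNS or proxy logs, and the two shell commands in process-execution telemetry. The Python script below is an added example for this page, not Unit 42's code and not part of the FlutterShell analysis. It takes the indicator values from the IOC list as written; the Info.plist data, codesign output, log lines and paths such as /Applications/PDF-Brain.app are constructed sample input, and the log line formats, function names and signal names are assumptions rather than any vendor's format. On a real host you would feed it the Info.plist files under /Applications, the stderr of codesign -dvv for each bundle, and your own DNS/proxy and process logs.

```python
"""Hunt for the FlutterBridge / FlutterShell indicators listed above. Added example
for this page, not Unit 42 code. Indicator values come from the IOC list; the plist
data, codesign output and log lines at the bottom are CONSTRUCTED sample input (log
formats are assumed) so the script runs offline. On a real host, feed it the Info.plist
files under /Applications, `codesign -dvv <app>` stderr and your DNS/process logs."""
import plistlib
import re
from xml.parsers.expat import ExpatError

IOC_BUNDLE_IDS = {"com.app.podcastsLounge", "com.app.pdfBrain", "com.pdfninja.app"}
IOC_TEAM_IDS = {"UBZDAAV97Y", "FW9NHQ8922", "B73CHZ24Y8"}  # Apple Developer Team IDs
IOC_DOMAINS = {"atsheisdomestic.org", "etoftheappyrince.org", "healightejustb.org", "sinterfumesco.com"}
IOC_URLS = {"https://atsheisdomestic.org/update-thanks.html",  # refanged from the IOC list
            "https://etoftheappyrince.org/update-delay",
            "https://healightejustb.org/checkupdateTO.js"}
# An IOC domain or any subdomain of it, but not a longer name that merely ends with
# the same characters (e.g. "notatsheisdomestic.org").
_DOMAIN_RE = re.compile(r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*("
                        + "|".join(re.escape(d) for d in sorted(IOC_DOMAINS))
                        + r")(?![A-Za-z0-9-])")
# The two shell commands from the IOC list. Low fidelity on their own (plenty of
# legitimate software reads IOPlatformUUID), so they are reported as corroboration only.
_PROCESS_PATTERNS = {
    "ioreg-uuid-fingerprint": re.compile(r"ioreg\s+-rd1\s+-c\s+IOPlatformExpertDevice.*IOPlatformUUID"),
    "killall-chrome": re.compile(r"""killall\s+["']?Google Chrome["']?"""),
}

def bundle_id_from_plist(plist_bytes):
    """CFBundleIdentifier from an Info.plist (XML or binary), or None if unparseable."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return None
    return data.get("CFBundleIdentifier") if isinstance(data, dict) else None

def team_id_from_codesign(codesign_output):
    """Ten-character TeamIdentifier from `codesign -dvv` output, or None.
    codesign prints "TeamIdentifier=not set" for unsigned or ad-hoc code, which does not match."""
    m = re.search(r"^TeamIdentifier=([A-Z0-9]{10})$", codesign_output, re.MULTILINE)
    return m.group(1) if m else None

def scan_network_logs(lines):
    """(line_no, kind, indicator) for every DNS/proxy line touching an IOC URL or domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        url_hits = [u for u in sorted(IOC_URLS) if u in line]
        if url_hits:                      # a full-URL hit already implies the domain
            hits.extend((n, "url", u) for u in url_hits)
            continue
        hits.extend((n, "domain", m.group(1)) for m in _DOMAIN_RE.finditer(line))
    return hits

def scan_process_logs(lines):
    """(line_no, signal) for process-execution lines matching the IOC commands."""
    return [(n, name) for n, line in enumerate(lines, 1)
            for name, pat in _PROCESS_PATTERNS.items() if pat.search(line)]

def hunt(plists, codesign_outputs, network_lines, process_lines):
    """Run every check; return a flat list of {type, indicator, where} findings."""
    found = []
    for path, data in plists.items():
        bid = bundle_id_from_plist(data)
        if bid in IOC_BUNDLE_IDS:
            found.append({"type": "bundle_id", "indicator": bid, "where": path})
    for path, out in codesign_outputs.items():
        tid = team_id_from_codesign(out)
        if tid in IOC_TEAM_IDS:
            found.append({"type": "team_id", "indicator": tid, "where": path})
    found += [{"type": k, "indicator": i, "where": f"network:{n}"}
              for n, k, i in scan_network_logs(network_lines)]
    found += [{"type": "process", "indicator": s, "where": f"process:{n}"}
              for n, s in scan_process_logs(process_lines)]
    return found

# ---- Constructed sample input; nothing here was captured from a real host ----
SAMPLE_PLISTS = {
    "/Applications/PDF-Brain.app/Contents/Info.plist": plistlib.dumps(
        {"CFBundleIdentifier": "com.app.pdfBrain", "CFBundleName": "PDF-Brain"}),
    "/Applications/Safari.app/Contents/Info.plist": plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"}),
}
SAMPLE_CODESIGN = {
    "/Applications/PDF-Brain.app": "Identifier=com.app.pdfBrain\n"
        "Authority=Developer ID Application: Batuhan Dabag (FW9NHQ8922)\nTeamIdentifier=FW9NHQ8922\n",
    "/Applications/Safari.app": "Identifier=com.apple.Safari\nTeamIdentifier=not set\n",
}
SAMPLE_NETWORK_LOG = [
    "2025-01-01T10:00:00Z host=mbp-17 q=healightejustb.org type=A",
    "2025-01-01T10:00:02Z host=mbp-17 q=www.google.com type=A",
    "2025-01-01T10:00:05Z host=mbp-17 q=cdn.atsheisdomestic.org type=A",
    "2025-01-01T10:00:07Z host=mbp-17 GET https://healightejustb.org/checkupdateTO.js 200",
    "2025-01-01T10:00:09Z host=mbp-17 q=notatsheisdomestic.org type=A",  # must not match
]
SAMPLE_PROCESS_LOG = [
    "2025-01-01T10:00:01Z ppid=812 cmd=/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice"
    " | grep IOPlatformUUID | sed 's/.*\"IOPlatformUUID\" = \"//; s/\"//g'",
    "2025-01-01T10:00:03Z ppid=812 cmd=killall \"Google Chrome\"",
    "2025-01-01T10:00:04Z ppid=1 cmd=/usr/bin/open -a Safari",
]
```

Calling hunt(SAMPLE_PLISTS, SAMPLE_CODESIGN, SAMPLE_NETWORK_LOG, SAMPLE_PROCESS_LOG) on the constructed input yields seven findings: the PDF-Brain bundle identifier, its Team ID, two domain hits (including the cdn. subdomain), the checkupdateTO.js URL, and the two process signals; the Safari entries and the look-alike notatsheisdomestic.org line produce nothing. The bundle-identifier and Team ID checks are the high-confidence ones, since they come straight from the signed bundle; treat the ioreg and killall signals as supporting evidence only, because both commands are common in benign software.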
Read more: https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/