FlutterShell Backdoor Targets macOS Users via Malicious Google and YouTube Ads
Cybersecurity researchers have uncovered an ongoing macOS malvertising campaign, identified as Operation FlutterBridge, that distributes a new backdoor malware known as FlutterShell. The operation is believed to be an evolution of a previously tracked threat cluster called JSCoreRunner (also known as FileRipple), which was first observed in August 2025. The group behind these attacks is tracked as CL-CRI-1089 and has reportedly been active since at least 2023.
Malvertising campaign and distribution method
The attackers rely heavily on malicious advertisements served through Google and YouTube. These ads are promoted using a network of Google-verified shell companies, designed to appear legitimate and bypass ad platform vetting systems. Some of these entities include AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED (now operating as PACIFIC TRADE SOLUTIONS LTD).
These ads primarily target macOS users across the United States, Canada, Australia, France, and Germany. Although many of the associated ad accounts are no longer visible in public transparency tools, corporate records suggest links between these firms and individuals based in Ukraine.
FlutterShell malware capabilities
FlutterShell is built using the Flutter framework and is distributed through malicious desktop applications disguised as legitimate software. Once installed, it combines adware functionality with advanced backdoor features, allowing attackers to:
- Execute arbitrary shell commands
- Manipulate files on the infected system
- Exfiltrate environment variables
- Perform system fingerprinting
- Steal browser session data
A notable behavior of the malware is its ability to hijack Google Chrome by modifying configuration files, forcing all web traffic through attacker-controlled intermediary pages filled with advertisements.
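A defender-side check for the kind of hijack described above, added here as an example rather than code from the report or the researchers: it audits the Chrome navigation settings such a hijack would have to rewrite. The report does not name which configuration files or keys FlutterShell modifies, so the check assumes the standard Chrome Preferences JSON keys for homepage, startup pages and default search provider; the sample file and the `ad-intermediary.invalid` host are constructed placeholders, not indicators from the campaign.

```python
"""Audit a Chrome 'Preferences' file for hijacked navigation settings."""
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of a Chrome Preferences file; the host is a placeholder.
SAMPLE_PREFS = json.dumps({
    "homepage": "https://ad-intermediary.invalid/?r=https://www.google.com",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["https://ad-intermediary.invalid/start"]},
    "default_search_provider_data": {"template_url_data": {
        "url": "https://ad-intermediary.invalid/s?q={searchTerms}"}},
})

# Hosts the organisation considers legitimate for these settings (assumed list).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}


def _host(url):
    return urlparse(url).hostname or ""


def audit_prefs(text, trusted=TRUSTED_HOSTS):
    """Return (setting, url) pairs whose URL points at an untrusted host."""
    prefs = json.loads(text)
    findings = []
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", True) \
            and _host(homepage) not in trusted:
        findings.append(("homepage", homepage))
    session = prefs.get("session", {})
    # restore_on_startup == 4 means "open a specific set of pages" at launch
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            if _host(url) not in trusted:
                findings.append(("session.startup_urls", url))
    search_url = (prefs.get("default_search_provider_data", {})
                  .get("template_url_data", {}).get("url"))
    if search_url and _host(search_url) not in trusted:
        findings.append(("default_search_provider_data", search_url))
    return findings


def audit_profile(profile_dir):
    """Audit a real profile, e.g. ~/Library/Application Support/Google/Chrome/Default."""
    return audit_prefs(Path(profile_dir, "Preferences").read_text())


if __name__ == "__main__":
    for setting, url in audit_prefs(SAMPLE_PREFS):
        print(f"suspicious {setting}: {url}")
```

Run `audit_profile` against each Chrome profile directory on a host under investigation; any finding is a lead to correlate with recently installed applications, not proof of this specific malware.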
Advanced WebView-based architecture
One of the defining features of FlutterShell is its WebView-based design, which includes a JavaScript-to-native bridge. This architecture enables communication between the embedded web content and the native macOS application, allowing attackers to dynamically control malware behavior remotely.
This design gives the operators the ability to modify malicious functionality in real time without needing to update or recompile the infected application, making detection and mitigation more difficult.
AI-related features and variants
Researchers have identified multiple FlutterShell variants, including PodcastsLounge, PDF-Brain, and PDF-Ninja. Some of these versions incorporate experimental features such as AI-powered document summarization, which sends user documents to attacker-controlled servers for processing before returning results.
These variants also include unfinished code, indicating that the malware is still under active development.
Links to earlier campaigns
FlutterShell shares significant technical overlap with earlier campaigns such as Calendaromatic and Recipe Lister, which are part of a broader activity set known as TamperedChef (also referred to as EvilAI). These campaigns also used trojanized productivity applications to distribute adware and potentially unwanted programs.
Additionally, Advantage Web Marketing LLC has been linked not only to macOS malware distribution but also to Windows-based adware campaigns.
Growing sophistication of CL-CRI-1089
Researchers note that the evolution from JSCoreRunner to FlutterShell demonstrates a clear increase in technical complexity. The use of shell companies, verified developer accounts, and notarized macOS applications allows the malware to bypass Apple’s automated security checks at the time of submission.
Security experts warn that the scale of the malvertising infrastructure, combined with rapid malware iteration and multi-platform targeting, suggests the campaign is ongoing and likely to expand further.