Researchers say macOS malvertising campaign is spreading FlutterShell backdoor

Cybersecurity researchers have identified a macOS malvertising campaign called Operation FlutterBridge that is spreading a new backdoor named FlutterShell, with activity detected as recently as March 2026, according to a technical analysis by Palo Alto Networks Unit 42.

KEY FACTS

  • Targeted platforms: macOS users in the U.S., Canada, Australia, France and Germany.
  • Delivery method: Malicious Google and YouTube ads led users to trojanized desktop apps.
  • Capabilities: FlutterShell can execute shell commands, manipulate files and exfiltrate environment variables.
  • Technical detail: The malware uses a WebView-based design that lets attackers change behavior without rebuilding the binary.
  • Variants: Researchers identified PodcastsLounge, PDF-Brain and PDF-Ninja.

The report says the campaign is linked to the threat cluster CL-CRI-1089, which the researchers say has been active since at least 2023. It also describes the operation as the next stage of a previously reported macOS activity cluster known as JSCoreRunner, also called FileRipple.

According to the disclosure, the attackers used a network of Google-verified shell companies to run the ads. Some of the entities named in the report include AdsParkPro LTD, Advantage Web Marketing LLC and SOFT WE ART LIMITED, now called PACIFIC TRADE SOLUTIONS LTD.

The malware was signed with valid Apple Developer IDs and passed notarization, which meant Apple’s automated checks did not flag the samples as malicious at the time of submission. The analysis also says some variants modified Google Chrome configuration files to route traffic through an attacker-controlled intermediary site.

Researchers said two variants, PDF-Brain and PDF-Ninja, included an AI-powered summarization feature that sent documents through an attacker-controlled server before processing. The report also says the malware can fingerprint systems and steal browser session data.

WHY IT MATTERS

The findings show how paid advertising, signed macOS apps and WebView-based malware can combine to bypass routine security checks and reach users. The campaign also suggests the operators are still developing new variants and delivery methods.