FlutterShell backdoor spreads via Google, YouTube malvertising

FlutterShell spreads to macOS users through malicious Google and YouTube ads that deliver trojanized desktop apps, hijack Chrome traffic and allow remote command execution.

Palo Alto Networks Unit 42 reports a malvertising campaign called Operation FlutterBridge that has distributed a macOS backdoor named FlutterShell. Targets include users in the U.S., Canada, Australia, France and Germany. Activity was detected as recently as March 2026 and is linked to an earlier cluster tracked as JSCoreRunner or FileRipple and to a group Unit 42 tracks as CL-CRI-1089, active since at least 2023.

The campaign uses malicious Google and YouTube advertisements to direct users to installers that mimic legitimate productivity and media apps. Installed samples change Google Chrome configuration to route browser traffic through an attacker-controlled intermediary site that serves ads. All observed samples were signed with valid Apple Developer IDs and passed Apple notarization checks.

FlutterShell is built with the Flutter framework. It can execute arbitrary shell commands, read and write files, collect environment variables, fingerprint systems and steal browser session data. Unit 42 identified three variants named PodcastsLounge, PDF-Brain and PDF-Ninja.

Unit 42 wrote: “Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications. In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation.”

The backdoor uses a WebView-based design with a JavaScript-to-native bridge. That setup lets operators host malicious logic on external web pages and change malware behavior in real time without updating the native app. The PDF-Brain and PDF-Ninja variants include an AI-based summarization feature that sends documents to an attacker-controlled server before processing. Researchers found incomplete functions in the hosted JavaScript, which indicates the code is under development.

Unit 42 links this campaign to a broader set of operations called TamperedChef or EvilAI, which previously distributed trojanized apps such as Calendaromatic and Recipe Lister using the same malvertising network. Company records in the U.K. Companies House and the YouControl registry show the shell companies used to run the ads – including AdsParkPro LTD, Advantage Web Marketing LLC and SOFT WE ART LIMITED (now PACIFIC TRADE SOLUTIONS LTD) – have ties to Ukrainian individuals. Google Ads accounts connected to the campaign are not visible in the Google Ads Transparency Center at this time.

Unit 42 noted Advantage Web Marketing LLC has also been observed signing Windows adware linked to the same cluster. The analysts recommend users avoid installing software from ads, verify downloads directly from vendor websites and check app signing and notarization. Security teams should monitor Chrome configuration changes and unusual outbound connections to unknown intermediary domains. The technical analysis was prepared by Ido Asher, Noa Dekel and Tom Fakterman.
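One way for a security team to act on the "monitor Chrome configuration changes" advice above, as an added example that is not part of Unit 42's analysis or this article: an audit of the macOS Chrome policy plist for proxy settings that would push browser traffic through an unknown relay. The article does not state which Chrome configuration mechanism FlutterShell modifies, so the assumption here is policy-based proxying in the com.google.Chrome preference domain; the relay hostname and the approved-proxy list are constructed placeholders.

```python
import plistlib
from typing import Iterable, List

# Chrome enterprise policy keys that can reroute browser traffic. On macOS Chrome reads
# them from the com.google.Chrome preference domain (e.g. /Library/Managed Preferences/
# com.google.Chrome.plist); adware can plant them to push traffic through a relay.
PROXY_POLICY_KEYS = ("ProxyMode", "ProxyServer", "ProxyPacUrl", "ProxySettings")


def proxy_hosts(server_value: str) -> List[str]:
    """Extract hostnames from a ProxyServer value such as 'host:8080' or
    'http=a:80;https=b:443' (the forms Chrome's proxy-server syntax accepts)."""
    hosts = []
    for entry in server_value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # scheme=host:port form
            entry = entry.split("=", 1)[1]
        if "://" in entry:                    # strip an explicit proxy scheme
            entry = entry.split("://", 1)[1]
        hosts.append(entry.split(":", 1)[0].lower())
    return hosts


def audit_chrome_policy(plist_bytes: bytes, approved_hosts: Iterable[str]) -> List[str]:
    """Return one finding per proxy-related policy whose target is not on the allow-list."""
    policy = plistlib.loads(plist_bytes)
    approved = {h.lower() for h in approved_hosts}
    findings: List[str] = []
    # ProxySettings is a dictionary that nests the same keys as the top-level policies.
    nested = policy.get("ProxySettings") if isinstance(policy.get("ProxySettings"), dict) else {}
    for scope in (policy, nested):
        mode = scope.get("ProxyMode")
        if mode not in (None, "direct", "system"):
            findings.append(f"ProxyMode={mode!r} forces non-system proxying")
        if "ProxyPacUrl" in scope:
            findings.append(f"ProxyPacUrl={scope['ProxyPacUrl']!r} hands routing to a remote PAC script")
        for host in proxy_hosts(str(scope.get("ProxyServer", ""))):
            if host not in approved:
                findings.append(f"ProxyServer points at unapproved host {host!r}")
    if policy.get("ExtensionInstallForcelist"):
        findings.append("ExtensionInstallForcelist silently installs: " + ", ".join(policy["ExtensionInstallForcelist"]))
    return findings


# Constructed sample plists (placeholders, not campaign indicators): one rerouting through a
# relay the organisation never approved, one leaving Chrome on the system proxy settings.
SUSPECT_PLIST = plistlib.dumps({"ProxyMode": "fixed_servers", "ProxyServer": "ads-relay.invalid:8080"})
BENIGN_PLIST = plistlib.dumps({"ProxyMode": "system"})

if __name__ == "__main__":
    for finding in audit_chrome_policy(SUSPECT_PLIST, approved_hosts=["proxy.corp.example"]):
        print("ALERT:", finding)
```

On a real host, feed the function the bytes of `/Library/Managed Preferences/com.google.Chrome.plist` and `~/Library/Preferences/com.google.Chrome.plist`, and alert on any finding that appears between two scheduled runs.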