Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems
ID: 66882230-ea07-59c0-94e4-8374350099f0
STIX ID: report--66882230-ea07-59c0-94e4-8374350099f0
Feed Name: cybersecurityNews.com
Unit 42 tracked Operation FlutterBridge, a global malvertising campaign that used hundreds of verified Google Ads accounts to push notarized macOS applications (PodcastsLounge, PDF-Brain, PDF-Ninja) that install a backdoor named FlutterShell. The backdoor uses a WebView to fetch its attack logic from a remote server (flutterInvoke), giving the operators full remote control; it silently modifies Chrome settings and exfiltrates data (including via an AI summarization feature). The report lists multiple active C2 domains and SHA256 indicators of compromise.
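The post notes that the report carries SHA256 indicators for the trojanized app bundles but does not reproduce them here. As an added example (not code from Unit 42, from this post, or from the campaign analysis), the following Python sweep hashes every file under each .app bundle below a root such as /Applications and reports matches against an indicator set. The indicator values, the bundle it builds for its self-test, and the file contents inside it are constructed placeholders; a practitioner would substitute the SHA256 hashes published in the report.

```python
"""IoC hash sweep for macOS application bundles (added example).

Hashes every regular file inside each .app bundle found under a root
directory and reports files whose SHA-256 is in a supplied indicator set.
Nothing here is taken from the Unit 42 report: the indicator set and the
demo bundle are constructed placeholders.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Constructed placeholder, NOT a real FlutterShell indicator. Replace with
# the SHA256 values from the report.
PLACEHOLDER_IOC_HASHES = {"0" * 64}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large Mach-O binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_app_bundles(root: Path):
    """Yield top-level .app directories under root.

    os.walk is pruned at each bundle; nested helper bundles inside it are
    still covered because sweep_bundles() rglobs the whole bundle.
    """
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                yield Path(dirpath) / d
                dirnames.remove(d)


def sweep_bundles(root, ioc_hashes):
    """Return a list of (bundle, file, sha256) for every file matching ioc_hashes."""
    hits = []
    for bundle in iter_app_bundles(Path(root)):
        for f in bundle.rglob("*"):
            # Skip symlinks so a link out of the bundle is not hashed twice or followed.
            if f.is_file() and not f.is_symlink():
                digest = sha256_of_file(f)
                if digest in ioc_hashes:
                    hits.append((str(bundle), str(f), digest))
    return hits


# --- self-test fixture: constructed, not a real sample -------------------
DEMO_PAYLOAD = b"hello"  # stand-in for an executable's bytes
DEMO_PAYLOAD_SHA256 = hashlib.sha256(DEMO_PAYLOAD).hexdigest()


def build_demo_bundle(root: Path) -> Path:
    """Create a fake PDF-Ninja.app (name from the report, contents constructed)."""
    bundle = root / "PDF-Ninja.app"
    exe = bundle / "Contents" / "MacOS" / "PDF-Ninja"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(DEMO_PAYLOAD)
    (bundle / "Contents" / "Info.plist").write_text("<plist/>")
    return bundle


def demo():
    """Build the fake bundle in a temp dir and sweep it; returns the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_bundle(Path(tmp))
        return sweep_bundles(tmp, PLACEHOLDER_IOC_HASHES | {DEMO_PAYLOAD_SHA256})


if __name__ == "__main__":
    # Usage: python sweep.py /Applications hashes.txt  (one SHA256 per line)
    if len(sys.argv) == 3:
        iocs = {line.strip().lower() for line in open(sys.argv[2]) if line.strip()}
        for bundle, path, digest in sweep_bundles(sys.argv[1], iocs):
            print(f"HIT {digest} {path}")
    else:
        for hit in demo():
            print("demo hit:", hit)
```

Run it against /Applications and ~/Applications with the report's hash list; a hit on a notarized bundle is expected for this campaign, since notarization only attests that Apple scanned the binary at submission time, not that it is benign.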
