Hackers Deploy FlutterShell Backdoor Through Malvertising Campaigns
ID: 09a9bd87-cedd-50f7-b9de-be3464e2ca46
STIX ID: report--09a9bd87-cedd-50f7-b9de-be3464e2ca46
Feed Name: Cyber Press
Researchers tracked a financially motivated campaign, Operation FlutterBridge, in which the CL-CRI-1089 cluster distributes a notarized macOS backdoor named FlutterShell through malicious desktop apps promoted with large Google Ads purchases. The malware embeds a Flutter WebView and uses a JavaScript-to-native bridge to fetch malicious scripts from remote servers at runtime, so the shipped binary offers little for static detection to match; observed actions include hijacking Chrome's default search provider. The report provides multiple SHA256 indicators.
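The summary names Chrome search-provider hijacking as an observed outcome but does not show how to check for it. The following hunting script is an added example, not code from the Cyber Press report or from the FlutterShell operators, and the sample Preferences data in it is constructed rather than taken from the report's indicators. It assumes Chrome conventions the page does not state: that the user-level default engine is stored in the profile's Preferences JSON under default_search_provider_data.template_url_data, that the built-in Google entry uses the {google:baseURL} placeholder, and that an enterprise override surfaces through the DefaultSearchProviderSearchURL policy key (readable on macOS with `defaults read com.google.Chrome`).

```python
"""Hunt for a hijacked Chrome default search provider (macOS profile JSON).

Added example; not code from the report or the threat actor. Assumptions
(Chrome conventions, not stated on the page): the user's default engine
lives in Preferences under default_search_provider_data.template_url_data,
the built-in Google template starts with {google:baseURL}, and a managed
override is exposed via the DefaultSearchProviderSearchURL policy key.
"""
import json
import sys
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts a fleet would normally accept as a default engine; tune for your estate.
KNOWN_SEARCH_HOSTS = {
    "www.google.com", "google.com", "www.bing.com", "bing.com",
    "duckduckgo.com", "search.yahoo.com", "www.ecosia.org", "yandex.com",
}

# Chrome's built-in Google template uses this placeholder instead of a host.
GOOGLE_PLACEHOLDER = "{google:baseURL}"


def _host(url: str) -> str:
    """Lowercase host of a template URL; the {searchTerms} placeholder in the
    query string does not disturb hostname parsing."""
    return (urlparse(url).hostname or "").lower()


def _check_url(url: str, source: str, known_hosts) -> Optional[Dict]:
    """Return a finding dict if the template URL points at an unexpected host."""
    if not url or url.startswith(GOOGLE_PLACEHOLDER):
        return None
    host = _host(url)
    if host in known_hosts:
        return None
    return {"source": source, "host": host, "url": url}


def check_search_provider(prefs: Dict, policy: Optional[Dict] = None,
                          known_hosts=KNOWN_SEARCH_HOSTS) -> List[Dict]:
    """One finding per unexpected engine, from user prefs and managed policy.

    `prefs` is the parsed Preferences JSON; `policy` is an optional dict of
    Chrome policy keys (e.g. from `defaults read com.google.Chrome`)."""
    findings: List[Dict] = []
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    finding = _check_url(tmpl.get("url", ""), "user preferences", known_hosts)
    if finding:
        finding["keyword"] = tmpl.get("keyword", "")
        findings.append(finding)
    if policy:
        finding = _check_url(policy.get("DefaultSearchProviderSearchURL", ""),
                             "managed policy", known_hosts)
        if finding:
            findings.append(finding)
    return findings


# Constructed samples for demonstration; not indicators from the report.
HIJACKED_PREFS = {"default_search_provider_data": {"template_url_data": {
    "keyword": "search.example.net", "short_name": "Search",
    "url": "https://search.example.net/q?term={searchTerms}&src=flt"}}}
CLEAN_PREFS = {"default_search_provider_data": {"template_url_data": {
    "keyword": "google.com", "short_name": "Google",
    "url": "{google:baseURL}search?q={searchTerms}"}}}


def scan_profile(path: Path) -> List[Dict]:
    """Scan a real profile file, e.g.
    ~/Library/Application Support/Google/Chrome/Default/Preferences"""
    with path.open(encoding="utf-8") as fh:
        return check_search_provider(json.load(fh))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_profile(Path(sys.argv[1]))
    else:
        results = check_search_provider(HIJACKED_PREFS)
    for r in results:
        print(f"[{r['source']}] unexpected default search host {r['host']}: {r['url']}")
```

Run it against each Chrome profile directory on a suspect host; an engine whose host is outside the allowlist, or a managed-policy override the fleet never pushed, is the artefact to pivot from. A missing default_search_provider_data block is normal (the built-in engine is in use) and produces no finding.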
