Malicious Ads Target macOS Users with FlutterShell Backdoor
ID: acc21d60-3165-5897-8ebd-4f8322455549
STIX ID: report--acc21d60-3165-5897-8ebd-4f8322455549
Feed Name: GBHackers
This report details Operation FlutterBridge, a large-scale malvertising campaign that uses Google Ads to distribute a macOS backdoor named FlutterShell. The malware, built with the Flutter framework and a WebView-based JS-to-native bridge, dynamically loads malicious logic from attacker-controlled servers and provides backdoor capabilities (remote shell execution, file access, environment-data exfiltration) while also performing browser hijacking for ad fraud. Samples were signed with valid Apple Developer IDs and notarized at distribution time, which complicates detection. The campaign uses shell companies for its advertiser accounts and shows ties to other cross-platform adware families, indicating a coordinated, evolving operation.
