logo

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

ID: 76f36fff-28a4-5a11-9c2e-f1432779a394

STIX ID: report--76f36fff-28a4-5a11-9c2e-f1432779a394

Feed Name: Palo Alto Networks Unit 42

Threat Score
78/100

Date Published: 2026-06-02

Date Updated: 2026-06-03

Author: Ido Asher, Noa Dekel and Tom Fakterman

...
...

Operation FlutterBridge is an active global malvertising campaign that uses hundreds of Google-verified advertisements and shell companies to distribute FlutterShell — a notarized macOS application built with the Flutter framework that loads malicious JavaScript from attacker-controlled sites via a WebView JavaScript-to-native bridge. FlutterShell functions as adware and a full backdoor (arbitrary shell execution, file system manipulation, environment harvesting) and can exfiltrate document contents by proxying them through an attacker-controlled AI summarization endpoint; the report includes technical analysis, variant evolution, indicators of compromise (hashes and domains), and recommended mitigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.