FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads

ID: 74b6444d-a95d-5491-ad27-cad0da12b20e

STIX ID: report--74b6444d-a95d-5491-ad27-cad0da12b20e

Feed Name: The Hacker News

Threat Score: 70/100

Date Published: 2026-06-04

Date Updated: 2026-06-04

Author: The Hacker News

Palo Alto Networks Unit 42 describes Operation FlutterBridge, a malvertising campaign targeting macOS users in multiple countries that delivers FlutterShell — a notarized, Flutter-based payload combining adware, backdoor, and data-theft capabilities. The attackers (CL-CRI-1089) use Google/YouTube ads served via shell companies to lure victims into trojanized desktop apps; FlutterShell leverages a WebView JavaScript-to-native bridge to host and change malicious logic remotely, with multiple active variants (PodcastsLounge, PDF-Brain, PDF-Ninja) observed as recently as March 2026.
