Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems
Cybersecurity NewsArchived Jun 05, 2026✓ Full text saved
A new and rapidly spreading malware campaign is putting macOS users at serious risk. Threat actors are using Google Ads to push fake desktop applications that secretly install a powerful backdoor on infected machines. The campaign, dubbed Operation FlutterBridge, marks a sharp escalation in tactics from financially motivated attackers who have been active since at […] The post Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems
By Tushar Subhra Dutta
June 4, 2026
A new and rapidly spreading malware campaign is putting macOS users at serious risk. Threat actors are using Google Ads to push fake desktop applications that secretly install a powerful backdoor on infected machines.
The campaign, dubbed Operation FlutterBridge, marks a sharp escalation in tactics from financially motivated attackers who have been active since at least 2023.
The malware at the center of this campaign is called FlutterShell, a backdoor built using Google’s Flutter framework. It is designed to look and feel like a real application while quietly running malicious code in the background.
What makes FlutterShell particularly dangerous is that it goes beyond basic spying. It gives attackers full remote control over the infected system, including the ability to execute commands, read and write files, and steal sensitive data.
Researchers from Unit 42, the threat intelligence division of Palo Alto Networks, identified and tracked this campaign under the activity cluster CL-CRI-1089.
Unit 42 said in a report shared with Cyber Security News (CSN) that the attackers have been spreading malware via malvertising since at least 2023, targeting both Windows and macOS users through separate, ongoing operations.
WebView architecture to native OS code execution graph (Source – Unit42)
The campaign uses hundreds of verified Google Ads accounts tied to shell companies to distribute the malware at scale.
Ads were crafted to appear legitimate and reached a broad global audience, with a focus on English-speaking countries and Western European markets including France and Germany. Google confirmed it suspended the advertiser accounts after being notified by Unit 42.
What sets FlutterBridge apart from earlier operations is how aggressively the attackers adapted.
When one shell company, AdsParkPro LTD, was removed from Google Ads in January 2026, the actors resurfaced just two weeks later under a new verified account and released a fresh malware variant.
Hackers Use Malicious Ads
FlutterShell uses a clever architecture that keeps its malicious code off the device entirely. Instead of embedding harmful instructions in the app binary, the malware loads a remote webpage through a built-in browser component called a WebView.
That webpage contains the actual attack logic, sent as commands over a channel named flutterInvoke. This design lets attackers change what the malware does at any moment, without updating the app itself.
Three distinct versions of FlutterShell were identified during the investigation. The first posed as a podcast player called PodcastsLounge, while the two later versions appeared as PDF viewers named PDF-Brain and PDF-Ninja.
PodcastsLounge delivery website (left) and PDF-Brain delivery website (right) (Source – Unit42)
All three were fully functional applications, making it extremely hard for users to notice anything suspicious. At the time of analysis, all three had zero detections on VirusTotal and had passed Apple’s notarization process with valid developer IDs.
Once installed, the malware fingerprints the machine and then targets Google Chrome. It modifies Chrome’s settings file to redirect every new tab and search query to an attacker-controlled site loaded with ads.
The process is completely silent and users see no warning. The PDF-Brain and PDF-Ninja versions also weaponized an AI summarization feature, secretly routing document content through attacker servers before delivering results to the user.
The Evolving Infrastructure Behind CL-CRI-1089
The shell companies powering this ad campaign showed clear signs of fraud infrastructure. All had minimal online presence, templated websites, and were led by Ukrainian nationals with no verifiable professional history.
Investigators found the companies were registered roughly a year before their first ad spend, a tactic to age the accounts and slip past early fraud detection filters.
Tracking Advantage Web Marketing LLC advertisements in Google Ads Transparency Center (Source – Unit42)
The connection to earlier campaigns ran deep. FlutterShell shares its core command structure with a previously documented macOS malware called JSCoreRunner, including functions for executing commands, reading files, and listing directories.
The key difference is that JSCoreRunner embedded its logic statically in the binary, while FlutterShell retrieves it dynamically, making detection far more difficult.
Security teams are advised to block the known C2 domains and monitor for suspicious changes to Chrome’s Secure Preferences file.
Watching for the IOPlatformUUID fingerprinting command and unexpected Chrome process restarts with custom launch arguments can help identify infected systems before further damage is done.
Indicators of Compromise (IoCs):-
Type Indicator Description
SHA256 021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845 PodcastsLounge.dmg — DMG installer for malicious PodcastsLounge app
SHA256 363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34 podcasts_lounge.app — Main executable, Developer ID: Yasar Sever (UBZDAAV97Y)
SHA256 8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109 Dynamic library (dylib) associated with PodcastsLounge
SHA256 644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70 PDF-Brain.dmg — DMG installer for malicious PDF-Brain app
SHA256 9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47 PDF-Brain.app — Main executable, Developer ID: Batuhan Dabag (FW9NHQ8922)
SHA256 b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea Dynamic library (dylib) associated with PDF-Brain
SHA256 9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de PDF-Ninja.dmg — DMG installer for malicious PDF-Ninja app
SHA256 30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530 PDF-Ninja.app — Main executable, Developer ID: Yusuf Bal (B73CHZ24Y8)
SHA256 48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745 Dynamic library (dylib) associated with PDF-Ninja
Domain atsheisdomestic[.]org PodcastsLounge C2 domain
URL hxxps[:]//atsheisdomestic[.]org/update-thanks.html PodcastsLounge C2 payload URL
Domain etoftheappyrince[.]org PDF-Brain C2 domain
URL hxxps[:]//etoftheappyrince[.]org/update-delay PDF-Brain C2 delay endpoint
Domain healightejustb[.]org PDF-Ninja C2 domain
URL hxxps[:]//healightejustb[.]org/checkupdateTO.js PDF-Ninja C2 update script
Domain sinterfumesco[.]com Attacker-controlled adware redirect site
Domain ads-parkpro[.]com Website previously associated with AdsParkPro LTD
Domain adsparkpro[.]top Website previously associated with AdsParkPro LTD
Domain adsparkpro[.]net Website previously associated with AdsParkPro LTD
Domain softwe[.]art Website associated with SOFT WE ART LIMITED
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Fake Claude Code Installer Via Google Sites Delivers Credential-Stealing Malware
Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository
Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection
Acer Working to Patch Wave 7 Router 0-day Vulnerability
Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages
Latest News
Cyber Security News
IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets
Cyber Security News
Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials
Cyber Security News
CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks
Cyber Security
Anthropic’s Claude Oceanus-v1-p Opens to Red Team Testing, but Distribution is Compromised
Cyber Security News
Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks