Skip to main content
Emerging ThreatsMalware & Ransomware

Malvertising Campaign Targets macOS with FlutterShell Backdoor

Brightly-lit operation center with multiple workstations and cityscape background, hinting at network infrastructure.

"Malware has no place on our platforms, and we’ve suspended these advertiser accounts for violating our policies," Google said after researchers reported the advertisers behind an expansive malvertising campaign that has been delivering a new macOS backdoor at scale.

CL-CRI-1089: who is running the ads and where they focused

Palo Alto Networks Unit 42 attributes the campaign to a cybercrime cluster it tracks as CL-CRI-1089, active since at least 2023. The cluster distributed malicious macOS applications through an extensive Google Ads operation — described in the report as “hundreds of Google-verified advertisements” — and relied on a network of shell companies to pass ad-network vetting. Unit 42 identified AdsParkPro LTD and Advantage Web Marketing LLC as verified advertisers in the macOS phase, with a third entity, SOFT WE ART LIMITED, tied to earlier Windows activity. The actor concentrated budget in Western European markets (notably France and Germany) and English-speaking regions including the U.S., Canada and Australia.

FlutterShell: a Flutter-built backdoor hiding in functional apps

The payload, named FlutterShell, is a macOS backdoor developed using the Flutter framework and delivered inside apparently legitimate desktop applications — PodcastsLounge, PDF-Brain and PDF-Ninja. The binaries were signed with valid Apple Developer IDs and passed Apple notarization during submission. Unit 42 found the apps fully functional, which concealed background malicious behavior; many observed variants initially registered zero detections on VirusTotal.

Technically, FlutterShell uses a WebView-based architecture and a JavaScript-to-native bridge. Instead of embedding malicious logic in the binary, the application loads JavaScript from attacker-controlled webpages. That remote code is passed over a message channel named flutterInvoke as JSON commands, and the native Dart environment translates those into system calls. Built-in command capabilities include arbitrary shell command execution, file-system interaction and environment-variable exfiltration.

Delivery mechanics, persistence and abuse of update tooling

FlutterShell delays contacting its command-and-control (C2) servers by fetching a runtime delay from [attacker_domain]/api/update-delay; defaults are 600 seconds if unreachable and 1,200 seconds if the server responds with a null value. After the timer expires the app forces itself to the foreground and loads [attacker_domain]/update-thanks.html, which contains the core malicious JavaScript. The malware also loads the attacker site when users click About or Update in the app UI.

The backdoor abuses the Sparkle macOS update framework to silently activate staged updates: it listens for Sparkle’s update-complete callback, checks the Sparkle installation directory in the user cache, programmatically runs the staged app bundle with open, and then forcefully exits the old process so the updated (malicious) binary runs without showing a user approval dialog.

Browser hijacking, AI-enabled exfiltration, and shared infrastructure

Unit 42 observed FlutterShell primarily employed as adware and to hijack Google Chrome. The malware fingerprints the machine by reading IOPlatformUUID and then modifies Chrome’s Secure Preferences file — altering default_search_provider_data url and new_tab_url to the attacker-controlled sinterfumesco[.]com domain. It terminates Chrome using killall and restarts it with arguments that suppress crash UI while forcing an initial connection to the ad-filled intermediary site.

Some variants include an AI summarization capability that doubles as a data-theft mechanism: documents sent for summarization are forwarded to the attackers’ C2 at https://[attacker_domain]/summarize-text, which proxies the request to an AI service while harvesting full document content. Unit 42 also mapped multiple C2 domains (for example, atsheisdomestic[.]org, etoftheappyrince[.]org and healightejustb[.]org) and actor-related domains (ads-parkpro[.]com, adsparkpro[.]net, softwe[.]art).

Links to prior campaigns and Windows artifacts

Unit 42 links FlutterShell to earlier CL-CRI-1089 operations — notably JSCoreRunner (also called FileRipple) and Windows strains RecipeLister and Calendaromatic — through shared distribution points, architecture and a near-identical set of backdoor primitives. The report notes both families use specialized JavaScript-to-native bridges and that six identical core commands appear in both JSCoreRunner and FlutterShell. While Windows builds for the FlutterShell-branded apps existed, Unit 42 observed that, up to early February 2026, the Windows binaries did not contain embedded malicious logic, suggesting a phased deployment strategy.

What this means for Palo Alto Networks customers, Google Ads reviewers, and macOS users

  • Palo Alto Networks customers: Unit 42 lists Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Cortex XDR and XSIAM as protections that identify and block indicators tied to FlutterShell, and notes WildFire models were updated to account for FlutterShell indicators.
  • Google Ads reviewers and platform operators: the campaign demonstrates how verified advertiser status and aged shell corporations can be used to pass vetting; Unit 42 documented a one-year latency between account registration and first ad spend and rapid account switching when listings were removed.
  • macOS users and defenders: infections can arrive inside notarized, signed apps that behave as advertised while loading remote logic; Chrome hijacking and misuse of the Sparkle updater are specific behaviors to monitor for.

Unit 42 concludes that FlutterShell represents an evolution from nuisance adware to a dynamic backdoor, enabled by Flutter’s runtime architecture and remote-hosted logic. The cluster’s rapid variant development, verified ad distribution, and reuse of shell companies indicate the campaign is persistent; Unit 42 states it expects the JavaScript-to-native bridge architecture to be deployed in future campaigns against macOS and Windows.

Original report — Unit 42 / Palo Alto Networks