
Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems


Jun 05, 2026 · 5 min read

A new and rapidly spreading malware campaign is putting macOS users at serious risk. Threat actors are using Google Ads to push fake desktop applications that secretly install a powerful backdoor on infected machines.

The campaign, dubbed Operation FlutterBridge, marks a sharp escalation in tactics from financially motivated attackers who have been active since at least 2023.

The malware at the center of this campaign is called FlutterShell, a backdoor built using Google’s Flutter framework. It is designed to look and feel like a real application while quietly running malicious code in the background.

What makes FlutterShell particularly dangerous is that it goes beyond basic spying. It gives attackers full remote control over the infected system, including the ability to execute commands, read and write files, and steal sensitive data.

Researchers from Unit 42, the threat intelligence division of Palo Alto Networks, identified and tracked this campaign under the activity cluster CL-CRI-1089.

Unit 42 said in a report shared with Cyber Security News (CSN) that the attackers have been spreading malware via malvertising since at least 2023, targeting both Windows and macOS users through separate, ongoing operations.

WebView architecture to native OS code execution graph (Source - Unit42)

The campaign uses hundreds of verified Google Ads accounts tied to shell companies to distribute the malware at scale.

Ads were crafted to appear legitimate and reached a broad global audience, with a focus on English-speaking countries and Western European markets including France and Germany. Google confirmed it suspended the advertiser accounts after being notified by Unit 42.

What sets FlutterBridge apart from earlier operations is how aggressively the attackers adapted.

When one shell company, AdsParkPro LTD, was removed from Google Ads in January 2026, the actors resurfaced just two weeks later under a new verified account and released a fresh malware variant.

Hackers Use Malicious Ads

FlutterShell uses a clever architecture that keeps its malicious code off the device entirely. Instead of embedding harmful instructions in the app binary, the malware loads a remote webpage through a built-in browser component called a WebView.

That webpage contains the actual attack logic, sent as commands over a channel named flutterInvoke. This design lets attackers change what the malware does at any moment, without updating the app itself.

Three distinct versions of FlutterShell were identified during the investigation. The first posed as a podcast player called PodcastsLounge, while the two later versions appeared as PDF viewers named PDF-Brain and PDF-Ninja.

PodcastsLounge delivery website (left) and PDF-Brain delivery website (right) (Source - Unit42)

All three were fully functional applications, making it extremely hard for users to notice anything suspicious. At the time of analysis, all three had zero detections on VirusTotal and had passed Apple’s notarization process with valid developer IDs.

Once installed, the malware fingerprints the machine and then targets Google Chrome. It modifies Chrome’s settings file to redirect every new tab and search query to an attacker-controlled site loaded with ads.

The process is completely silent and users see no warning. The PDF-Brain and PDF-Ninja versions also weaponized an AI summarization feature, secretly routing document content through attacker servers before delivering results to the user.

The Evolving Infrastructure Behind CL-CRI-1089

The shell companies powering this ad campaign showed clear signs of fraud infrastructure. All had minimal online presence, templated websites, and were led by Ukrainian nationals with no verifiable professional history.

Investigators found the companies were registered roughly a year before their first ad spend, a tactic to age the accounts and slip past early fraud detection filters.

Tracking Advantage Web Marketing LLC advertisements in Google Ads Transparency Center (Source - Unit42)

The connection to earlier campaigns ran deep. FlutterShell shares its core command structure with a previously documented macOS malware called JSCoreRunner, including functions for executing commands, reading files, and listing directories.

The key difference is that JSCoreRunner embedded its logic statically in the binary, while FlutterShell retrieves it dynamically, making detection far more difficult.

Security teams are advised to block the known C2 domains and monitor for suspicious changes to Chrome’s Secure Preferences file.

Watching for the IOPlatformUUID fingerprinting command and unexpected Chrome process restarts with custom launch arguments can help identify infected systems before further damage is done.
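As an added, illustrative check (not code from Unit 42 or the article), the script below scans a Chrome Secure Preferences document for startup-page, homepage and default-search settings that point outside an allow-list. The preference keys it inspects and the sample profile are assumptions; the report does not name which keys FlutterShell edits.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# macOS location of the default Chrome profile's Secure Preferences file.
SECURE_PREFS = Path.home() / "Library/Application Support/Google/Chrome/Default/Secure Preferences"

# Dotted preference paths that steer startup pages, the homepage and the default
# search engine. Assumption: a new-tab/search hijack would touch these; the
# report does not say which keys FlutterShell actually modifies.
WATCHED_KEYS = [
    "session.startup_urls",
    "homepage",
    "default_search_provider_data.template_url_data.url",
    "default_search_provider_data.template_url_data.suggestions_url",
]

def _lookup(prefs, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _hosts(value):
    """Yield lower-cased hostnames from a URL string or a list of URL strings."""
    for v in (value if isinstance(value, list) else [value]):
        host = urlparse(str(v)).hostname
        if host:
            yield host.lower()

def find_hijacked_prefs(prefs, allowed_hosts):
    """Return (key, host) pairs whose host is not an allow-listed domain or subdomain."""
    findings = []
    for key in WATCHED_KEYS:
        value = _lookup(prefs, key)
        if value is None:
            continue
        for host in _hosts(value):
            if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
                findings.append((key, host))
    return findings

def scan_file(path=SECURE_PREFS, allowed_hosts=("google.com",)):
    """Load a real Secure Preferences file and report off-allow-list hosts."""
    with open(path, encoding="utf-8") as fh:
        return find_hijacked_prefs(json.load(fh), allowed_hosts)

# Constructed sample: a profile whose startup URL and search provider were redirected.
SAMPLE_PREFS = {
    "session": {"restore_on_startup": 4, "startup_urls": ["https://search.example-adsite.test/"]},
    "homepage": "https://www.google.com/",
    "default_search_provider_data": {"template_url_data": {
        "url": "https://search.example-adsite.test/q={searchTerms}"}},
}

if __name__ == "__main__":
    for key, host in find_hijacked_prefs(SAMPLE_PREFS, ("google.com",)):
        print(f"suspicious {key} -> {host}")
```

Tune the allow-list to the search provider and start pages your organization actually deploys; a hit on any watched key is a prompt to compare the file against a known-good profile, not proof of infection by itself.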

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
