The CL-CRI-1089 threat group is executing "Operation FlutterBridge," a macOS malvertising campaign distributing the FlutterShell backdoor via malicious Google Ads. By utilizing the Google Flutter framework, attackers develop applications that undergo Apple's notarization process, successfully bypassing Gatekeeper and traditional antivirus protections. The malware employs a "thin client" architecture, hosting core malicious logic on remote, attacker-controlled servers to evade static analysis. It leverages a hidden WebView combined with a JavaScript-to-native bridge to facilitate remote command execution (RCE) and unauthorized file system access, providing persistent remote control over compromised macOS endpoints.
-
Campaign Overview & Delivery: Malvertising Vector
- Operates under the designation "Operation FlutterBridge," targeting macOS users via malicious Google Ads.
- Distributes trojanized applications disguised as legitimate podcast and PDF utility tools to lure victims.
- Leverages high-visibility search engine results to maximize scale and facilitate large-scale distribution.
-
Technical Mechanics: Framework Weaponization
- Utilizes Google's Flutter architecture to build visually authentic, legitimate-looking applications.
- Exploits the Apple Notarization workflow to obtain digital signatures, effectively neutralizing Gatekeeper.
- Employs framework-specific design patterns to obscure the intent and origin of embedded malicious functions.
-
Evasion & Architecture: The "Thin Client" Design
- Decouples malicious logic from the local binary to bypass traditional static analysis engines.
- Hosts primary payloads on remote, attacker-controlled servers to allow for dynamic instruction execution.
- Employs a hidden WebView and a JavaScript-to-native bridge to bridge the gap between remote commands and local system access.
-
Impact & Threat Actor Profile: CL-CRI-1089 Capabilities
- Attributed to the financially motivated threat actor cluster designated as CL-CRI-1089.
- Enables unauthorized remote command execution (RCE) and comprehensive file system access.
- Provides persistent remote access across macOS fleets, targeting both general users and corporate environments.
-
Defensive Strategy: Detection & Mitigation
- Shifts security focus from static binary analysis to behavioral and network-level monitoring.
- Requires monitoring for anomalous outbound traffic to unverified or suspicious remote C2 endpoints.
- Emphasizes the identification of unexpected WebView activity and unauthorized JavaScript-to-native bridge calls.
Related posts
- techjacksolutions.com — Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems
- Unit 42 Threat Intelligence — Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
- SC Media — Malicious podcast, PDF apps spread FlutterShell macOS backdoor malware
- levelblue.com — Operation FlutterBridge: The FlutterShell macOS Backdoor
- Vcsolutions
- Pcrisk
- Daily
- techjacksolutions.com — FlutterShell Backdoor Weaponizes Flutter's Architecture to Evade Apple Notarization and Hit macOS at Scale
- Broadcom
- Hackread
- Thehackernews