{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cortex-agentix-threat-intel-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["CL-CRI-1089"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chrome","Advanced WildFire","Advanced URL Filtering and Advanced DNS Security","Cortex Agentix Threat Intel Agent","Cortex XDR","Cortex XSIAM"],"_cs_severities":["high"],"_cs_tags":["malvertising","macos","backdoor"],"_cs_type":"threat","_cs_vendors":["Google","Apple","Palo Alto Networks"],"content_html":"\u003cp\u003eOperation FlutterBridge is a malvertising campaign targeting macOS users, observed since late 2025 as an expansion of the JSCoreRunner campaign. The financially motivated attackers behind CL-CRI-1089 transitioned from delivering adware to adware with backdoor capabilities. This campaign distributes FlutterShell, a macOS backdoor built using the Flutter framework. FlutterShell infects targets with adware via malicious desktop applications and possesses backdoor capabilities, including shell command execution, file system manipulation, and environment variable exfiltration. Some variants use AI summarization features for data exfiltration. The campaign targets a global audience, emphasizing Anglophone and Western European markets, through Google Ads, using shell companies to bypass ad-network vetting.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker deploys malicious advertisements using a network of Google-verified shell companies.\u003c/li\u003e\n\u003cli\u003eThe user is tricked into downloading a DMG installer masquerading as a legitimate application (podcast player or PDF viewer).\u003c/li\u003e\n\u003cli\u003eThe DMG is opened, and the application bundle is installed.\u003c/li\u003e\n\u003cli\u003eThe application, signed with a valid Apple Developer ID and notarized, executes.\u003c/li\u003e\n\u003cli\u003eFlutterShell waits for a duration received from the C2 server before contacting the attackers\u0026rsquo; website.\u003c/li\u003e\n\u003cli\u003eThe application loads malicious JavaScript code from the attacker\u0026rsquo;s website using a WebView-based architecture.\u003c/li\u003e\n\u003cli\u003eThe JavaScript-to-native bridge is used to execute commands and manipulate the file system.\u003c/li\u003e\n\u003cli\u003eThe malware modifies Google Chrome configuration files to hijack the browser, forcing traffic through an ad-filled intermediary site, and in some variants exfiltrates documents through an attacker-controlled server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOperation FlutterBridge targets a global audience, emphasizing Anglophone and Western European markets. Successful attacks lead to adware infection, unauthorized command execution, file system manipulation, and potential data exfiltration via AI summarization features. The attackers use shell companies to bypass ad network vetting, indicating a well-resourced and persistent threat. The use of valid Apple Developer IDs and notarization helps the malware evade initial detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation for applications signed by the identified Developer IDs (UBZDAAV97Y, FW9NHQ8922, B73CHZ24Y8) associated with FlutterShell to detect potentially malicious applications executing on macOS, as indicated in the IOC section.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to the C2 domains listed in the IOC section, blocking those connections to prevent further communication from infected hosts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting the creation of files by processes with the identified Bundle IDs to identify possible post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eMonitor DNS requests for the listed domains and URLs within your network as a high-fidelity indicator of compromise and C2 activity (IOC section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-02T10:11:08Z","date_published":"2026-06-02T10:11:08Z","id":"https://feed.craftedsignal.io/briefs/2026-06-operation-flutterbridge/","summary":"Operation FlutterBridge is a malvertising campaign targeting macOS users with the new FlutterShell backdoor, which uses malicious desktop applications for adware distribution and provides backdoor capabilities such as command execution and file system manipulation, with some variants using AI summarization for data exfiltration.","title":"Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-06-operation-flutterbridge/"}],"language":"en","title":"CraftedSignal Threat Feed — Cortex Agentix Threat Intel Agent","version":"https://jsonfeed.org/version/1.1"}