Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

What Happened

Attackers are using malicious Google Ads to trick Mac users into downloading fake applications like podcast players and PDF viewers. Once installed, these apps secretly install a backdoor called FlutterShell, which hijacks Google Chrome to show unwanted ads and can give attackers full control over the infected computer. This is dangerous because the malware bypasses standard Apple security checks and can silently update itself with new malicious features. Users should be cautious when clicking on search engine ads and only download software from trusted sources or official app stores.

Key Takeaways

• The CL-CRI-1089 threat cluster is distributing a new macOS backdoor named FlutterShell via widespread Google Ads malvertising.
• FlutterShell uses a WebView-based architecture with a JavaScript-to-native bridge to dynamically load malicious logic, bypassing static analysis.
• The malware masquerades as legitimate, Apple-notarized applications (e.g., PodcastsLounge, PDF-Brain) to evade initial security checks.
• Primary observed activity is browser hijacking via modifications to Google Chrome's Secure Preferences, but the malware possesses full arbitrary command execution capabilities.
• FlutterShell abuses the Sparkle update framework to silently download and execute updated payloads without requiring user interaction.

Affected Systems

• macOS
• Google Chrome

Attack Chain

The attack begins with a user clicking a malicious Google Ad that downloads a masqueraded macOS application (e.g., a podcast player or PDF viewer). Upon execution, the Flutter-based malware waits for a C2-specified delay before loading a hidden WebView that fetches malicious JavaScript. This JavaScript uses a bridge to invoke native Dart functions, allowing the malware to fingerprint the system, modify Google Chrome's Secure Preferences file to hijack search traffic, and establish a backdoor. The malware also abuses the Sparkle update framework to silently download and execute updated payloads without user interaction.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide explicit detection rules, but notes that Palo Alto Networks Cortex XDR and Advanced WildFire provide coverage for the described behaviors and indicators.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions on macOS can monitor process execution (like ioreg and killall), file modifications (Chrome Secure Preferences), and network connections from unusual applications. Network Visibility: Medium — C2 traffic is HTTPS, limiting payload inspection, but DNS requests to known malicious domains or unusual beaconing patterns can be detected. Detection Difficulty: Moderate — The malware uses valid Apple Developer signatures and dynamic payload delivery via WebView, making static analysis difficult. However, its behavioral footprint (modifying Chrome preferences, running ioreg) is relatively noisy.

Required Log Sources

• Process Execution Logs
• File Integrity Monitoring
• DNS Logs
• Network Flow Logs

Hunting Hypotheses

Control Gaps

• Apple Notarization Process
• Google Ads Vetting
• Static AV Scanning (due to Flutter obfuscation)

Key Behavioral Indicators

• Process tree showing a non-standard app spawning 'sh' to run 'ioreg'
• Chrome launched with crash-suppression flags
• Modifications to Chrome Secure Preferences by non-browser processes

False Positive Assessment

• Low. The specific combination of Chrome crash-suppression flags, UUID fingerprinting via ioreg, and the provided IOCs are highly indicative of malicious activity.

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the identified C2 and adware domains (e.g., atsheisdomestic[.]org, sinterfumesco[.]com) at the network perimeter.
• Search endpoint telemetry for the provided SHA256 hashes and isolate any macOS hosts where these files are found.

Infrastructure Hardening

• Evaluate whether application allowlisting can be enforced on macOS endpoints to prevent the execution of unapproved software, even if notarized.
• Consider implementing DNS filtering to block newly registered or uncategorized domains often used in malvertising campaigns.

User Protection

• If your EDR supports it, consider creating behavioral rules to alert on processes modifying browser Secure Preferences files.
• Evaluate deploying ad-blocking extensions to enterprise browsers to reduce the risk of users clicking on malicious advertisements.

Security Awareness

• Consider updating security awareness training to highlight the risks of downloading software from search engine advertisements.
• Remind users to only download applications from official vendor websites or the Mac App Store.

MITRE ATT&CK Mapping

• T1583.008 - Acquire Infrastructure: Malvertising
• T1036.005 - Masquerading: Match Legitimate Name or Location
• T1553.002 - Subvert Trust Controls: Code Signing
• T1189 - Drive-by Compromise
• T1059.004 - Command and Scripting Interpreter: Unix Shell
• T1112 - Modify Registry
• T1082 - System Information Discovery
• T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

• Domains:
  • ads-parkpro[[.]]com - Website previously associated with the AdsParkPro LTD shell company.
  • adsparkpro[[.]]top - Website previously associated with the AdsParkPro LTD shell company.
  • adsparkpro[[.]]net - Website previously associated with the AdsParkPro LTD shell company.
  • softwe[[.]]art - Website associated with the SOFT WE ART shell company.
• Urls:
  • hxxps://atsheisdomestic[.]org/update-thanks.html - PodcastsLounge C2 URL for fetching malicious JavaScript.
  • hxxps://etoftheappyrince[.]org/update-delay - PDF-Brain C2 URL for fetching execution delay duration.
  • hxxps://healightejustb[.]org/checkupdateTO.js - PDF-Ninja C2 URL for fetching malicious JavaScript.
• File Hashes:
  • 021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845 (sha256) - Disk Image (DMG) installer for PodcastsLounge.
  • 8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109 (sha256) - Dynamic library (dylib) associated with PodcastsLounge.
  • 644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70 (sha256) - Disk Image (DMG) installer for PDF-Brain.
  • b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea (sha256) - Dynamic library (dylib) associated with PDF-Brain.
  • 9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de (sha256) - Disk Image (DMG) installer for PDF-Ninja.
  • 48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745 (sha256) - Dynamic library (dylib) associated with PDF-Ninja.
• File Paths:
  • /Users/$USER$/Library/Application Support/Google/Chrome/Profile 1/Secure Preferences - Google Chrome configuration file targeted for browser hijacking.
  • /Users/$USER$/Library/Application Support/Google/Chrome/Default/Secure Preferences - Google Chrome configuration file targeted for browser hijacking.
  • /Users/$USER$/Library/Application Support/Google/Chrome/Profile 2/Secure Preferences - Google Chrome configuration file targeted for browser hijacking.
  • $HOME/Library/Caches/com.app.[appname]/org.sparkle-project.Sparkle/Installation/ - Directory used by FlutterShell to stage silent updates via the Sparkle framework.
• Command Lines:
  • Purpose: System fingerprinting to extract the hardware UUID. | Tools: ioreg, grep, sed, sh | Stage: Discovery | ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID
  • Purpose: Forcefully terminate Google Chrome to apply hijacked settings. | Tools: killall | Stage: Defense Evasion | killall "Google Chrome"
  • Purpose: Relaunch Google Chrome with hijacked URL and flags to suppress crash warnings. | Tools: Google Chrome | Stage: Impact