{"id":263963,"date":"2026-06-04T07:19:00","date_gmt":"2026-06-04T11:19:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/04\/fluttershell-backdoor-spreads-to-macos-via-malicious-google-and-youtube-ads\/"},"modified":"2026-06-04T09:55:45","modified_gmt":"2026-06-04T13:55:45","slug":"fluttershell-backdoor-spreads-to-macos-via-malicious-google-and-youtube-ads","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/04\/fluttershell-backdoor-spreads-to-macos-via-malicious-google-and-youtube-ads\/","title":{"rendered":"FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/fluttershell-backdoor-spreads-to-macos.html\">FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/fluttershell-backdoor-spreads-to-macos.html\">https:\/\/thehackernews.com\/2026\/06\/fluttershell-backdoor-spreads-to-macos.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-04 07:19:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Jun 04, 2026<\/span><\/span><span class=\"p-tags\">Malvertising \/ Browser Security<\/span><\/p>\n<p>Cybersecurity researchers have shed light on a macOS malvertising campaign codenamed Operation FlutterBridge that spreads a new backdoor called FlutterShell.<\/p>\n<p>According to Palo Alto Networks Unit 42, the campaign is said to be the next stage of a previously reported activity cluster dubbed JSCoreRunner (aka FileRipple) in late August 2025. The cybercrime group behind the two attack chains is being tracked under the moniker CL-CRI-1089. 
The attackers are assessed to have been active since at least 2023.<\/p>\n<p>&#8220;Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications,&#8221; Unit 42 said. &#8220;In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation.&#8221;<\/p>\n<p>Operations attributed to CL-CRI-1089 also include Recipe Lister and Calendaromatic, both of which fall under a broader designation known as TamperedChef (aka EvilAI), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware.<\/p>\n<p>These campaigns distribute malicious Google and YouTube advertisements using a network of Google-verified shell companies, with the ads acting as a lure to trick targets into deploying malware that masquerades as legitimate desktop applications. Some of the front companies are AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED (now PACIFIC TRADE SOLUTIONS LTD).<\/p>\n<p>Target audiences for these ads are macOS users in the U.S., Canada, Australia, France, and Germany. Although none of the Google Ads accounts are currently accessible via the Google Ads Transparency Center, records from YouControl and the U.K. 
government&#8217;s Companies House register indicate that the firms all have links to Ukrainian individuals.<\/p>\n<p>The latest iteration entails the deployment of FlutterShell, which supports arbitrary command&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/fluttershell-backdoor-spreads-to-macos.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads https:\/\/thehackernews.com\/2026\/06\/fluttershell-backdoor-spreads-to-macos.html Publish Date: 2026-06-04&#8230;<\/p>\n","protected":false},"author":1,"featured_media":263964,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjwFQkJElJQpI5ODTBzh1EzrxsRYamFN0ntC9V6vF4b4FfEJ0svPhI_1TnKm960eIsewSFT-DR1RtNk3M511OQK6I-k3UQNNLut1f_fjM9wB4NHxdvJzJQ3VvhIGO9ja0hNIzRAOZLVMngS4R8hQxXfV-_DO71x0CU0YSnxpclCnV0DGX6TdNmr32ongewk\/s1600\/macos.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,57],"class_list":["post-263963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/263963"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=263963"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/263963\/revisions"}],"predecessor-version":[{"id":263965,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/p
osts\/263963\/revisions\/263965"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/263964"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=263963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=263963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=263963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}