
Operation FlutterBridge macOS Malvertising Campaign Spreads ... #2314

Open

carlospolop wants to merge 1 commit into master from update_Operation_FlutterBridge__macOS_Malvertising_Campai_20260602_102907

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/
  • Blog Title: Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
  • Suggested Section: macOS Security & Privilege Escalation -> macOS Apps - Inspecting, debugging and Fuzzing / macOS Process Abuse; also consider adding notes under macOS Files, Folders, Binaries & Memory -> macOS Installers Abuse for Sparkle updater abuse, and Reversing Tools & Basic Methods for Flutter/Dart reverse engineering with blutter

🎯 Content Summary

Overview

Unit 42 analyzes Operation FlutterBridge, a macOS malvertising campaign attributed to CL-CRI-1089, a financially motivated cybercrime cluster active since at least 2023. The campaign is described as the next stage of the earlier JSCoreRunner/FileRipple macOS activity first identified in August 2025. The new payload is named FlutterShell: a macOS malware/backdoor family built with Flutter/Dart and delivered as trojanized but functional deskto...

🔧 Technical Details

Dynamic WebView backdoor with a JavaScript-to-native bridge: A signed native application can hide malicious behavior by loading attacker-controlled web content in a WebView and exposing a native bridge such as flutterInvoke. Remote JavaScript sends JSON commands into the native layer, which maps them to local functions such as command execution, file read/write, directory enumeration and environment-variable collection. This separates malicious logic from the binary, making static analysis less effective and allowing attackers to change behavior at /getConfig, /getUpdateThanksConfig or similar endpoints without shipping a new binary.

Delayed payload activation for sandbox evasion: Malware can avoid short-lived sandboxes by asking C2 for a delay before loading the malicious WebView. FlutterShell requests [attacker_domain]/api/update-delay, defaults to 600 seconds if unreachable, defaults to 120...

🤖 Agent Actions

Done.

Updated:

  • src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md

Added:

  • macOS-specific Flutter/Dart triage for WebView-to-native bridge abuse
  • hunting tips for remote config endpoints and fake-benign command names
  • Sparkle silent update abuse triage
  • Chrome Secure Preferences hijack indicators from decoy apps
  • references to the Unit 42 post, blutter, and Sparkle

Validation:

  • Diff reviewed successfully
  • mdbook build could not be executed because mdbook is not installed in this environment (/bin/bash: mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
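The Technical Details above describe two static indicators worth hunting for in a suspect Flutter app bundle: the JS-to-native bridge name (flutterInvoke) and the remote config and delay endpoints (/getConfig, /getUpdateThanksConfig, /api/update-delay). The following triage script is an added example, not code from the Unit 42 post or from the HackTricks repository. It runs a cheap `strings`-style pass over the main executable and the Dart AOT code in App.framework and groups the matches; the only indicators taken from the post are the bridge name and the three endpoint paths, while the capability hints (NSTask, NSFileManager, NSProcessInfo, getenv) and the bundle sub-paths are my own assumptions about what a macOS command bridge typically links against and where Flutter places Dart code. The sample blob at the bottom is constructed so the script can be exercised offline.

```python
#!/usr/bin/env python3
"""Triage a macOS .app bundle for FlutterShell-style WebView-bridge indicators.

Added example: extracts printable strings from the bundle's native code and
flags the bridge name and remote-config endpoints named in the Unit 42 post.
"""
from __future__ import annotations

import json
import os
import re
import sys

# Indicators named in the write-up.
BRIDGE_NAMES = (b"flutterInvoke",)
CONFIG_ENDPOINTS = (b"/getConfig", b"/getUpdateThanksConfig", b"/api/update-delay")
# Assumption (not from the post): APIs a JS-to-native command bridge on macOS
# would plausibly use for exec / file I/O / environment collection.
CAPABILITY_HINTS = (b"NSTask", b"NSFileManager", b"NSProcessInfo", b"getenv")
# Assumption: where Flutter places the main binary and the Dart AOT snapshot.
BUNDLE_SUBPATHS = ("Contents/MacOS", "Contents/Frameworks/App.framework")

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs of 6+ chars


def extract_strings(blob: bytes) -> list[bytes]:
    """Cheap `strings`-style extraction; Dart AOT snapshots keep literals intact."""
    return STRING_RE.findall(blob)


def scan_blob(blob: bytes) -> dict[str, list[str]]:
    """Return matched strings grouped by indicator category, sorted and deduplicated."""
    hits: dict[str, set[str]] = {"bridge": set(), "config_endpoints": set(), "capabilities": set()}
    for s in extract_strings(blob):
        if any(ind in s for ind in BRIDGE_NAMES):
            hits["bridge"].add(s.decode())
        if any(ind in s for ind in CONFIG_ENDPOINTS):
            hits["config_endpoints"].add(s.decode())
        if any(ind in s for ind in CAPABILITY_HINTS):
            hits["capabilities"].add(s.decode())
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits: dict[str, list[str]]) -> str:
    """Bridge name plus a remote-config endpoint together is the strong signal.
    Either alone only merits a look: legitimate Flutter apps also embed
    WebViews and fetch configuration over HTTPS."""
    if hits["bridge"] and hits["config_endpoints"]:
        return "HIGH"
    if hits["bridge"] or hits["config_endpoints"]:
        return "MEDIUM"
    return "LOW"


def scan_bundle(app_path: str) -> dict[str, dict]:
    """Scan every file under the assumed code locations of a .app bundle."""
    results: dict[str, dict] = {}
    for sub in BUNDLE_SUBPATHS:
        for dirpath, _, files in os.walk(os.path.join(app_path, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        hits = scan_blob(fh.read())
                except OSError:
                    continue
                if any(hits.values()):
                    results[path] = {"hits": hits, "verdict": verdict(hits)}
    return results


# Constructed stand-in for a Dart AOT snapshot; not a real artifact.
SAMPLE_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"flutterInvoke\x00"
    + b"https://updates.example.invalid/api/update-delay\x00"
    + b"/getUpdateThanksConfig\x00"
    + b"NSTask\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(scan_bundle(sys.argv[1]), indent=2))
    else:
        found = scan_blob(SAMPLE_BLOB)
        print(json.dumps({"hits": found, "verdict": verdict(found)}, indent=2))
```

Run it as `python3 triage.py /Applications/Suspect.app` to scan a real bundle, or with no argument to see the constructed sample scored HIGH. Because the malicious logic lives in remote JavaScript rather than the binary, a clean result from this pass does not clear the app; it only tells you whether the native side carries the bridge and endpoint strings worth pivoting on with blutter or a proxy.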

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/

Content Categories: Based on the analysis, this content was categorized under "macOS Security & Privilege Escalation -> macOS Apps - Inspecting, debugging and Fuzzing / macOS Process Abuse; also consider adding notes under macOS Files, Folders, Binaries & Memory -> macOS Installers Abuse for Sparkle updater abuse, and Reversing Tools & Basic Methods for Flutter/Dart reverse engineering with blutter".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
