Cybersecurity researchers have shed light on a macOS malvertising campaign codenamed Operation FlutterBridge that spreads a new backdoor called FlutterShell.

According to Palo Alto Networks Unit 42, the campaign is said to be the next stage of a previously reported activity cluster dubbed JSCoreRunner (aka FileRipple) in late August 2025. The cybercrime group behind the two attack chains is being tracked under the moniker CL-CRI-1089. The attackers are assessed to be active since at least 2023.

“Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications,” Unit 42 said. “In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation.”