CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign

Campaign
Happening score (H score): 33
1 unique source, 1 article

Summary

A macOS malvertising campaign is delivering FlutterShell through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across the U.S., Canada, Australia, France, and Germany. The operation is tracked as CL-CRI-1089 and Operation FlutterBridge, and it has been active since at least 2023. Recent detections as of March 2026 show the activity remains ongoing and adaptive. The payload can execute shell commands, manipulate files, steal browser session data, and redirect traffic through attacker-controlled infrastructure.

Related Happenings

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Timeline

  1. 04.06.2026 14:19 · 2 articles

    Initial report: CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign

    Initial Disclosure

    The early phase centered on **malicious Google and YouTube ads** that lured macOS users into installing trojanized desktop applications. That delivery path later expanded into **FlutterShell**, a backdoor with browser-hijacking and file-access capabilities.
