Find notable cyber news and cases, enriched with sources, timelines, and signals.

CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

A macOS malvertising campaign is delivering FlutterShell through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across the U.S., Canada, Australia, France, and Germany. The operation is tracked as CL-CRI-1089 and Operation FlutterBridge, and it has been active since at least 2023. Recent detections as of March 2026 show the activity remains ongoing and adaptive. The payload can execute shell commands, manipulate files, steal browser session data, and redirect traffic through attacker-controlled infrastructure.

Related Happenings

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score33 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT*...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A JINX-0164 campaign is targeting cryptocurrency firms and developers with LinkedIn recruiter lures, a fake meeting-and-fix workflow, and macOS malware to steal cr...

SHub Reaper macOS infostealer variant

Malware Activity
H score23 First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
H score22 First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: MiningDropper (BeatBanker) now stands out as a layered modular Android malware framework that can reuse one delivery chain across hundreds of samples, making static...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
H score29 First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The Venom Stealer malware-as-a-service platform has been identified as a credential-theft threat that keeps exfiltrating data after infection, extending the window for...

Timeline

  1. 04.06.2026 14:19 2 articles · 1mo ago

    Initial report: CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign

    Initial Disclosure

    The early phase centered on malicious Google and YouTube ads that lured macOS users into installing trojanized desktop applications. That delivery path later expanded into FlutterShell, a backdoor with browser-hijacking and file-access capabilities.

    Show sources