CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
Campaign
Summary
Hide ▲
Show ▼
A macOS malvertising campaign is delivering FlutterShell through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across the U.S., Canada, Australia, France, and Germany. The operation is tracked as CL-CRI-1089 and Operation FlutterBridge, and it has been active since at least 2023. Recent detections as of March 2026 show the activity remains ongoing and adaptive. The payload can execute shell commands, manipulate files, steal browser session data, and redirect traffic through attacker-controlled infrastructure.
Related Happenings
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityAbout this happening: TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT*...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A JINX-0164 campaign is targeting cryptocurrency firms and developers with LinkedIn recruiter lures, a fake meeting-and-fix workflow, and macOS malware to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A JINX-0164 campaign is targeting cryptocurrency firms and developers with LinkedIn recruiter lures, a fake meeting-and-fix workflow, and macOS malware to steal cr...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The SHub Reaper macOS infostealer now uses AppleScript and a fake Apple security update lure to infect Macs, raising the risk of credential theft and remote access. It...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical Analysis
H score22
First: 24.04.2026 14:48
Last: 24.04.2026 14:48
Sources 1
About this happening:
MiningDropper (BeatBanker) now stands out as a layered modular Android malware framework that can reuse one delivery chain across hundreds of samples, making static...
MiningDropper (BeatBanker) modular Android payload framework with encrypted staging
Technical AnalysisAbout this happening: MiningDropper (BeatBanker) now stands out as a layered modular Android malware framework that can reuse one delivery chain across hundreds of samples, making static...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score29
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The Venom Stealer malware-as-a-service platform has been identified as a credential-theft threat that keeps exfiltrating data after infection, extending the window for...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware ActivityAbout this happening: The Venom Stealer malware-as-a-service platform has been identified as a credential-theft threat that keeps exfiltrating data after infection, extending the window for...
Timeline
-
04.06.2026 14:19 2 articles · 1mo ago
Initial report: CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
Initial DisclosureThe early phase centered on malicious Google and YouTube ads that lured macOS users into installing trojanized desktop applications. That delivery path later expanded into FlutterShell, a backdoor with browser-hijacking and file-access capabilities.
Show sources
- FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads — thehackernews.com — 04.06.2026 14:19
- FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads — thehackernews.com — 04.06.2026 14:19