Cybersecurity researchers at Palo Alto Networks’ Unit 42 have reported a large-scale malvertising campaign, tracked as Operation FlutterBridge, that has been running since late 2025. The operators use fake Google search ads to lure Mac owners into downloading malware.
According to Unit 42’s investigation, the attackers first set up fake companies so they can buy ads from verified advertiser accounts, which helps them pass Google’s ad-safety checks. When users search for common tools, these ads appear in the results and lead to downloads that look like podcast players or PDF viewers but carry a malicious program named FlutterShell.
Behind this campaign is a cybercrime network tracked as CL-CRI-1089, which the research shows has been active since at least 2023. The group previously used malvertising to target Windows users with fake programs called RecipeLister and Calendaromatic.
From August 2025, however, the network shifted to Apple systems with a campaign known as JSCoreRunner, also called FileRipple. By late 2025 it had moved on to the more capable FlutterShell. In the latest activity, researchers observed three distinct versions between late 2025 and February 2026:
To study how the app worked, Unit 42 used blutter, an open-source tool for reverse-engineering Flutter applications. Flutter compiles Dart code ahead of time into a native snapshot that carries no readable symbols; blutter recovers the Dart class and function structure from that snapshot so analysts can follow the app’s logic.
FlutterShell is essentially a thin native wrapper around a web view that fetches its real logic, JavaScript, from attacker-controlled servers at run time. Because the behaviour lives on the server rather than in the app bundle, the attackers can change what the software does at any moment without updating the app, which also means the downloaded bundle itself can look benign.
At this stage, the attackers use that access to hijack the victim’s browser. FlutterShell edits Google Chrome’s Secure Preferences file so that every new tab and search is routed through an ad-filled site, sinterfumesco.com. To make the change take effect it terminates the running Chrome process with the killall command and then relaunches Chrome with launch settings that suppress the warnings Chrome would otherwise display about modified preferences.
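The tampering described above is cheap to check for on a suspect Mac. The script below is an added example, not Unit 42’s or the campaign’s code: it parses a Chrome Secure Preferences JSON document and reports any startup URL, homepage or default-search template that points at a host outside an allowlist. The JSON key paths are the ones Chrome uses in its Preferences/Secure Preferences files as I know them (an assumption to verify against your Chrome version), the profile path is the default macOS location, and the sample documents are constructed for the demonstration, using the redirect domain named in the report.

```python
"""
Audit a Chrome "Secure Preferences" file for redirected startup pages,
homepage and default search provider.

Added example, not code from the report or the malware.  Key paths are
Chrome's as I know them (assumption); sample data is constructed.
"""
import json
import os
from urllib.parse import urlparse

# Default Chrome profile location on macOS (assumption: standard install).
DEFAULT_SECURE_PREFS = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Secure Preferences"
)

# Hosts a legitimate profile is expected to point at; extend for your estate.
KNOWN_GOOD_DOMAINS = {"google.com", "www.google.com", "duckduckgo.com", "www.bing.com"}

# Chrome's session.restore_on_startup value meaning "open a specific set of pages".
RESTORE_SPECIFIC_URLS = 4


def _host(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _suspicious(url):
    """True if the URL has a host and that host is not allowlisted."""
    host = _host(url)
    return host != "" and host not in KNOWN_GOOD_DOMAINS


def audit_secure_prefs(prefs):
    """Return (setting, value) pairs whose URL points at an unexpected host.

    `prefs` is the parsed JSON dict of a Secure Preferences file.
    """
    findings = []

    # 1. Startup pages: only honoured when restore_on_startup == 4.
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == RESTORE_SPECIFIC_URLS:
        for url in session.get("startup_urls", []):
            if _suspicious(url):
                findings.append(("session.startup_urls", url))

    # 2. Homepage override (reported regardless of homepage_is_newtabpage,
    #    since a hijacker may flip that flag as well).
    homepage = prefs.get("homepage")
    if homepage and _suspicious(homepage):
        findings.append(("homepage", homepage))

    # 3. Default search provider: every omnibox search goes through these templates.
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("url", "suggestions_url", "new_tab_url"):
        value = tmpl.get(key)
        if value and _suspicious(value):
            findings.append((f"default_search_provider_data.template_url_data.{key}", value))

    return findings


def audit_file(path=DEFAULT_SECURE_PREFS):
    """Load a Secure Preferences file from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_secure_prefs(json.load(fh))


# Constructed sample: a profile rewritten to route startup page, homepage and
# searches through the redirect domain named in the report.
SAMPLE_TAMPERED = json.loads("""
{
  "homepage": "https://sinterfumesco.com/",
  "homepage_is_newtabpage": false,
  "session": {"restore_on_startup": 4,
              "startup_urls": ["https://sinterfumesco.com/"]},
  "default_search_provider_data": {
    "template_url_data": {
      "keyword": "google.com",
      "short_name": "Google",
      "url": "https://sinterfumesco.com/search?q={searchTerms}",
      "suggestions_url": "https://www.google.com/complete/search?q={searchTerms}"
    }
  }
}
""")

# Constructed sample: an untouched profile.
SAMPLE_CLEAN = json.loads("""
{
  "homepage_is_newtabpage": true,
  "session": {"restore_on_startup": 1},
  "default_search_provider_data": {
    "template_url_data": {"url": "https://www.google.com/search?q={searchTerms}"}
  }
}
""")

if __name__ == "__main__":
    for setting, value in audit_secure_prefs(SAMPLE_TAMPERED):
        print(f"TAMPERED {setting} -> {value}")
```

Run `audit_file()` against the live profile to check a real machine. A clean hit list is not proof of a clean host: the report says the malware also restarts Chrome with settings that suppress its own preference-integrity warning, so pair this check with the file’s modification time and the arguments Chrome was launched with.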
The browser hijack is only the visible part; the program is really a backdoor. Researchers noted three main capabilities: arbitrary command execution, file system interaction, and environment variable exfiltration. In practice that means it can run any command on the machine, read and steal files, and send the process environment, which can hold API keys, proxy settings and other sensitive values, to the operators.
Versions 2 and 3 even offer a fake AI tool that summarises documents. When a user uploads a file, the app sends the entire document to the scammers’ servers before doing anything else. Researchers also assess that the malware is still under development.
“We identified several versions of FlutterShell that did not yet contain malicious code. Additionally, an examination of the JavaScript logic hosted on the attackers’ infrastructure revealed multiple unfinished functions. These findings, combined with the frequent appearance of new variants, indicate that the malware is likely under active development,” the blog post reads.
To spread the Mac version, the scammers used fake UK- and Ukraine-based companies such as AdsParkPro LTD and Advantage Web Marketing LLC. These shell businesses had no real operating history but still managed to buy hundreds of Google and YouTube ads.
Researchers further noted that the network had used another shell company, SOFT WE ART LIMITED, for its earlier Windows attacks. Apple’s automated checks did not catch the apps at first because they were signed with legitimate developer certificates.
Google has since closed the advertiser accounts involved and said in response to the findings: “Malware has no place on our platforms, and we’ve suspended these advertiser accounts for violating our policies.”
Researchers caution, however, that the operators move quickly, often relaunching new versions under different company names just weeks later.
“The coordination of multiple shell entities, and the rapid development and delivery of new FlutterShell variants, indicates that this campaign is far from over,” researchers concluded.