FlutterShell macOS Backdoor Abuses Flutter Framework and WKWebView for Stealthy Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly analyzed macOS backdoor called FlutterShell has been quietly targeting Mac users by disguising itself as legitimate productivity apps.

It abuses Google’s Flutter app development framework to blend in with real software, making it far harder to detect using traditional security tools.

The malware was active between December 2025 and March 2026, with researchers tracking three distinct generations of the threat.

The campaign, tracked under the name Operation FlutterBridge and the cluster identifier CL-CRI-1089, spread through malicious Google and YouTube advertisements.

The ads targeted users searching for terms like “podcast app for Mac” or “free PDF converter,” redirecting them to fake sites hosting digitally signed app bundles.

Since the apps carried valid Apple Developer certificates at distribution time, macOS Gatekeeper passed them without raising any warning.

Analysts at LevelBlue, in a report shared with Cyber Security News (CSN), conducted an in-depth static analysis of ten Mach-O binary samples collected across all three generations.

Rather than re-examining the broader campaign, the team focused on what those binaries revealed about the malware’s design, its evolution, and how defenders can reliably detect it as the actor rotates its infrastructure.

At its core, FlutterShell splits its work across two components: a small stub launcher that initializes the Flutter runtime, and a large payload library containing the actual Dart code and attack logic.

The payload library weighs around 10 MB and carries the full Flutter framework alongside custom commands. This structure helps the malware pass basic inspection because the launcher looks nearly identical to any legitimate Flutter application.

What makes FlutterShell especially difficult to catch in automated sandboxes is its C2-conditional design. The malware only activates when it receives live instructions from an attacker-controlled server.

In every sandbox test, the binary launched cleanly, displayed a working app interface, and then produced no activity at all. Without a live server to respond, the malware sits idle and appears completely harmless.

FlutterShell macOS Backdoor Abuses Flutter Framework and WKWebView

The most notable aspect of FlutterShell is how it receives commands from its operators.

Rather than hardcoding instructions in the binary, the malware opens a hidden WKWebView window and loads a page from an attacker-controlled domain.

That page then delivers JavaScript to the app, which passes commands through a named message channel called flutterInvoke.

This design means operators can update what the malware does at any time by simply changing their server content, without touching the binary.

The bridge command was named exec_sync in the first generation, renamed pdf_sync in the second, and became renderPDF in the third, camouflaging activity as normal behavior from a PDF application.

Any detection rule tied to a specific command name will break the moment the actor pushes a server-side update.

Cross-Generation Evasion and Persistence Tactics

What stands out across all three generations is how deliberately the actor rotated its identity. Apple revoked the first developer certificate on December 31, 2025, and a new generation appeared twelve days later with a fresh one.

A second revocation followed on January 31, 2026, and a third generation arrived in March using a self-signed certificate, trading Gatekeeper clearance for independence from Apple’s certificate authority.

Once connected to a live server, FlutterShell is assessed to perform hardware fingerprinting by running a system command that harvests the Mac’s unique hardware identifier.

It then modifies Chrome’s settings to silently swap the default search engine for an attacker-controlled domain, kills Chrome, and relaunches it with flags that hide any crash warning from the user.

Persistence is achieved by staging a replacement bundle in a local cache folder through the Sparkle update mechanism and quietly installing it.

The LevelBlue team recommends prioritizing behavioral endpoint detection over static signatures, since Generation 3 evaded most pattern-based tools after certificate rotation and Dart symbol obfuscation.

Monitoring for non-browser processes making outbound HTTPS connections to unknown domains, unusual child processes harvesting hardware identifiers, and unexpected writes to Chrome’s profile directory are the most reliable detection signals available.
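To make those signals concrete, here is an added detection example written for this article (it is not LevelBlue's code and not part of the original report). It runs the three behavioural checks from the paragraph above over a few constructed EDR-style JSON events, and adds an on-host check of Chrome's default search provider for the hijack described earlier. The event schema, the browser and known-domain allowlists, the treatment of `ioreg` and `system_profiler` as hardware-identifier harvesting commands, and the `default_search_provider_data` key layout in Chrome's `Preferences` file are assumptions; the only values taken from the article are the C2 and search-hijack domains.

```python
"""Behavioural detection for the FlutterShell signals described in the
article. Added example: assumed event schema, not real EDR output."""
import json
from urllib.parse import urlsplit

# Processes expected to talk HTTPS to arbitrary hosts (assumption: tune per fleet).
BROWSER_PROCESSES = {"Google Chrome", "Google Chrome Helper", "Safari", "firefox"}
# Destinations the organisation already trusts (assumption: feed from proxy logs).
KNOWN_DOMAINS = {"apple.com", "google.com", "icloud.com"}
# C2 and search-hijack domains from the article's IoC table.
IOC_DOMAINS = {"atsheisdomestic.org", "etoftheappyrince.org",
               "healightejustb.org", "sinterfumesco.com"}
# The article does not name the hardware-ID command FlutterShell runs; these
# are the usual macOS ways to read the platform UUID/serial (assumption).
HW_ID_COMMANDS = {"ioreg", "system_profiler"}
HW_ID_MARKERS = ("IOPlatformExpertDevice", "IOPlatformUUID",
                 "IOPlatformSerialNumber", "SPHardwareDataType")
CHROME_PROFILE_FRAGMENT = "/Library/Application Support/Google/Chrome/"
# Search engines a user may legitimately have set (assumption).
ALLOWED_SEARCH_ENGINES = {"google.com", "bing.com", "duckduckgo.com"}


def host_matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_event(ev):
    """Return a list of alert strings for one event (empty if benign)."""
    alerts = []
    kind, proc = ev.get("type"), ev.get("process", "")
    if kind == "network":
        host = ev.get("dest_host", "")
        if host_matches(host, IOC_DOMAINS):
            alerts.append(f"ioc_domain: {proc} -> {host}")
        # Signal 1: a non-browser process opening HTTPS to an unknown domain.
        if (ev.get("dest_port") == 443 and proc not in BROWSER_PROCESSES
                and not host_matches(host, KNOWN_DOMAINS)):
            alerts.append(f"unknown_https: non-browser {proc} -> {host}")
    elif kind == "process":
        # Signal 2: a child process reading the hardware identifier.
        cmd = ev.get("cmdline", "")
        argv0 = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if argv0 in HW_ID_COMMANDS and any(m in cmd for m in HW_ID_MARKERS):
            alerts.append(f"hw_fingerprint: '{cmd}' spawned by {ev.get('parent', '?')}")
    elif kind == "file":
        # Signal 3: something other than Chrome writing into Chrome's profile.
        path = ev.get("path", "")
        if (ev.get("op") == "write" and CHROME_PROFILE_FRAGMENT in path
                and proc not in BROWSER_PROCESSES):
            alerts.append(f"chrome_profile_write: {proc} wrote {path}")
    return alerts


def analyze_events(lines):
    """Parse JSON-lines telemetry and return only the events that alerted."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        alerts = analyze_event(ev)
        if alerts:
            findings.append({"event": ev, "alerts": alerts})
    return findings


def check_default_search(prefs):
    """Return the search-provider host if it is not an allowed engine, else None.
    Key layout of Chrome's Preferences JSON is an assumption."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    host = urlsplit(data.get("url", "")).hostname or ""
    if not host or host_matches(host, ALLOWED_SEARCH_ENGINES):
        return None
    return host


# Constructed sample telemetry: three malicious-looking events, two benign ones.
SAMPLE_EVENTS = """
{"type":"network","process":"PodcastsLounge","dest_host":"atsheisdomestic.org","dest_port":443}
{"type":"process","process":"sh","parent":"PodcastsLounge","cmdline":"ioreg -rd1 -c IOPlatformExpertDevice"}
{"type":"file","process":"PodcastsLounge","op":"write","path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Preferences"}
{"type":"network","process":"Google Chrome","dest_host":"www.google.com","dest_port":443}
{"type":"file","process":"Google Chrome","op":"write","path":"/Users/alice/Library/Application Support/Google/Chrome/Default/Preferences"}
"""
# Constructed Preferences fragment showing a hijacked default search engine.
SAMPLE_CHROME_PREFS = {"default_search_provider_data": {"template_url_data": {
    "keyword": "search", "url": "https://sinterfumesco.com/search?q={searchTerms}"}}}

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS.splitlines()):
        for a in f["alerts"]:
            print(a)
    print("hijacked search host:", check_default_search(SAMPLE_CHROME_PREFS))
```

The rules key on behaviour (who connects, who spawns, who writes) rather than on the bridge command names, which the article notes the actor renames with every generation; the IoC domain match is kept as a separate, lower-confidence signal because those domains rotate too.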

Indicators of Compromise (IoCs)

Type           | Indicator                                                        | Description
---------------|------------------------------------------------------------------|------------------------------------------------
Network Domain | atsheisdomestic[.]org                                            | Gen 1 C2 domain
Network Domain | etoftheappyrince[.]org                                           | Gen 2 C2 domain
Network Domain | healightejustb[.]org                                             | Gen 3 C2 domain
Network Domain | sinterfumesco[.]com                                              | Chrome search hijack target
SHA-256        | 363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34 | Stub Gen 0
SHA-256        | 6c3f61d46d4de26b9cb16808bf17c33ae69f651a4b879e7b5612ff7f548e2a82 | Stub Gen 1 x86
SHA-256        | fc091ddb4d845280aeb7745cfdb6b7cb0013abc35db9e634f055b8e8fb0b5b1e | Stub Gen 1 arm64
SHA-256        | 134517796178a150a1585672be134169d6877082b598d840baa3f37b0222be26 | Dylib Gen 1 x86
SHA-256        | cc4f048e66c5ab3c0f1d767bb8fc464d082641f4888ea3cd14ea3775077c4bf2 | Dylib Gen 1 arm64
SHA-256        | bf90fb31e6024d7e6616f5acd0e8aa28738a9095a508c1a986e1e974cb9e79a0 | Dylib Gen 2 x86
SHA-256        | 32da1437a2734224406c7e5e8d756f0c0cd58c0c959478571cbfc0cd564d018a | Dylib Gen 2 arm64
SHA-256        | 2c5bc9e95e1e9b73e3ba8870a008802899866a2c0e2e10112aefddf7a96af04e | Dylib Gen 3 x86
SHA-256        | f544bfab72d380cc20692d8ec9d31ea666785fe225dccd55beab29a3c0fdfad2 | Dylib Gen 3 arm64
Team ID        | UBZDAAV97Y                                                       | Revoked Apple Developer certificate, Gen 0–1
Team ID        | FW9NHQ8922                                                       | Revoked Apple Developer certificate, Gen 2
Team ID        | B73CHZ24Y8                                                       | External attribution, Gen 3
Bundle ID      | com.app.podcastsLounge                                           | Gen 1 masquerade app identity
Bundle ID      | com.app.pdfBrain                                                 | Gen 2 masquerade app identity
Bundle ID      | com.pdfninja.app                                                 | Gen 3 masquerade app identity

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
