Date: 06/03/2026
Severity: High
Summary
Operation FlutterBridge is a large-scale malvertising campaign targeting macOS users through malicious Google advertisements that distribute FlutterShell, a Flutter-based malware with both adware and backdoor capabilities. The malware enables remote command execution, file manipulation, and in some variants, abuses AI-powered document summarization features to facilitate data exfiltration. Operated by financially motivated threat actors, the campaign uses numerous Google-verified ads and shell companies to reach a global audience while continuously evolving its malware capabilities.
Indicators of Compromise (IOC) List
Domains/URLs:
https://atsheisdomestic.org/update-thanks.html
https://etoftheappyrince.org/update-delay
https://healightejustb.org/checkupdateTO.js
atsheisdomestic.org
etoftheappyrince.org
healightejustb.org
sinterfumesco.com
ads-parkpro.com
adsparkpro.top
adsparkpro.net
softwe.art

SHA-256 hashes:
021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845
363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34
8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109
644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70
9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47
b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea
9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de
30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530
48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators; every indicator is checked against the domainname, url and siteurl fields, the original query omitted two of the three fields for healightejustb.org and ads-parkpro.com):
domainname like "softwe.art" or url like "softwe.art" or siteurl like "softwe.art"
or domainname like "sinterfumesco.com" or url like "sinterfumesco.com" or siteurl like "sinterfumesco.com"
or domainname like "atsheisdomestic.org" or url like "atsheisdomestic.org" or siteurl like "atsheisdomestic.org"
or domainname like "etoftheappyrince.org" or url like "etoftheappyrince.org" or siteurl like "etoftheappyrince.org"
or domainname like "healightejustb.org" or url like "healightejustb.org" or siteurl like "healightejustb.org"
or domainname like "ads-parkpro.com" or url like "ads-parkpro.com" or siteurl like "ads-parkpro.com"
or domainname like "adsparkpro.top" or url like "adsparkpro.top" or siteurl like "adsparkpro.top"
or domainname like "adsparkpro.net" or url like "adsparkpro.net" or siteurl like "adsparkpro.net"
or domainname like "https://atsheisdomestic.org/update-thanks.html" or url like "https://atsheisdomestic.org/update-thanks.html" or siteurl like "https://atsheisdomestic.org/update-thanks.html"
or domainname like "https://etoftheappyrince.org/update-delay" or url like "https://etoftheappyrince.org/update-delay" or siteurl like "https://etoftheappyrince.org/update-delay"
or domainname like "https://healightejustb.org/checkupdateTO.js" or url like "https://healightejustb.org/checkupdateTO.js" or siteurl like "https://healightejustb.org/checkupdateTO.js"
Detection Query 2 (file hash indicators):
sha256hash IN (
"021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845",
"8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109",
"363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34",
"644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70",
"9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47",
"b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea",
"9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de",
"30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530",
"48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745"
)
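The two queries above are written for the Gurucul TDIR query language. As an added example that is not Gurucul's or Unit 42's code, the script below applies the same indicators to a handful of constructed log records in plain Python, the way an analyst might triage an export from a proxy, DNS or EDR source. It differs from Query 1 in one deliberate way: it matches hostnames on a label boundary (the indicator domain itself or a subdomain of it), so a host such as notadsparkpro.net does not fire, which a substring-style `like` match on "adsparkpro.net" would. Hashes are lowercased before comparison because some sources emit upper-case digests. The field names (domainname, url, siteurl, sha256hash) are taken from the queries; the log records and the helper names are assumptions made for the example.

```python
"""Offline matcher for the Operation FlutterBridge IOCs listed above.

Added example, not code from Gurucul or Unit 42. Indicators are copied from
the IOC list; the log records below are constructed for illustration.
"""
from urllib.parse import urlparse

# Full-URL indicators from the IOC list.
IOC_URLS = [
    "https://atsheisdomestic.org/update-thanks.html",
    "https://etoftheappyrince.org/update-delay",
    "https://healightejustb.org/checkupdateTO.js",
]

# Domain indicators from the IOC list.
IOC_DOMAINS = [
    "atsheisdomestic.org", "etoftheappyrince.org", "healightejustb.org",
    "sinterfumesco.com", "ads-parkpro.com", "adsparkpro.top",
    "adsparkpro.net", "softwe.art",
]

# SHA-256 indicators from the IOC list (stored lowercase for comparison).
IOC_SHA256 = {
    "021666417de8b9972c179783fe60d4c4ad2d93224e3a0f16137065c960b1b845",
    "363923500ce942bf1a953e8a4e943fbf1fb1b5ed6e5d247964c345b3ad5bfc34",
    "8421c902364980e3d762ec6dbbe6b0f40577c27bd79b48c57d098328b2533109",
    "644fc49fa1006a2a2acace694e5fb83753164e2617051ece6d9dc9ea32329e70",
    "9053e8ddaecca1f960c041c944ca8799fc71dc86a4b50d2639ee4e0d2cb82f47",
    "b60074d1ea2008a581f432f2dee5f84f78668d9dd8e66f75d03c42dabd89bdea",
    "9425e8e39fa8a7212cdd07f0917cb3dfde38a90b87297de2c82a5850aff1e4de",
    "30448686ec900d5213d74f08f0d2b7924c5336a29445b2a434aba8d8b19d7530",
    "48047c34bbd57fe1e24bc538bc2ce9e0ac4c4eb48d3b0c195b414f0379dc0745",
}

# Field names used by the detection queries on this page.
HOST_FIELDS = ("domainname", "url", "siteurl")


def _parse(value):
    """urlparse() a URL or bare host; bare hosts get a '//' so they land in netloc."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v
    return urlparse(v)


def host_of(value):
    """Lowercase hostname of a URL or bare host, without port or trailing dot."""
    return (_parse(value).hostname or "").rstrip(".")


def host_matches(host, ioc_domain):
    """True when host is the IOC domain itself or a subdomain of it.

    The '.' prefix enforces a label boundary, so notadsparkpro.net does not
    match adsparkpro.net even though it ends with the same characters.
    """
    return host == ioc_domain or host.endswith("." + ioc_domain)


def url_matches(value, ioc_url):
    """Scheme-agnostic comparison of host and path against a full-URL IOC."""
    a, b = _parse(value), _parse(ioc_url)
    return a.hostname == b.hostname and a.path == b.path


def match_record(rec):
    """Return [(field, kind, indicator), ...] for one log record (a dict)."""
    hits = []
    for field in HOST_FIELDS:
        value = rec.get(field)
        if not value:
            continue
        host = host_of(value)
        hits += [(field, "domain", d) for d in IOC_DOMAINS if host_matches(host, d)]
        hits += [(field, "url", u) for u in IOC_URLS if url_matches(value, u)]
    digest = (rec.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(("sha256hash", "sha256", digest))
    return hits


def scan(records):
    """Index and matches for every record that hit at least one indicator."""
    return [(i, match_record(r)) for i, r in enumerate(records) if match_record(r)]


# Constructed sample records; only 0, 1 and 3 should match.
SAMPLE_LOGS = [
    {"src": "proxy", "url": "https://atsheisdomestic.org/update-thanks.html"},
    {"src": "dns", "domainname": "cdn.adsparkpro.net"},
    {"src": "proxy", "siteurl": "https://notadsparkpro.net/index.html"},
    {"src": "edr", "sha256hash": "021666417DE8B9972C179783FE60D4C4AD2D93224E3A0F16137065C960B1B845"},
    {"src": "edr", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, SAMPLE_LOGS[idx]["src"], hits)
```

Record 2 is the one to watch: it is a near-miss host that a plain substring match on "adsparkpro.net" would report, and the label-boundary check keeps it out of the results. If the TDIR `like` operator in your deployment is a substring match, consider the same boundary logic when tuning Query 1 against high-volume proxy data.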
Reference:
https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/