FlutterShell macOS backdoor spreads via Google and YouTube ads from verified shell companies - CL-CRI-1089 / TamperedChef adware-to-backdoor

Palo Alto Networks Unit 42 has documented FlutterShell, a Flutter-built macOS backdoor distributed through malicious Google and YouTube ads served by a network of Google-verified shell companies. It is the latest stage of the CL-CRI-1089 cluster and part of the broader TamperedChef / EvilAI campaigns that push trojanized productivity software. The ads lure macOS users in the US, Canada, Australia, France, and Germany into installing fake desktop apps. Beyond adware, FlutterShell supports arbitrary shell-command execution, file-system manipulation, and environment-variable exfiltration, and on launch modifies Chrome config files to force browser traffic through an attacker-controlled intermediary. Activity was seen as recently as March 2026.

Check
Warn macOS users that Google/YouTube ads for productivity apps may be malicious. Hunt for Flutter-built apps that modify Chrome config files. Apply Unit 42 IoCs.
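One way to act on the hunt advice above, as an added example written for this summary (it is not Unit 42's tooling and not a FlutterShell artifact): enumerate Flutter-built app bundles on a Mac and flag explicit proxy settings in a Chrome profile. It assumes that Flutter desktop apps embed `Contents/Frameworks/FlutterMacOS.framework` and that Chrome keeps per-profile settings in a JSON `Preferences` file whose top-level `proxy` dictionary (`mode`, `server`, `pac_url`, `bypass_list`) describes an explicit proxy; the advisory does not say which Chrome files FlutterShell edits, so the Chrome check is deliberately generic and the sample preferences below are constructed.

```python
"""Hunt helper for the FlutterShell advisory (added example, not Unit 42 code).

Assumptions (not taken from the advisory):
  * Flutter macOS apps ship Contents/Frameworks/FlutterMacOS.framework.
  * Chrome's per-profile "Preferences" JSON carries a top-level "proxy" dict
    when an explicit proxy has been configured; modes "system", "direct" and
    "auto_detect" are ordinary, "fixed_servers" and "pac_script" are not for a
    typical home user.
"""
import json
from pathlib import Path

FLUTTER_MARKER = Path("Contents/Frameworks/FlutterMacOS.framework")
ORDINARY_PROXY_MODES = ("system", "direct", "auto_detect")


def is_flutter_bundle(app_path):
    """True if the .app bundle embeds the Flutter macOS engine framework."""
    return (Path(app_path) / FLUTTER_MARKER).is_dir()


def find_flutter_apps(root="/Applications"):
    """Return the Flutter-built .app bundles directly under root (sorted)."""
    root = Path(root)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.glob("*.app") if is_flutter_bundle(p))


def suspicious_proxy_settings(prefs):
    """Return the proxy-related keys from a parsed Chrome Preferences dict,
    or an empty dict when no explicit proxy is configured."""
    proxy = prefs.get("proxy")
    if not isinstance(proxy, dict):
        return {}
    if proxy.get("mode", "system") in ORDINARY_PROXY_MODES:
        return {}
    return {k: proxy[k] for k in ("mode", "server", "pac_url", "bypass_list") if k in proxy}


def scan_chrome_profile(profile_dir):
    """Load <profile_dir>/Preferences and report explicit proxy settings."""
    prefs_file = Path(profile_dir) / "Preferences"
    if not prefs_file.is_file():
        return {}
    with open(prefs_file, encoding="utf-8") as fh:
        return suspicious_proxy_settings(json.load(fh))


# Constructed samples: what a tampered and a clean profile could look like.
SAMPLE_TAMPERED_PREFS = {
    "proxy": {"mode": "fixed_servers", "server": "127.0.0.1:8080"},
    "homepage": "https://example.invalid",
}
SAMPLE_CLEAN_PREFS = {"proxy": {"mode": "system"}}

if __name__ == "__main__":
    for app in find_flutter_apps():
        print("Flutter-built bundle:", app)
    default_profile = Path.home() / "Library/Application Support/Google/Chrome/Default"
    findings = scan_chrome_profile(default_profile)
    print("Chrome proxy findings:", findings or "none")
```

A Flutter-built bundle is not malicious by itself; the hit is only a starting point to compare against the Unit 42 IoCs, and a `fixed_servers` or `pac_script` entry on a machine where nobody configured a proxy is the part worth investigating.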
Affected
macOS users in the US, Canada, Australia, France, and Germany lured by malvertised fake desktop apps. FlutterShell adds backdoor command execution and Chrome traffic hijacking on top of adware.
Fix
Source software only from official vendor sites, not search ads. Apply Unit 42 IoCs and block the ad domains. Restore Chrome config on affected Macs and remove the apps.