Full Report
Identified through macOS endpoint monitoring, activity from the CL-CRI-1089 cluster, delivered under the publicly reported Operation FlutterBridge campaign, demonstrates a deliberate misuse of the Flutter framework for macOS malware delivery. Rather than re-documenting the campaign itself, this report treats the recovered FlutterShell artifacts as a technical detection case study.
Analysis Summary
# Tool/Technique: FlutterShell (Operation FlutterBridge)
## Overview
FlutterShell is a macOS backdoor identified within the CL-CRI-1089 cluster. It is notable for its deliberate misuse of the Flutter framework to deliver and execute malicious code. By wrapping the malicious functionality in a legitimate Flutter engine, the attackers create a "black box" that complicates static analysis: the core logic lives in `App.framework` as a compiled Dart AOT (Ahead-of-Time) snapshot. The framework binary is still a Mach-O, but the Dart code inside the snapshot carries none of the Objective-C or Swift classes, selectors or symbols that conventional macOS tooling relies on.
## Technical Details
- **Type:** Malware / Backdoor
- **Platform:** macOS
- **Capabilities:** Command execution, browser profile manipulation (search hijacking), and persistence (mapped below to a Launch Agent).
- **First Seen:** Reported late 2024 / early 2025 (Operation FlutterBridge).
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0003 - Persistence**
- T1543.001 - Create or Modify System Process: Launch Agent
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Flutter AOT snapshots)
- T1553.001 - Subvert Trust Controls: Gatekeeper Bypass
- **TA0009 - Collection**
- T1185 - Browser Session Hijacking (Chrome Profile modification)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)
## Functionality
### Core Capabilities
- **Flutter-Native Bridge Execution:** Uses a `flutterInvoke` bridge built on Flutter's platform channels (`MethodChannel.invokeMethod` on the Dart side, a `FlutterMethodChannel` call handler in the native macOS runner) to pass requests from the Dart layer to the underlying macOS host.
- **Remote Command Execution:** Receives instructions from a C2 server (encrypted or otherwise obfuscated in transit) and executes them as shell commands.
- **Data Exfiltration:** Returns command output and system metadata to the C2 over the same Flutter-mediated channel.
### Advanced Features
- **AOT Snapshot Obfuscation:** The malicious logic is compiled into a Dart AOT snapshot and shipped as `App.framework/Versions/A/App` (the macOS counterpart of `libapp.so` on Android). The snapshot is serialized Dart VM data tied to the SDK version that produced it, not ordinary compiled Objective-C or Swift, so it is considerably harder to reverse-engineer with standard macOS tooling.
- **Browser Hijacking:** Specifically targets Google Chrome profiles to modify search settings, enabling persistent search hijacking and potentially exposing session data.
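A first triage step for any suspect `App.framework` is to confirm that it actually carries a Dart AOT snapshot and to read the snapshot's embedded VM version hash, since Dart tooling only understands snapshots built by a matching SDK. The scanner below is an added example written for this report, not code from the campaign or from Flutter; the header layout it assumes (magic `0xdcdcf5f5`, int64 length, int64 kind, 32-character hex version hash, NUL-terminated feature string) is taken from the Dart SDK's snapshot header and should be confirmed against the SDK version of the target. The sample binary it scans is constructed inline and is not a real artifact.

```python
import struct

# Dart VM snapshot header layout (assumed from the Dart SDK's runtime/vm/snapshot.h;
# confirm against the SDK version that built the target):
#   offset 0   uint32  magic 0xdcdcf5f5, stored little-endian as f5 f5 dc dc
#   offset 4   int64   snapshot length
#   offset 12  int64   snapshot kind (3 = full AOT in current SDKs)
#   offset 20  ascii   32-character hex version hash of the Dart VM that produced it
#   offset 52  ascii   NUL-terminated feature string (e.g. "product no-code_comments")
DART_SNAPSHOT_MAGIC = b"\xf5\xf5\xdc\xdc"
HEADER_LEN = 20
VERSION_HASH_LEN = 32
HEX_DIGITS = frozenset(b"0123456789abcdef")


def find_dart_snapshots(blob: bytes) -> list[dict]:
    """Scan a byte blob (e.g. App.framework/Versions/A/App) for Dart snapshot headers.

    Returns one record per plausible header: file offset, declared length, kind,
    VM version hash and feature string. The version hash is what an analyst needs
    first, because AOT decompilation tooling must match the producing SDK.
    """
    found = []
    start = 0
    while True:
        off = blob.find(DART_SNAPSHOT_MAGIC, start)
        if off < 0:
            break
        start = off + 1
        hdr_end = off + HEADER_LEN
        ver_end = hdr_end + VERSION_HASH_LEN
        if ver_end > len(blob):
            continue
        length, kind = struct.unpack_from("<qq", blob, off + 4)
        version = blob[hdr_end:ver_end]
        # A real header is followed by 32 lowercase hex chars; a chance match is not.
        if not all(b in HEX_DIGITS for b in version):
            continue
        nul = blob.find(b"\x00", ver_end)
        features = blob[ver_end:nul] if nul >= 0 else blob[ver_end:]
        found.append({
            "offset": off,
            "length": length,
            "kind": kind,
            "version_hash": version.decode("ascii"),
            "features": features.decode("ascii", "replace"),
        })
    return found


def build_sample_app_binary() -> bytes:
    """Constructed stand-in for an App binary (padding, junk, one fake AOT header).
    Not a real sample; the version hash is made up."""
    header = (
        DART_SNAPSHOT_MAGIC
        + struct.pack("<qq", 4096, 3)
        + b"8b3c7c0a0b1e2d3f4a5b6c7d8e9f0a1b"
        + b"product no-code_comments\x00"
    )
    return b"\x00" * 64 + b"junk" + header + b"\xcc" * 100


if __name__ == "__main__":
    for rec in find_dart_snapshots(build_sample_app_binary()):
        print(rec)
```

On a real bundle, read `App.framework/Versions/A/App` into `blob`; a Flutter macOS app normally yields one or more headers, and the recovered version hash is the value to match against the Dart SDK before any decompilation attempt.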
## Indicators of Compromise
- **File Names** (weak on their own: every Flutter macOS app ships both of these):
- `App.framework` (containing the malicious Dart snapshot)
- `flutter_assets` (bundled assets and configuration used by the malicious app)
- **Network Indicators:**
- [C2 Domains - Assessed]: `api[.]flutterbridge[.]com`
- [C2 Domains - Assessed]: `updates[.]cl-cri-1089[.]net`
- **Behavioral Indicators:**
- Unusual child processes spawned by a Flutter-based application.
- Modification of `~/Library/Application Support/Google/Chrome/Default/Preferences` (and, for settings Chrome protects with integrity MACs, `Secure Preferences` in the same profile directory).
- Binary signing inconsistencies within the application bundle.
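The Chrome profile indicator above is easiest to operationalise as a check on the parsed preference JSON rather than a file-modification alert alone, since the file changes on every browser run. The audit below is an added example for this report, not code from the campaign or from Chromium; it reads the documented `default_search_provider_data.template_url_data`, `homepage`/`homepage_is_newtabpage` and `session.startup_urls` keys and flags any that point outside an allowlist of expected search hosts. The allowlist and both sample profiles are constructed for the example (the `.test` hostnames are reserved and not real C2).

```python
import json
from urllib.parse import urlparse

# Baseline of hosts a fleet would normally see as Chrome's default search provider
# or start page. Constructed for this example; tune to your own baseline.
EXPECTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def audit_chrome_prefs(prefs: dict) -> list[str]:
    """Return findings for search/start-page settings outside the baseline.

    `prefs` is the parsed JSON of a Chrome profile's Preferences (or Secure
    Preferences) file; run it over both, since Chrome keeps MAC-protected
    settings in the latter.
    """
    findings = []
    tmpl = (prefs.get("default_search_provider_data") or {}).get("template_url_data") or {}
    search_url = tmpl.get("url")
    if search_url and _host(search_url) not in EXPECTED_HOSTS:
        findings.append(
            f"default_search_provider_data: keyword={tmpl.get('keyword')!r} "
            f"host={_host(search_url)!r}"
        )
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", True) \
            and _host(homepage) not in EXPECTED_HOSTS:
        findings.append(f"homepage: host={_host(homepage)!r}")
    session = prefs.get("session") or {}
    for url in session.get("startup_urls") or []:
        if _host(url) not in EXPECTED_HOSTS:
            findings.append(f"session.startup_urls: host={_host(url)!r}")
    return findings


def audit_prefs_file(path: str) -> list[str]:
    """Convenience wrapper for a real profile file, e.g.
    ~/Library/Application Support/Google/Chrome/Default/Preferences."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_prefs(json.load(fh))


# Constructed sample profiles (not captured from a real host).
CLEAN_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "keyword": "google.com", "short_name": "Google",
        "url": "https://www.google.com/search?q={searchTerms}"}},
    "homepage_is_newtabpage": True,
    "session": {"restore_on_startup": 5, "startup_urls": []},
}
HIJACKED_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "keyword": "search", "short_name": "Search",
        "url": "https://search.hijack-example.test/q?term={searchTerms}"}},
    "homepage": "https://start.hijack-example.test/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4, "startup_urls": ["https://start.hijack-example.test/"]},
}

if __name__ == "__main__":
    for name, prefs in (("clean", CLEAN_PREFS), ("hijacked", HIJACKED_PREFS)):
        print(name, audit_chrome_prefs(prefs))
```

Because a legitimate user may pick an unlisted search engine, treat a hit as a triage signal to correlate with the process-tree indicators rather than as a verdict on its own.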
## Associated Threat Actors
- **CL-CRI-1089:** A specific activity cluster identified as the primary operator of this campaign.
## Detection Methods
- **Signature-based detection:** Scanning for specific strings within the `App` binary at `App.framework/Versions/A/App`. Dart string literals survive AOT compilation inside the snapshot, so C2 paths and command keywords are often recoverable with `strings` even though the code itself is not.
- **Behavioral detection:** Monitoring for a Flutter-based application making unexpected network connections or spawning `/bin/sh` or `/bin/zsh`.
- **Dart-Specific Analysis:** Specialized tooling is required to decompile the Dart AOT snapshot and recover the `MethodChannel` calls that carry the backdoor's logic. Because the snapshot format is tied to the Dart SDK that produced it, the tooling must match the version hash embedded in the snapshot header.
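The behavioral indicator (a shell spawned by a Flutter application) can be expressed as a rule over a process-exec feed. The detector below is an added example for this report, not a vendor rule or code from the campaign: it rebuilds the parent/child relationship from JSON events, identifies the parent's `.app` bundle, and classifies the bundle as Flutter only if it ships both the engine (`Contents/Frameworks/FlutterMacOS.framework`) and the Dart snapshot (`Contents/Frameworks/App.framework/Versions/A/App`). The event field names (`pid`, `ppid`, `path`, `args`), the app name and the filesystem view are all constructed assumptions of the example; the filesystem probe is injected so the same logic runs against `os.path.exists` on a live host.

```python
import json
import posixpath
import re
from typing import Callable, Iterable

# Shells named by the behavioral indicator, plus bash for completeness.
SHELLS = {"/bin/sh", "/bin/zsh", "/bin/bash"}
# Main executable of an app bundle: <bundle>.app/Contents/MacOS/<name>
BUNDLE_EXE = re.compile(r"^(?P<bundle>.*?\.app)/Contents/MacOS/[^/]+$")


def is_flutter_bundle(bundle: str, exists: Callable[[str], bool]) -> bool:
    """A Flutter macOS app carries the engine and the Dart AOT snapshot in
    Contents/Frameworks; the file names alone are weak, the pair is a useful classifier."""
    frameworks = posixpath.join(bundle, "Contents", "Frameworks")
    return (exists(posixpath.join(frameworks, "FlutterMacOS.framework"))
            and exists(posixpath.join(frameworks, "App.framework", "Versions", "A", "App")))


def detect_flutter_shell_spawns(events: Iterable[str],
                                exists: Callable[[str], bool]) -> list[dict]:
    """Flag shell processes whose parent is the main executable of a Flutter app.

    `events` are JSON lines with pid, ppid, path and args (field names are an
    assumption of this example, not any EDR vendor's schema).
    """
    procs = {}
    for line in events:
        ev = json.loads(line)
        procs[ev["pid"]] = ev
    hits = []
    for ev in procs.values():
        if ev["path"] not in SHELLS:
            continue
        parent = procs.get(ev["ppid"])
        if parent is None:
            continue
        m = BUNDLE_EXE.match(parent["path"])
        if m and is_flutter_bundle(m.group("bundle"), exists):
            hits.append({
                "pid": ev["pid"],
                "shell": ev["path"],
                "args": ev.get("args", []),
                "parent": parent["path"],
                "bundle": m.group("bundle"),
            })
    return hits


# Constructed sample feed and filesystem view (hypothetical app name and paths).
SAMPLE_EVENTS = [
    '{"pid": 501, "ppid": 1, "path": "/Applications/SampleFlutterApp.app/Contents/MacOS/SampleFlutterApp", "args": []}',
    '{"pid": 502, "ppid": 501, "path": "/bin/zsh", "args": ["-c", "id; uname -a"]}',
    '{"pid": 503, "ppid": 501, "path": "/usr/bin/open", "args": ["https://example.invalid"]}',
    '{"pid": 600, "ppid": 1, "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "args": []}',
    '{"pid": 601, "ppid": 600, "path": "/bin/zsh", "args": ["-l"]}',
]
SAMPLE_FS = {
    "/Applications/SampleFlutterApp.app/Contents/Frameworks/FlutterMacOS.framework",
    "/Applications/SampleFlutterApp.app/Contents/Frameworks/App.framework/Versions/A/App",
}

if __name__ == "__main__":
    for hit in detect_flutter_shell_spawns(SAMPLE_EVENTS, SAMPLE_FS.__contains__):
        print(hit)
```

On a live host pass `os.path.exists` as the probe. The Terminal-spawned shell in the sample is deliberately not flagged: the rule keys on the Flutter bundle, not on shell execution in general, which keeps it quiet on developer machines.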
## Mitigation Strategies
- **Prevention measures:** Enforce Gatekeeper and notarization requirements so that only notarized applications from known developers can run.
- **Hardening recommendations:** Use Endpoint Detection and Response (EDR) tooling to detect Living off the Land (LotL) behaviour, here a legitimate framework such as Flutter being used to spawn shells.
## Related Tools/Techniques
- **Flutter Framework:** The legitimate open-source UI software development kit misused here.
- **Search Hijackers:** Traditional macOS adware/malware that targets browser settings, now evolved into framework-based delivery.