Google Ads Push Stealthy FlutterShell Backdoor To Millions Of Users
By 813 Staff

Silicon Valley insiders report that Google Ads are pushing a stealthy FlutterShell backdoor to millions of users, according to a post by The Hacker News (@TheHackersNews) within the last 24 hours.
Source: https://x.com/TheHackersNews/status/2062495516949098612
Google’s ad network has been weaponized in a campaign that is now delivering a new backdoor called FlutterShell, and the stakes could not be higher for the company’s credibility as a trusted gateway to the open web. Internal documents circulating among threat intelligence teams show that malicious ads, purchased through Google and YouTube’s legitimate ad platforms, have been serving payloads to unsuspecting users since at least late May 2026. Engineers close to the investigation say the response has been anything but smooth for defenders, because the malware uses a previously undetected chain that begins with a seemingly benign ad redirect.
The Hacker News (@TheHackersNews) broke the story on June 4, confirming that FlutterShell is a cross-platform backdoor written in Google’s own Flutter framework, which allows it to evade static analysis tools that typically flag native code. According to researchers who have analyzed the samples, the attack chain works as follows: a user clicks on a Google or YouTube ad, is redirected through a series of compromised publisher websites, and ultimately lands on a page that shows a fake browser update prompt. Accepting that update installs FlutterShell, which then establishes persistent remote access, steals credentials, and can deploy additional payloads. The malware communicates over encrypted WebSocket channels with command-and-control servers that rotate domains every few hours, making takedowns difficult.
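As an added example that is not part of the original report or any vendor tooling, the following Python flags the two observables described above in constructed web-proxy log lines: an ad click followed by a redirect chain across several hosts that ends in a download named like a browser update, and WebSocket sessions whose destination host keeps changing. The log format, the ad-click host set and the thresholds are assumptions to adapt to your own proxy.

```python
# Added example (not from the article): flag ad-click redirect chains ending in an
# "update" download, and host-rotating WebSocket sessions, in constructed proxy logs.
import re
LOG = """\
10.0.0.5 1000 302 https://ad-click.example/c?id=1
10.0.0.5 1001 302 https://blog-a.example/go
10.0.0.5 1002 302 https://blog-b.example/landing
10.0.0.5 1003 200 https://cdn-x.example/ChromeUpdate_1.2.exe
10.0.0.5 1100 101 wss://c2-alpha.example/ws
10.0.0.5 5200 101 wss://c2-beta.example/ws
10.0.0.5 9300 101 wss://c2-gamma.example/ws
10.0.0.9 2000 302 https://ad-click.example/c?id=2
10.0.0.9 2001 200 https://news.example/article"""  # constructed placeholder hosts
AD_CLICK_HOSTS = {"ad-click.example"}  # assumption: click hosts of your ad platforms
UPDATE_RE = re.compile(r"(update|upgrade)[^/]*\.(exe|msi|dmg|pkg)$", re.I)
MIN_HOSTS, MIN_WS_HOSTS, WINDOW = 3, 3, 6 * 3600  # tunable thresholds

def host(url):
    return re.match(r"\w+://([^/]+)", url).group(1)

def parse(text):
    events = {}  # client -> [(epoch, status, url)] in log order
    for line in text.splitlines():
        client, ts, status, url = line.split()
        events.setdefault(client, []).append((int(ts), int(status), url))
    return events

def update_chains(ev):
    """Ad click, then only 30x hops across >= MIN_HOSTS hosts, then a 200 download."""
    out, i = [], 0
    while i < len(ev):
        if host(ev[i][2]) in AD_CLICK_HOSTS and 300 <= ev[i][1] < 400:
            hosts, j = {host(ev[i][2])}, i + 1
            while j < len(ev) and 300 <= ev[j][1] < 400:
                hosts.add(host(ev[j][2])); j += 1
            if (j < len(ev) and ev[j][1] == 200 and len(hosts) >= MIN_HOSTS
                    and UPDATE_RE.search(ev[j][2])):
                out.append((len(hosts), ev[j][2]))
            i = j
        i += 1
    return out

def rotating_ws(ev):
    """Distinct WebSocket-upgrade (101) hosts within WINDOW of the first one."""
    ws = [(ts, host(u)) for ts, st, u in ev if st == 101]
    hosts = {h for ts, h in ws if ts - ws[0][0] <= WINDOW}
    return sorted(hosts) if len(hosts) >= MIN_WS_HOSTS else []

def analyse(text):
    found = {c: (update_chains(ev), rotating_ws(ev)) for c, ev in parse(text).items()}
    return {c: {"update_chains": u, "rotating_ws": w} for c, (u, w) in found.items() if u or w}
```

Client 10.0.0.9 is the negative case: its ad click is followed by a single 200 with no update-style download, so it produces no finding.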
What makes this especially concerning is that Google’s ad review systems were bypassed. Sources familiar with the investigation indicate that the threat actors registered as legitimate advertisers using stolen or forged business credentials, then served low-volume, regionally targeted ads that stayed below automated moderation thresholds. The campaign appears focused on enterprise users, particularly in the finance and legal sectors, though researchers caution that the targeting scope may expand.
Google has not yet issued a public statement beyond acknowledging an ongoing investigation. The company’s ad safety team is reportedly scrambling to update its review models, but internal chatter suggests it is struggling to keep pace. Users who clicked on any suspicious ads in the past two weeks, especially ads prompting a browser update, are advised to run full system scans and revoke any credentials entered since the infection. FlutterShell does not self-delete, meaning adversaries could maintain access for weeks or months unless it is manually removed. For now, the biggest question remains unanswered: how many organizations are already compromised, and will Google’s ad ecosystem regain trust before the next campaign hits?
