JSCoreRunner
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
According to Palo Alto Networks Unit 42, the campaign is said to be the next stage of a previously reported activity cluster dubbed JSCoreRunner (aka FileRipple) in late August 2025.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
These campaigns distribute malicious Google and YouTube advertisements using a network of Google-verified shell companies, with the ads acting as a lure to trick targets into deploying malware that masquerades as legitimate desktop applications.
Execution
3 techniques
It gives attackers full remote control over the infected system, including the ability to execute commands... FlutterShell shares its core command structure with a previously documented macOS malware called JSCoreRunner, including functions for executing commands.
FlutterShell has a set of built-in commands that provide attackers with the following capabilities: Arbitrary command execution.
TamperedChef (aka EvilAI), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware.
Discovery
2 techniques
Capability | FlutterShell | JSCoreRunner
... | ... | ...
Get Home Directory | get_home_dir | _osHomedir
FlutterShell shares its core command structure with a previously documented macOS malware called JSCoreRunner, including functions for executing commands, reading files, and listing directories.
Collection
1 technique
Upon installation, FlutterShell fingerprints the machine... Next, the malware targets the Google Chrome “Secure Preferences” file... changing the url and new_tab_url values to the attacker-controlled domain.
Command and Control
1 technique
This design lets attackers change what the malware does at any moment, without updating the app itself... FlutterShell retrieves it dynamically, making detection far more difficult.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Previously documented macOS malware whose command structure overlaps with FlutterShell. It embedded its malicious logic statically in the binary and supported command execution, file reading, and directory listing.
A previously reported malware/activity cluster linked to the same threat activity as FlutterShell and attributed to CL-CRI-1089. It is described as an earlier stage in the evolution toward FlutterShell.
A macOS malware family and predecessor to FlutterShell that uses a JavaScript-to-native bridge, has browser-hijacking behavior focused on Google Chrome, and shares core backdoor primitives such as command execution, file read/write, directory enumeration, and home directory discovery.
macOS malware delivered via fake PDF converter apps; connects to a remote server and hijacks Chrome by changing default search engine settings to a fraudulent provider to track searches and redirect users to malicious sites.