MalwareUsed by 1 actor

RecipeLister

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

CL-CRI-1089

By pivoting on infrastructure related to the ad-filled intermediary site used in the FlutterShell campaign, we linked the current macOS campaign to two Windows malware strains: RecipeLister and Calendaromatic. Both of these strains were distributed via malvertising campaigns, and are tracked as part of the CL-CRI-1089 cluster of activity.

via palo alto networks unit 42 blogunit42.paloaltonetworks.com

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1583Acquire InfrastructureEvidence1

TacticResource Development

The attackers behind this cluster are responsible for spreading malicious payloads via malvertising campaigns, targeting both Windows and macOS users through separate, ongoing operations.

Collection

1 technique

T1185Browser Session HijackingEvidence1

TacticCollection

Upon installation, FlutterShell fingerprints the machine... Next, the malware targets the Google Chrome “Secure Preferences” file... changing the url and new_tab_url values to the attacker-controlled domain.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

palo alto networks unit 42 blogNews

Jun 2, 2026

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

A Windows malware strain in the CL-CRI-1089 cluster distributed via malvertising. It uses a WebView-based architecture that allows dynamic payload changes and hijacks the victim's browser to redirect traffic through ad-filled intermediary sites.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.