CL-CRI-1089

CL-CRI-1089 is a cybercrime activity cluster tracked by Palo Alto Networks Unit 42 and assessed to have been active since at least early 2023. Unit 42 links this cluster to large-scale malvertising operations distributing trojanized productivity and desktop applications to both macOS and Windows users. Reported campaigns associated with CL-CRI-1089 include Operation FlutterBridge, JSCoreRunner (also referred to as FileRipple), Calendaromatic, DocuFlex, AppSuite PDF, RecipeLister, PDFPrime, and ManualzPDF; some reporting also places these campaigns within broader TamperedChef/EvilAI-style activity. The cluster has used malicious Google and YouTube advertisements, sponsored search results, and polished lure websites to distribute malware at scale. Unit 42 reported use of hundreds of verified Google Ads accounts and shell companies for advertising and code-signing support. The cluster primarily leveraged corporate structures connected to Ukrainian entities for code signing, and reporting also links some infrastructure and signing entities to Ukrainian, Malaysian, and British entities. Researchers attributed 34 unique code-signing certificates or entities to CL-CRI-1089 and estimated certificate costs for this cluster alone exceeded $10,000. On macOS, CL-CRI-1089 was linked to Operation FlutterBridge, which delivered the FlutterShell backdoor via fake but functional applications including PodcastsLounge, PDF-Brain, and PDF-Ninja. FlutterShell was built with the Flutter framework, used a WebView-based JavaScript-to-native bridge, and retrieved malicious logic remotely rather than embedding all functionality in the binary. Reported capabilities included arbitrary command execution, file system access, environment variable exfiltration, system fingerprinting, browser session theft, and Google Chrome hijacking by modifying Secure Preferences and redirecting searches and new tabs to attacker-controlled ad sites. PDF-Brain and PDF-Ninja also routed document contents through attacker-controlled servers via an AI summarization feature. Unit 42 reported that observed FlutterShell samples were signed with valid Apple Developer IDs and passed Apple notarization. Unit 42 also linked CL-CRI-1089 to earlier macOS JSCoreRunner/FileRipple activity through shared publisher infrastructure and similar JavaScript-to-native backdoor primitives. On Windows and cross-platform lure operations, the cluster has been associated with trojanized business tools such as calendar and PDF applications that often function as advertised, delay malicious behavior for weeks or months, and later download second-stage payloads including information stealers, remote access Trojans, browser hijackers, adware, and in some cases proxy malware. Calendaromatic was reported as a self-extracting archive containing a working calendar application bundled with a RAT. Victimology described in the reporting is broad and global rather than sector-specific. For Operation FlutterBridge, targeting emphasized English-speaking countries and Western Europe, including the United States, Canada, Australia, France, and Germany.