Cybercriminals Exploit Blender Files to Deploy StealC V2 Infostealer
Cybercriminals have found a new way into victims' systems through Blender, the widely used open-source 3D modeling application. They upload malicious .blend files to popular asset marketplaces such as CGTrader, with embedded Python scripts that run automatically when the file is opened in Blender with script auto-execution enabled. The campaign has been active for at least six months and has been linked to Russian-affiliated groups that use similar evasion techniques and decoy documents.
The malicious .blend files are built to steal sensitive information, including saved passwords, cryptocurrency wallets, and authentication tokens from a wide range of browsers and applications. The creative industry is the obvious target: Blender is an everyday tool for professionals and hobbyists who routinely download models from community platforms.
Morphisec security researchers uncovered the campaign by analyzing the infection chain and its command-and-control infrastructure. Their research tied the payload to StealC V2, an information stealer that has gained popularity in underground markets since its emergence in April 2025.
Understanding the Infection Mechanism
When a user opens a compromised .blend file with Blender's Auto Run Python Scripts setting enabled, the embedded Rig_Ui.py script executes automatically. The script fetches a PowerShell loader from attacker-controlled servers; that loader in turn downloads several archives containing a complete Python environment preloaded with StealC V2 and additional stealing components.
The extracted files drop hidden shortcut (LNK) files into the Windows Startup folder so the malware runs again after every reboot. The chain is obfuscated at several stages and uses encrypted communication throughout: the Python components retrieve ChaCha20-encrypted payloads through the Pyramid command-and-control framework, which makes both detection and analysis considerably harder.
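The stage that makes this campaign possible is a Text datablock inside the .blend file. A practitioner who wants to triage downloaded assets before opening them can parse the .blend container offline rather than trusting Blender's own prompt. The script below is an added example, not Morphisec's or Blender's code. It assumes the classic 12-byte .blend header ("BLENDER", a pointer-size character, an endianness character, a three-character version) followed by file blocks of [code(4) size(4) old-pointer(4 or 8) SDNA-index(4) count(4)] plus body, that Blender writes each ID block (for example "TX\0\0" for a Text datablock) immediately followed by the DATA blocks holding its contents, and that older files may be gzip-wrapped while Blender 3.0+ files are zstd-wrapped. The keyword list and the sample files are constructed for the example and are not signatures from the campaign.

```python
"""Offline triage of .blend files for embedded Python text blocks (added example)."""
import gzip
import struct

# Constructed heuristic list for this example, not a signature set from the report.
SUSPICIOUS = [b"subprocess", b"os.system", b"powershell", b"urllib",
              b"base64.b64decode", b"exec(", b"bpy.app.handlers"]
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"


def normalize(data: bytes) -> bytes:
    """Return raw .blend bytes, transparently un-gzipping older saves."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:4] == ZSTD_MAGIC:
        raise ValueError("zstd-compressed .blend (Blender 3.0+): decompress it first")
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    return data


def iter_blocks(data: bytes):
    """Yield (code, body) for every file block; layout per the classic .blend header."""
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"      # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"         # 'v' = little-endian, 'V' = big-endian
    hdr = struct.Struct(endian + "4sI" + ptr_fmt + "II")
    off = 12
    while off + hdr.size <= len(data):
        code, size, _old_ptr, _sdna, _count = hdr.unpack_from(data, off)
        body = data[off + hdr.size: off + hdr.size + size]
        yield code, body
        if code == b"ENDB":
            break
        off += hdr.size + size


def triage(data: bytes) -> dict:
    """Count Text datablocks and flag suspicious keywords in the DATA blocks that follow them."""
    data = normalize(data)
    text_blocks, hits, in_text = 0, set(), False
    for code, body in iter_blocks(data):
        if code[:2] == b"TX":            # Text datablock (an embedded script)
            text_blocks += 1
            in_text = True
        elif code == b"DATA":            # contents of the preceding ID block
            if in_text:
                hits.update(k.decode() for k in SUSPICIOUS if k in body)
        else:                            # any other ID block ends the Text's DATA run
            in_text = False
    return {"text_blocks": text_blocks, "hits": sorted(hits), "suspicious": bool(hits)}


# ---- constructed sample files for the example (not real Blender output, not real malware) ----
def _block(code: bytes, body: bytes) -> bytes:
    return struct.pack("<4sIQII", code.ljust(4, b"\0"), len(body), 0, 0, 1) + body


def make_sample(script=None) -> bytes:
    """Minimal 64-bit little-endian .blend: one mesh block, optionally one Text block."""
    out = b"BLENDER-v303" + _block(b"ME", b"\0" * 16)
    if script is not None:
        out += _block(b"TX", b"\0" * 16) + _block(b"DATA", script)
    return out + _block(b"ENDB", b"")


# Constructed stager-like text; 'AAAA' is a placeholder, not a real payload.
MALICIOUS_SCRIPT = (b"import subprocess, base64\n"
                    b"subprocess.Popen(['powershell', '-w', 'hidden', '-enc', 'AAAA'])\n")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```

Run it as `python triage_blend.py model.blend` on anything downloaded from a marketplace; a model that legitimately ships a rig UI script will show `text_blocks` of one or more, and the `hits` list tells you whether that script reaches for a shell, the network or a decoder. The adjacency rule (DATA blocks belong to the ID block before them) is how Blender's writer lays out files, but treat the result as a triage signal, not a verdict: the definitive check is still opening the file with auto-execution disabled and reading the Text datablocks in Blender's text editor.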
StealC V2 targets more than 23 web browsers, over 100 browser extensions, 15 desktop cryptocurrency wallets, messaging applications such as Telegram and Discord, and VPN clients. The malware includes updated privilege escalation techniques and keeps a low detection rate on public analysis platforms, which lets it slip past traditional signature-based defenses.
Recommendations for Users
To reduce the risk of infection, leave Blender's Auto Run Python Scripts setting (Preferences, Save & Load) disabled, which is its default, and do not click "Allow Execution" on the banner Blender shows for files from untrusted sources, no matter what the asset's instructions say; for batch work, launch Blender with --disable-autoexec. Be cautious when downloading 3D models from community platforms, and if a suspicious file has already been opened, check the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) for unexpected LNK files. Keeping security software up to date and staying alert to unusual files remain the baseline defenses against attacks of this kind.