Cybercriminals Use Blender 3D Files to Spread StealC V2 Malware via Embedded Python Scripts

Cybercriminals Exploit Blender 3D Assets to Deploy StealC V2 Malware

In a recent cybersecurity development, researchers have uncovered a malicious campaign that uses Blender project files to distribute the StealC V2 information-stealing malware. The operation, active for at least six months, embeds harmful Python scripts inside .blend files and distributes them through 3D asset marketplaces such as CGTrader. Unsuspecting users download these 3D model files, and when they open them in Blender—a widely used, open-source 3D creation suite—the embedded scripts run automatically and start the malware deployment.

Morphisec researcher Shmuel Uzan highlighted the campaign’s tactics, noting its resemblance to previous attacks where Russian-speaking threat actors impersonated the Electronic Frontier Foundation (EFF) to target the online gaming community with StealC and Pyramid C2 malware. Both campaigns share common strategies, such as using decoy documents, employing evasive techniques, and executing malware in the background without user awareness.

The core of this attack abuses Blender’s ability to embed Python scripts in .blend files, a feature intended for advanced tasks such as rigging and automation. This functionality carries significant security risk, particularly when the Auto Run option is enabled, because scripts then execute as soon as the file is loaded. Blender’s own documentation acknowledges the risk: embedding Python scripts is valuable, but it can be dangerous because Python does not restrict what a script can do.

The attack sequence begins with the distribution of malicious .blend files containing a harmful Rig_Ui.py script. When these files are opened in Blender with Auto Run enabled, the script executes automatically, triggering a PowerShell script that downloads two ZIP archives. One archive contains the StealC V2 payload, while the other deploys an additional Python-based stealer on the compromised system.
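The scanner below is an added example for the defender side of the mechanism described above; it is not code from Morphisec, the Blender project, or the campaign. It walks the .blend container block by block, counts embedded Text datablocks (block code `TX`, which is where Blender stores in-file scripts), and runs a small indicator list over the decompressed bytes, so a file can be triaged before anyone opens it with Auto Run enabled. The indicator patterns, the `build_sample_blend` helper, and the sample script lines are constructed for this example; the block layout assumed is the classic .blend header and block format (12-byte file header, then blocks of code/size/old-address/SDNA-index/count followed by payload).

```python
"""Static triage of .blend files for embedded Text (script) datablocks.

Added example: walks the classic .blend block layout without running Blender.
"""
import gzip
import re
import struct
import sys
from typing import Dict, Iterator, List, Tuple

# Container magic values (documented .blend / gzip / zstd signatures).
BLEND_MAGIC = b"BLENDER"
GZIP_MAGIC = b"\x1f\x8b"            # older Blender versions gzip the whole file
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"    # Blender 3.0+ may use zstd compression
TEXT_BLOCK_CODE = b"TX\x00\x00"     # block code for a Text datablock

# Indicator patterns suggesting a Text block holds executable Python rather
# than notes. Constructed for this example; tune to your environment.
SCRIPT_INDICATORS: List[bytes] = [
    rb"\bimport\s+bpy\b",
    rb"\bbpy\.app\.handlers\b",
    rb"\bsubprocess\b",
    rb"\bpowershell\b",
    rb"\bos\.system\b",
    rb"\burllib\b",
    rb"\bbase64\b",
]


def _decompress_if_needed(data: bytes) -> bytes:
    """Transparently handle gzip; refuse zstd so the caller decompresses it."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress it before scanning")
    return data


def iter_blocks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (block_code, payload) for every block in a classic-layout .blend."""
    if len(data) < 12 or not data.startswith(BLEND_MAGIC):
        raise ValueError("not an uncompressed .blend file")
    ptr_size = 8 if data[7:8] == b"-" else 4          # '-' = 64-bit, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"        # 'v' = little, 'V' = big
    hdr_fmt = f"{endian}4sI{'Q' if ptr_size == 8 else 'I'}II"
    hdr_len = struct.calcsize(hdr_fmt)
    pos = 12
    while pos + hdr_len <= len(data):
        code, size, _old_addr, _sdna, _count = struct.unpack_from(hdr_fmt, data, pos)
        pos += hdr_len
        yield code, data[pos:pos + size]
        pos += size
        if code == b"ENDB":
            break


def scan_blend(data: bytes) -> Dict[str, object]:
    """Count Text datablocks and indicator hits; flag when both are present."""
    data = _decompress_if_needed(data)
    text_blocks = sum(1 for code, _ in iter_blocks(data) if code == TEXT_BLOCK_CODE)
    hits: Dict[str, int] = {}
    for pat in SCRIPT_INDICATORS:
        n = len(re.findall(pat, data))
        if n:
            hits[pat.decode()] = n
    return {
        "text_blocks": text_blocks,
        "indicators": hits,
        # Indicators alone are noisy (add-on names, notes); require an embedded
        # Text datablock as well before calling the file suspicious.
        "suspicious": text_blocks > 0 and bool(hits),
    }


def build_sample_blend(lines: List[bytes], ptr64: bool = True) -> bytes:
    """Construct a minimal .blend-like file holding one Text datablock (test input)."""
    out = bytearray(b"BLENDER" + (b"-" if ptr64 else b"_") + b"v300")
    fmt = "<4sI" + ("Q" if ptr64 else "I") + "II"

    def block(code: bytes, payload: bytes) -> bytes:
        return struct.pack(fmt, code, len(payload), 0, 0, 1) + payload

    out += block(TEXT_BLOCK_CODE, b"\x00" * 64)       # stand-in for the Text ID struct
    for ln in lines:                                  # each line string is its own DATA block
        out += block(b"DATA", ln + b"\x00")
    out += block(b"ENDB", b"")
    return bytes(out)


# Constructed sample content resembling a script that shells out from Blender.
SAMPLE_SCRIPT_LINES: List[bytes] = [
    b"import bpy",
    b"import subprocess",
    b"subprocess.run(['powershell', '-Command', 'echo test'])",
]

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blend(SAMPLE_SCRIPT_LINES)
    print(scan_blend(raw))
```

Run it as `python scan_blend.py model.blend` on a downloaded asset; with no argument it scans the constructed sample. A non-zero `text_blocks` count is not by itself malicious (riggers legitimately ship UI scripts), so treat the result as a reason to inspect the Text blocks in Blender with Auto Run disabled rather than as a verdict.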

StealC V2, first announced in late April 2025, is a sophisticated information stealer capable of extracting data from 23 browsers, 100 web plugins and extensions, 15 cryptocurrency wallet applications, messaging services, VPNs, and email clients. This extensive data-gathering capability makes it a potent tool for cybercriminals seeking to harvest sensitive information.

To mitigate the risk of such attacks, users are advised to keep Blender’s Auto Run feature disabled unless they are opening files from trusted sources. The attackers also benefit from where Blender typically runs: on physical workstations with dedicated GPUs rather than in sandboxes or virtual machines, so the payload executes outside the environments that security tooling relies on to detect and block malware.

This incident underscores the importance of vigilance when downloading and opening files from online platforms, even those that appear reputable. Users should exercise caution and ensure that their software settings are configured to minimize security risks.