
Cybercriminals have discovered a new attack vector targeting the creative design community by exploiting Blender, a widely used open-source 3D modeling application.
Threat actors are uploading malicious files to popular asset platforms like CGTrader, containing embedded Python scripts that execute automatically when users open the files in Blender.
This sophisticated campaign, uncovered through ongoing threat investigations, demonstrates how attackers continue to adapt their tactics to compromise unsuspecting users across Windows, macOS, and Linux systems.
The operation has been active for at least six months and connects to previously identified Russian-linked campaigns that used similar evasion techniques and decoy documentation methods.
These malicious .blend files are weaponized to steal sensitive information from victim machines, including passwords, cryptocurrency wallets, and authentication credentials from multiple browsers and applications.
The threat represents a significant risk to the creative industry, where Blender’s free and powerful capabilities make it an essential tool for professionals and hobbyists alike.
Morphisec security researchers identified and tracked this campaign after analyzing the infection chain and command and control infrastructure.
The research revealed direct connections to StealC V2, a dangerous information-stealing malware that has become increasingly popular in underground criminal markets since its emergence in April 2025.
Understanding the Infection Mechanism
When users open a compromised .blend file with Blender’s Auto Run Python Scripts setting enabled, the embedded Rig_Ui.py script executes automatically.
The script then fetches a PowerShell loader from attacker-controlled servers. That loader downloads several archives containing a fully functional Python environment preloaded with StealC V2 and additional stealer components.
The extracted files create hidden shortcut files (LNK) that are copied to the Windows Startup folder, ensuring the malware persists across system reboots.
The attack chain involves multiple stages of obfuscation and uses encrypted communication channels.
The Python scripts download ChaCha20-encrypted payloads through the Pyramid command-and-control infrastructure, which makes detection and analysis considerably harder.
StealC V2 itself targets over 23 web browsers, more than 100 browser extensions, 15 desktop cryptocurrency wallets, messaging applications like Telegram and Discord, and VPN clients.
The malware includes updated privilege escalation techniques and maintains low detection rates on security analysis platforms, allowing it to evade traditional security solutions.
Users should disable Blender’s Auto Run feature for untrusted file sources and exercise caution when downloading 3D models from community platforms.
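As an added defender-side example (my own code, not from Morphisec or the Blender project), this Python scanner walks the block table of a .blend file and reports embedded Text datablocks, any recovered .py names and suspicious string markers, so downloaded assets can be triaged before they are opened with Auto Run enabled. It assumes the legacy 12-byte header and block layout and handles gzip only; the marker list and the sample file it builds are constructed for this example.

```python
import gzip
import struct

SUSPECT_MARKERS = (b"import ", b"subprocess", b"powershell", b"exec(", b"urlopen")  # heuristic picks

def parse_blend_blocks(data):
    """Walk the legacy .blend layout: 12-byte header, then blocks headed by
    code[4], size[4], old pointer, sdna index[4], count[4]. Gzip is handled;
    zstd or newer headers raise ValueError rather than being guessed at."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:7] != b"BLENDER":
        raise ValueError("unsupported or compressed .blend header")
    ptr = 8 if data[7:8] == b"-" else 4        # '-' = 64-bit pointers, '_' = 32-bit
    end = "<" if data[8:9] == b"v" else ">"    # 'v' little-endian, 'V' big-endian
    off, blocks = 12, []
    while off + 16 + ptr <= len(data):
        code = data[off:off + 4]
        size = struct.unpack(end + "i", data[off + 4:off + 8])[0]
        off += 16 + ptr                         # skip the whole block header
        if code == b"ENDB":
            break
        blocks.append({"code": code, "payload": data[off:off + size]})
        off += size
    return blocks

def triage_blend(data):
    """Count Text datablocks (ID code 'TX'), recover .py names from the
    NUL-terminated ID name field, and flag suspicious markers in any payload."""
    blocks = parse_blend_blocks(data)
    texts = [b for b in blocks if b["code"].startswith(b"TX")]
    names = []
    for b in texts:
        for chunk in b["payload"].split(b"\x00"):
            if chunk.endswith(b".py"):          # ID names carry the 2-char 'TX' prefix
                name = chunk[2:] if chunk[:2] == b"TX" else chunk
                names.append(name.decode("ascii", "replace"))
    hits = sorted({m.decode() for b in blocks for m in SUSPECT_MARKERS if m in b["payload"]})
    return {"text_blocks": len(texts), "script_names": names, "markers": hits}

def build_sample_blend(compress=False):
    """Constructed stand-in for a weaponized file: one 'TX' datablock named
    Rig_Ui.py plus a DATA block holding script text. Not a real Blender file."""
    def block(code, payload):
        return code + struct.pack("<i", len(payload)) + b"\x00" * 16 + payload
    data = (b"BLENDER-v403"
            + block(b"TX\x00\x00", b"\x00" * 40 + b"TXRig_Ui.py" + b"\x00" * 57)
            + block(b"DATA", b"import subprocess\n")
            + block(b"ENDB", b""))
    return gzip.compress(data) if compress else data
```

A non-empty `text_blocks` count is not proof of malice on its own, since legitimate rigs ship UI scripts too, but it tells you which files deserve a look before enabling script execution.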
