
Cybersecurity researchers have revealed details of a new campaign that leverages Blender Foundation files to distribute an information theft tool known as StealC V2.
“This ongoing operation, which has been active for at least six months, involves embedding malicious .blend files into platforms such as CGTrader,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.
“Users unknowingly download these 3D model files, which are designed to run embedded Python scripts when opened in Blender, a free, open-source 3D creation suite.”

The cybersecurity firm said this activity has similarities to previous campaigns involving Russian-speaking attackers that impersonated the Electronic Frontier Foundation (EFF) to target online gaming communities and infect them with StealC and Pyramid C2.
This assessment is based on tactical similarities between both campaigns, including the use of decoy documents, evasion techniques, and background execution of malware.
The latest set of attacks exploits the ability to embed Python scripts in .blend files, such as character rigs, that are automatically executed when the file is opened in scenarios where the autorun option is enabled. This behavior is potentially dangerous as it opens the door to the execution of arbitrary Python scripts.

Blender acknowledges this security risk in its own documentation, stating: “The ability to include Python scripts within blend files is valuable for advanced tasks such as rigging and automation. However, Python does not limit what the scripts can do, which poses a security risk.”
This attack chain essentially involves uploading a malicious .blend file containing the malicious “Rig_Ui.py” script to a free 3D asset site such as CGTrader. The script runs as soon as the file is opened in Blender with the autorun feature enabled, and in turn retrieves a PowerShell script and downloads two ZIP archives.
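The following scanner is an added defensive example, not Morphisec's or Blender's code: it walks the .blend file-block structure and flags every embedded Text datablock (where a script such as the Rig_Ui.py described above is stored) without opening the file in Blender. It assumes a little-endian file with the classic 12-byte header, stored raw or gzip-compressed (zstd-compressed saves are reported, not parsed); the keyword list and the sample file it builds are constructed.

```python
"""Flag embedded Text datablocks in .blend files, the carrier for scripts that
Blender runs on load when autorun is enabled. Constructed example, not
Morphisec's or Blender's code; assumes a little-endian file with the classic
12-byte header, stored raw or gzip-compressed."""
import gzip
import struct

SUSPICIOUS = (b"subprocess", b"powershell", b"urllib", b"os.system", b"base64")

def iter_blocks(data: bytes):
    """Yield (code, payload) for every file block after the 12-byte header."""
    if data[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("zstd-compressed .blend: decompress before scanning")
    if not data.startswith(b"BLENDER") or data[8:9] != b"v":
        raise ValueError("not a little-endian .blend with a classic header")
    ptr = 8 if data[7:8] == b"-" else 4          # '-' = 64-bit, '_' = 32-bit pointers
    hdr = 16 + ptr                                # code, size, old address, SDNA index, count
    pos = 12
    while pos + hdr <= len(data):
        code = data[pos:pos + 4]
        size = struct.unpack_from("<i", data, pos + 4)[0]
        yield code, data[pos + hdr:pos + hdr + size]
        if code == b"ENDB":
            break
        pos += hdr + size

def scan_blend(data: bytes) -> list:
    """Return one finding per Text datablock: its trailing DATA byte count and keyword hits."""
    if data[:2] == b"\x1f\x8b":                   # gzip-compressed save (pre-3.0 default)
        data = gzip.decompress(data)
    findings, current = [], None
    for code, payload in iter_blocks(data):
        if code == b"TX\x00\x00":                 # ID code of a Text datablock
            current = {"bytes": 0, "hits": set()}
            findings.append(current)
        elif code == b"DATA" and current is not None:
            current["bytes"] += len(payload)      # TextLine structs and raw line text
            current["hits"].update(t.decode() for t in SUSPICIOUS if t in payload)
        else:
            current = None                        # next ID block, DNA1 or ENDB
    return findings

def build_sample() -> bytes:
    """Constructed minimal 64-bit .blend with one Text datablock; not a real sample."""
    def block(code: bytes, payload: bytes) -> bytes:
        return code + struct.pack("<iQii", len(payload), 0, 0, 1) + payload
    body = block(b"TX\x00\x00", b"\x00" * 64)     # Text struct placeholder
    for line in (b"import subprocess\x00", b"subprocess.Popen(['powershell'])\x00"):
        body += block(b"DATA", b"\x00" * 32) + block(b"DATA", line)
    return b"BLENDER-v404" + body + block(b"ENDB", b"")
```

Blender only auto-executes text blocks marked Register, a flag this scanner does not decode, so it reports every embedded script for review; a Text datablock is not malicious by itself (rigs legitimately ship UI scripts), but it is a prompt to inspect the script with autorun disabled.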

One of the ZIP files contains the StealC V2 payload, while the second archive deploys a secondary Python-based stealer on the compromised host. First announced in late April 2025, the updated version of StealC supports a wide range of information collection features and can extract data from 23 browsers, 100 web plugins and extensions, 15 crypto wallet apps, messaging services, VPNs, and email clients.
“Keep autorun disabled unless you trust the file source,” Morphisec said. “Attackers typically exploit Blender, which runs on physical machines with GPUs, to bypass sandboxes and virtual environments.”
