Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware

Researchers at Morphisec have uncovered a campaign that uses Blender 3D asset files to distribute information-stealing malware. The operation has been running for at least six months.

The malicious .blend files are uploaded to popular asset marketplaces such as CGTrader. Users download them as ordinary 3D models, unaware that each file carries embedded Python scripts.

When the file is opened in Blender, those scripts execute automatically if the ‘Auto Run Python Scripts’ preference is enabled. The preference is off by default; in that case Blender shows a banner warning that script execution was disabled and offers an ‘Allow Execution’ button, and a user who clicks it because the rig “does not work otherwise” runs the attacker’s code just the same. Either way, the script delivers the StealC V2 data-stealing malware.

Morphisec’s researchers noted overlaps with earlier campaigns attributed to Russian-speaking threat actors, including the evasion techniques used and the execution of the malware in the background.

Blender itself acknowledges the risk: its security documentation states that embedded Python scripts “do not restrict what a script can do.” There is no sandbox, so a script runs with the full privileges of the Blender process and of the user who launched it, which is exactly what the attackers rely on to execute arbitrary code.

The attack chain starts with a malicious “Rig_Ui.py” text block inside the .blend file. When it runs, it fetches a PowerShell script, which in turn downloads two ZIP archives containing the malware.
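For anyone who has to triage downloaded assets, here is an added example (written for this article; it is not code from Morphisec or the Blender project) that lists the Text datablocks embedded in a .blend file and flags script-like content without opening the file in Blender. It assumes the classic .blend block layout (a 12-byte header, then blocks of code, length, old pointer, SDNA index and count) and recovers each datablock’s name with a labelled heuristic rather than by parsing the DNA catalogue, so it cannot tell which text blocks carry the ‘Register’ flag. The sample file and the “Rig_Ui.py” body produced by build_sample() are constructed stand-ins, not the real loader.

```python
"""Offline triage of a .blend file: list embedded Text datablocks and flag
script-like content without opening the file in Blender. Added example for
this article (not Blender/Morphisec code); assumptions are marked inline."""
import gzip
import re
import struct

HEADER_LEN = 12                    # b"BLENDER" + ptr-size char + endian char + 3-char version
GZIP_MAGIC = b"\x1f\x8b"           # Blender <3.0 "Compress File" output
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"   # Blender 3.0+ compression; decompress externally first
_NAME_RE = re.compile(rb"TX([\x20-\x7e]{1,63})\x00")

# Strings a rig/UI helper script has no business containing; extend to taste.
SUSPICIOUS = ("subprocess", "os.system", "os.popen", "powershell", "cmd.exe", "/bin/sh",
              "urllib", "requests.", "http://", "https://", "base64", "exec(", "eval(",
              "ctypes", "winreg", "tempfile")

def _decompress(data: bytes) -> bytes:
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: run `zstd -d` on it first")
    return data

def iter_blocks(data: bytes):
    """Yield (code, sdna_index, payload) per file block. Assumed classic layout:
    12-byte header, then [code:4][len:i32][old_ptr:ptr][sdna:i32][count:i32][payload]."""
    if len(data) < HEADER_LEN or not data.startswith(b"BLENDER"):
        raise ValueError("not a .blend file (bad magic)")
    ptr = "Q" if data[7:8] == b"-" else "I"        # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"     # 'v' = little-endian, 'V' = big-endian
    fmt = f"{endian}4si{ptr}ii"
    head = struct.calcsize(fmt)
    pos = HEADER_LEN
    while pos + head <= len(data):
        code, length, _old, sdna, _count = struct.unpack_from(fmt, data, pos)
        pos += head
        if code == b"ENDB":
            return
        if length < 0 or pos + length > len(data):
            raise ValueError(f"truncated block {code!r} at offset {pos - head}")
        yield code, sdna, data[pos:pos + length]
        pos += length
    raise ValueError("no ENDB block: file is truncated")

def _text_name(payload: bytes) -> str:
    # Assumption: the Text struct begins with the ID struct, whose name[66] field
    # ("TX" + datablock name) follows a few pointer fields. Searching the first
    # 128 bytes avoids depending on the exact per-version DNA layout.
    m = _NAME_RE.search(payload[:128])
    return m.group(1).decode("ascii", "replace") if m else "<unnamed>"

def scan_blend(data: bytes) -> list:
    """Return one dict per Text datablock: name, source text, indicators hit."""
    texts, current = [], None
    for code, sdna, payload in iter_blocks(_decompress(data)):
        if code == b"TX\x00\x00":
            current = {"name": _text_name(payload), "lines": []}
            texts.append(current)
        elif code == b"DATA" and current is not None:
            # Each TextLine string is written as a raw DATA block (SDNA index 0) after the
            # TextLine structs (non-zero index). Other raw strings of the Text (file path,
            # custom properties) may also land here; they are harmless noise for triage.
            if sdna == 0 and payload.endswith(b"\x00"):
                current["lines"].append(payload[:-1].decode("utf-8", "replace"))
        else:
            current = None   # any other block ends the Text's run of DATA blocks
    for t in texts:
        t["source"] = "\n".join(t.pop("lines"))
        t["indicators"] = sorted(s for s in SUSPICIOUS if s in t["source"])
    return texts

def _block(code: bytes, payload: bytes, sdna: int = 0) -> bytes:
    return struct.pack("<4siQii", code, len(payload), 0, sdna, 1) + payload

def build_sample() -> bytes:
    """Constructed input (not a real-world sample) imitating a file that carries a
    registered script; the script body is a harmless stand-in for the loader."""
    lines = [b"import bpy, subprocess",
             b"def register():",
             b"    subprocess.Popen(['powershell', '-w', 'hidden', '-c', 'Write-Host stub'])"]
    id_struct = b"\x00" * 40 + b"TXRig_Ui.py".ljust(66, b"\x00") + b"\x00" * 32
    out = b"BLENDER-v402"                                              # 64-bit, little-endian
    out += _block(b"OB\x00\x00", b"\x00" * 40 + b"OBRig".ljust(66, b"\x00"), sdna=3)
    out += _block(b"DATA", b"not a script\x00")       # raw data of the object: must be ignored
    out += _block(b"TX\x00\x00", id_struct, sdna=42)
    out += b"".join(_block(b"DATA", b"\x00" * 32, sdna=7) for _ in lines)   # TextLine structs
    out += b"".join(_block(b"DATA", ln + b"\x00") for ln in lines)          # TextLine strings
    return out + _block(b"DNA1", b"SDNA") + _block(b"ENDB", b"")

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for t in scan_blend(raw):
        verdict = "SUSPICIOUS" if t["indicators"] else "ok"
        print(f"[{verdict}] Text '{t['name']}': {len(t['source'])} bytes, hits={t['indicators']}")
```

Run it as `python triage_blend.py model.blend`; with no argument it scans the constructed sample. Treat a hit as a reason to read the text block, not as a verdict: an attacker can obfuscate the strings, and a clean-looking block that has the Register flag set still runs when Auto Run is on. For the definitive list of auto-run candidates, open the file with `blender --disable-autoexec` and inspect the `use_module` property of each entry in `bpy.data.texts` from the Python console.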

One archive carries the StealC V2 payload; the second deploys a separate Python-based stealer. StealC V2, which received a major update in April 2025, has broad collection capabilities.

This malware can extract sensitive data from 23 browsers, over 100 web plugins, 15 cryptocurrency wallets, messaging apps, VPNs, and email clients.

Morphisec strongly advises keeping Blender’s ‘Auto Run Python Scripts’ preference disabled and allowing execution only for files whose source you explicitly trust (Blender’s file browser exposes this per file as the ‘Trusted Source’ option). Because Blender provides no sandbox for embedded scripts, that prompt is the only control between opening a downloaded asset and arbitrary code execution on the workstation. For render farms and other automated pipelines, launch Blender with --disable-autoexec, which overrides the saved preference for that session.

StealC V2 illustrates a broader trend: operators keep refining delivery and evasion tactics to get around conventional defenses, so controls and detection content have to keep pace.

Another example of this shift is the Matrix Push C2 platform, which uses browser notifications for fileless, cross-platform phishing. Sold as malware-as-a-service, it targets sensitive data including cryptocurrency wallets, a reminder of how varied criminal monetization has become. Recent findings on Matrix Push C2 detail how the platform compromises systems and exfiltrates data.