Cybercriminals are exploiting Blender, a popular open-source 3D modeling software, to distribute the notorious StealC V2 infostealer. Threat actors are uploading malicious .blend files containing embedded Python scripts to asset platforms like CGTrader. When users open these files in Blender with the Auto Run Python Scripts feature enabled, the scripts execute automatically, compromising systems across Windows, macOS, and Linux. This sophisticated campaign, active for at least six months, has been linked to previous Russian-linked operations and poses a significant threat to the creative design community.
The campaign leverages .blend files weaponized to steal sensitive data, including passwords, cryptocurrency wallet information, and authentication credentials from various browsers and applications. Morphisec security researchers identified and tracked the operation, revealing connections to StealC V2, a potent information-stealing malware that has gained traction in underground criminal markets since its emergence in April 2025. This new vector highlights the evolving tactics of cybercriminals seeking to infiltrate networks through trusted software and platforms.
Understanding the Blender StealC V2 Infection Mechanism
The infection process begins when a user opens a compromised .blend file within Blender. If the Auto Run Python Scripts setting is enabled, an embedded Python script named Rig_Ui.py executes without user intervention. This initial script fetches a PowerShell loader from attacker-controlled remote servers. The loader then downloads several archive files, which contain a fully functional Python environment pre-configured with StealC V2 and additional components designed for data exfiltration.
Following the deployment of the malware, hidden shortcut files, identified by their .LNK extension, are created and copied into the Windows Startup folder. This persistence mechanism ensures that the StealC V2 infostealer automatically runs every time the infected system is rebooted, allowing the malware to maintain a foothold on the compromised machine. The entire attack chain is characterized by multiple layers of obfuscation and encrypted communication channels, making it particularly challenging for security systems to detect and analyze.
The Python scripts download their payloads over ChaCha20-encrypted channels, communicating with a command-and-control infrastructure the researchers refer to as Pyramid. This encryption further obscures the malicious traffic. StealC V2 is designed to target a wide range of sensitive information. It specifically aims to pilfer credentials from over 23 web browsers, more than 100 browser extensions, approximately 15 desktop cryptocurrency wallets, and popular messaging applications such as Telegram and Discord. VPN client credentials are also targeted as part of the information-gathering process.
Furthermore, StealC V2 incorporates updated techniques for privilege escalation, enabling it to gain higher levels of access on infected systems. This enhanced capability, combined with its ability to maintain low detection rates on security analysis platforms, allows the malware to effectively evade traditional security solutions. The continuous development and adaptation of StealC V2 underscore the persistent threat it poses to individuals and organizations reliant on digital security.
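Since the infection described above starts from a Python script embedded in the .blend file itself, an asset can be triaged before it is ever opened with auto-run enabled. The following Python script is an added example, not code from the article or from Morphisec: it walks the file-block table of an uncompressed .blend file and lists embedded Text datablocks (the datablock type that holds scripts such as Rig_Ui.py). It assumes the classic 12-byte BLENDER header, recovers names with a heuristic rather than parsing SDNA, only reports zstd-compressed saves instead of unpacking them, and the sample file bytes are constructed.

```python
import struct
from dataclasses import dataclass, field

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"   # Blender 3.0+ compressed saves; unpack before triage

@dataclass
class BlendTriage:
    version: str                  # 3-char version from the header, e.g. "280"
    compressed: bool = False      # zstd-packed file, block table not readable as-is
    text_blocks: list = field(default_factory=list)   # names of embedded Text datablocks

def _id_name(payload: bytes) -> str:
    # Heuristic, no SDNA parsing: the ID struct's name[66] starts with its two-char code
    # "TX" and only pointer fields precede it, so take the first "TX" + printable run.
    idx = payload.find(b"TX")
    while idx != -1:
        end = payload.find(b"\x00", idx)
        cand = payload[idx + 2:end] if end != -1 else b""
        if cand and all(32 <= c < 127 for c in cand):
            return cand.decode("ascii")
        idx = payload.find(b"TX", idx + 1)
    return "<unnamed>"

def triage_blend(data: bytes) -> BlendTriage:
    # Walk the file-block table and collect the name of every Text ("TX") datablock.
    if data.startswith(ZSTD_MAGIC):
        return BlendTriage(version="?", compressed=True)
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a classic .blend header")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"   # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"     # 'v' = little-endian, 'V' = big-endian
    result = BlendTriage(version=data[9:12].decode("ascii"))
    # Block header: code[4], size (int), old address (ptr), SDNA index (int), count (int)
    hdr = struct.Struct(f"{endian}4si{ptr_fmt}ii")
    pos = 12
    while pos + hdr.size <= len(data):
        code, size, _old, _sdna, _count = hdr.unpack_from(data, pos)
        pos += hdr.size
        if code == b"ENDB":
            break
        if code == b"TX\x00\x00":
            result.text_blocks.append(_id_name(data[pos:pos + size]))
        pos += size
    return result

def build_sample_blend() -> bytes:
    # Constructed sample: 64-bit little-endian 2.80 file holding one Text datablock.
    hdr = struct.Struct("<4siQii")
    id_struct = b"\x00" * 40 + b"TXRig_Ui.py".ljust(66, b"\x00")   # 5 pointers + name[66]
    return (b"BLENDER-v280" + hdr.pack(b"REND", 8, 0, 0, 1) + b"\x00" * 8
            + hdr.pack(b"TX\x00\x00", len(id_struct), 0, 0, 1) + id_struct
            + hdr.pack(b"ENDB", 0, 0, 0, 0))
```

A non-empty text_blocks list is not proof of malice, since many legitimate rigs ship helper scripts, but it marks the file as one that should be opened with auto-run disabled and the script reviewed first.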
Implications for the Creative Industry and Mitigation Advice
The exploitation of Blender represents a significant risk to the creative industry, an ecosystem that relies heavily on accessible and powerful open-source tools. Blender’s widespread adoption means that a large number of professionals and hobbyists are potentially vulnerable to this attack vector. The nature of the campaign, which involves distributing malicious assets through community platforms, erodes trust and creates a challenging environment for users seeking legitimate resources.
To mitigate the risks associated with this threat, users are strongly advised to disable Blender’s Auto Run Python Scripts feature, especially when downloading files from untrusted or community-driven sources. Exercising caution and employing robust security practices when downloading 3D models and assets from online platforms is paramount. Users should also ensure their security software is up-to-date and regularly scan their systems for potential infections.
The ongoing threat of StealC V2 and similar infostealers indicates a continued emphasis by threat actors on leveraging social engineering and exploiting trusted software supply chains. Future efforts by cybercriminals may involve similar tactics targeting other popular creative and development tools. Staying informed about emerging threats and adopting proactive security measures will be crucial for defending against these evolving cyberattacks.