Ethical Hacking News
Cybersecurity researchers have uncovered a new campaign that uses Blender 3D assets to deliver an updated version of the StealC V2 malware. The attack highlights how open-source software can be misused as a delivery vector and underscores the need for vigilance against sophisticated cyber threats.
Hackers have hijacked Blender 3D assets to deploy an updated version of the StealC V2 malware. The attack involves uploading malicious .blend files to free 3D asset sites, bypassing traditional sandboxing techniques. The malicious files contain Python scripts that execute automatically when opened with Blender's Auto Run feature enabled. StealC V2 is capable of stealing sensitive data from infected systems, including data extraction from browsers and cryptocurrency wallet apps. Users are advised to disable the Auto Run feature unless they have verified the authenticity of the file source. Cybersecurity professionals must continue to monitor the threat landscape for emerging threats and develop effective countermeasures.
Cybersecurity researchers have uncovered a campaign that shows how open-source software can be misused by malicious actors: hackers have hijacked Blender 3D assets to deploy an updated version of the StealC V2 malware, which steals sensitive data from infected systems. The development underscores the importance of vigilance in protecting against sophisticated cyber threats.
The attack, which has been ongoing for at least six months, involves uploading malicious .blend files to free 3D asset sites such as CGTrader. These files contain a Python script that executes when the asset is opened in Blender, which lets the attackers bypass traditional sandboxing and retain control over compromised systems. The modus operandi is reminiscent of previous campaigns linked to Russian-speaking threat actors, which employed similar tactics involving decoy documents, evasive techniques, and background execution of malware.
In this instance, the malicious .blend files are embedded with Python scripts designed to execute automatically when the file is opened with Blender's Auto Run feature enabled. This is a significant security risk: Auto Run permits the execution of arbitrary Python, and that Python can be used to steal sensitive data from the compromised system.
The attack chain typically involves uploading the malicious .blend files to free 3D asset sites such as CGTrader. Upon opening these files with Blender, the "Rig_Ui.py" script is executed, which in turn fetches a PowerShell script that downloads two ZIP archives. One of these ZIP files contains a payload for StealC V2, while the second archive deploys a secondary Python-based stealer on the compromised host.
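The mechanism in the two paragraphs above is that a .blend file carries Python source as ordinary Text datablocks, which Blender executes on load when Auto Run is enabled. A defender can triage a downloaded asset without opening it in Blender at all, by walking the .blend file block structure directly and looking for scripts that register load handlers, spawn processes, or reach the network. The scanner below is an added example written for this article; it is not code from the article, from the researchers, or from Blender. It assumes the classic 12-byte .blend header (`BLENDER`, a pointer-size character, an endianness character and a three-digit version), handles gzip-compressed files, expects zstd-compressed files to be decompressed beforehand, and uses a heuristic for locating the datablock name and a constructed indicator list; the sample file it scans is built inline and is not a real asset or payload.

```python
"""Triage scanner for Python Text datablocks embedded in .blend files.

Added example (not the article's or Blender's own code). It parses the
.blend block layout itself and never executes anything from the file.
Assumptions: classic 12-byte header; gzip handled, zstd must be
decompressed first; name lookup and indicator list are heuristics.
"""
import gzip
import re
import struct
from dataclasses import dataclass, field

BLEND_MAGIC = b"BLENDER"
ID_TEXT = b"TX\x00\x00"  # block code of a Text datablock (an embedded script)

# Constructed indicator list: behaviour a rig/helper script has no business showing.
SUSPICIOUS_PATTERNS = {
    "autorun_handler": rb"bpy\.app\.handlers\.\w+\.append",
    "timer_registration": rb"bpy\.app\.timers\.register",
    "process_spawn": rb"\b(subprocess|os\.system|os\.popen|os\.exec\w*|ctypes)\b",
    "network": rb"\b(urllib|requests|socket|http\.client)\b",
    "powershell": rb"(?i)powershell",
    "obfuscation": rb"\b(base64\.b64decode|marshal\.loads|zlib\.decompress)\b|\b(exec|eval)\(",
}


@dataclass
class TextBlock:
    name: str
    source: bytes = b""
    indicators: list = field(default_factory=list)


def iter_blocks(data: bytes):
    """Yield (code, body) for each file block; stops at the ENDB block."""
    if len(data) < 12 or not data.startswith(BLEND_MAGIC):
        raise ValueError("not an uncompressed .blend file")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"  # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"    # 'v' = little-endian, 'V' = big-endian
    # Block header: code[4], size (int32), old pointer, SDNA index (int32), count (int32)
    hdr_fmt = f"{endian}4si{ptr_fmt}ii"
    hdr_len = struct.calcsize(hdr_fmt)
    off = 12
    while off + hdr_len <= len(data):
        code, size, _old_addr, _sdna, _count = struct.unpack_from(hdr_fmt, data, off)
        off += hdr_len
        yield code, data[off:off + size]
        if code == b"ENDB":
            return
        off += size


def _id_name(body: bytes) -> str:
    # Heuristic: the ID.name field ("TX" + name, NUL-terminated) sits near the start
    # of the TX block; its exact offset differs between Blender versions.
    m = re.search(rb"TX([\x20-\x7e]{1,64})\x00", body[:256])
    return m.group(1).decode("ascii") if m else "<unnamed>"


def _printable_segments(body: bytes):
    # The DATA blocks after a TX block hold TextLine structs and the line strings;
    # keep only NUL-terminated runs that look like text and drop the binary structs.
    for seg in body.split(b"\x00"):
        if seg and all(32 <= b < 127 or b in (9, 10, 13) for b in seg):
            yield seg


def extract_text_blocks(data: bytes) -> list:
    """Reassemble the source of every embedded script from its TX + DATA blocks."""
    blocks, current = [], None
    for code, body in iter_blocks(data):
        if code == ID_TEXT:
            current = TextBlock(name=_id_name(body))
            blocks.append(current)
        elif code == b"DATA" and current is not None:
            for seg in _printable_segments(body):
                current.source += seg + b"\n"
        else:
            current = None  # any other block ends this script's run of DATA blocks
    return blocks


def scan_blend(data: bytes) -> list:
    """Return every embedded script with the sorted list of indicators it triggered."""
    findings = []
    for tb in extract_text_blocks(data):
        tb.indicators = sorted(k for k, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, tb.source))
        findings.append(tb)
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] == b"\x1f\x8b":           # gzip-compressed .blend (older default)
        data = gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":   # zstd-compressed .blend (3.0+ default)
        raise ValueError("zstd-compressed .blend: decompress it before scanning")
    return scan_blend(data)


# ---- constructed sample file (not a real asset or payload) --------------------
def _block(code: bytes, body: bytes) -> bytes:
    # 64-bit little-endian block header; old address and SDNA index are irrelevant here
    return struct.pack("<4siQii", code, len(body), 0, 0, 1) + body


def _text_datablock(name: bytes, lines: list) -> bytes:
    id_body = b"\x00" * 32 + (b"TX" + name).ljust(66, b"\x00")  # ID struct stand-in
    out = _block(ID_TEXT, id_body)
    for line in lines:
        out += _block(b"DATA", b"\x01" * 32)   # TextLine struct stand-in (binary, skipped)
        out += _block(b"DATA", line + b"\x00")  # the line's NUL-terminated string
    return out


def build_sample_blend() -> bytes:
    """One benign helper script and one script that hooks file load and spawns PowerShell."""
    benign = [b"import bpy", b"bpy.context.object.location.x += 1.0"]
    suspicious = [
        b"import bpy, subprocess",
        b"def run(_dummy):",
        b"    subprocess.Popen(['powershell', '-Command', '<placeholder>'])",
        b"bpy.app.handlers.load_post.append(run)",
    ]
    return (b"BLENDER-v402"
            + _text_datablock(b"cube_helper.py", benign)
            + _text_datablock(b"Rig_Ui.py", suspicious)
            + _block(b"ENDB", b""))


if __name__ == "__main__":
    for tb in scan_blend(build_sample_blend()):
        print(f"{tb.name:16} {'SUSPICIOUS' if tb.indicators else 'ok':10} {', '.join(tb.indicators)}")
```

Run it on a real download with `scan_file("asset.blend")`; any script that triggers `autorun_handler` together with `process_spawn` or `network` deserves a closer look before the file is ever opened with Auto Run enabled. For opening untrusted assets, Blender's command-line option `--disable-autoexec` (`-Y`) forces scripts off for that session regardless of the saved preference.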
The updated version of StealC V2 announced in late April 2025 supports an array of information gathering features, including data extraction from 23 browsers, 100 web plugins and extensions, 15 cryptocurrency wallet apps, messaging services, VPNs, and email clients. This expanded feature set makes StealC V2 a more formidable tool for cyber attackers seeking to pilfer sensitive data.
Blender's own documentation has long highlighted the security risks associated with its ability to embed Python scripts within .blend files. In fact, Blender's documentation explicitly states that this capability poses a risk due to the lack of restriction on what a script can do. This warning is echoed by cybersecurity researchers, who caution users against enabling the Auto Run feature unless they are confident that the file source is trustworthy.
The attack on Blender highlights the importance of vigilance in protecting against sophisticated cyber threats. As open-source software continues to play a critical role in modern computing, it is essential for developers and end-users alike to remain aware of potential vulnerabilities and take proactive steps to secure their systems.
In this context, users are advised to exercise extreme caution when interacting with 3D assets downloaded from free websites such as CGTrader. To mitigate the risk associated with malicious .blend files, users should ensure that they disable the Auto Run feature unless they have verified the authenticity of the file source.
Furthermore, cybersecurity professionals and researchers must continue to monitor the threat landscape for emerging threats and develop effective countermeasures. By doing so, we can reduce the likelihood of successful attacks like this one abusing Blender and keep sensitive data from falling into the wrong hands.
In conclusion, the attack on Blender serves as a stark reminder of the importance of cybersecurity awareness and the need for vigilance in protecting against sophisticated cyber threats. As we navigate the ever-evolving threat landscape, it is essential that we remain proactive in our efforts to safeguard our systems and sensitive data.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Hijack-Blender-3D-Assets-to-Deploy-StealC-V2-A-Threat-That-Exposes-Vulnerabilities-in-Open-Source-Software-ehn.shtml
https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html
https://hivepro.com/threat-advisory/stealc-v2-a-sharpened-blade-in-the-info-stealing-arsenal/
https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc
Published: Tue Nov 25 06:47:56 2025 by llama3.2 3B Q4_K_M