

Ethical Hacking News

Morphisec Warns of StealC V2 Malware Spread Through Weaponized Blender Files




A recent report by cybersecurity firm Morphisec has revealed a sophisticated malware operation that uses weaponized Blender files to spread the StealC V2 infostealer. The campaign, which has been ongoing for at least six months, targets 3D model marketplaces and abuses the free, open-source 3D creation suite's ability to run Python scripts embedded in .blend files, a legitimate feature rather than a vulnerability.



  • A sophisticated malware campaign is spreading through weaponized Blender files uploaded to 3D model marketplaces such as CGTrader.
  • Russian threat actors are behind the operation, which abuses Blender's Python scripting feature to deliver the StealC V2 infostealer.
  • StealC V2 has expanded its theft capabilities, supporting data exfiltration from multiple browsers and crypto-wallet extensions.
  • Morphisec warns users to exercise caution when working with Blender files from untrusted sources, since many StealC V2 samples have a very low detection ratio on VirusTotal.
  • Users should keep Blender's Auto Run preference disabled unless the file source is trusted, because that setting is what allows an embedded script to execute when the file is opened.



    A recent report by cybersecurity firm Morphisec has revealed that a sophisticated malware campaign is spreading through weaponized Blender files, specifically targeting 3D model marketplaces such as CGTrader. The operation, which has been ongoing for at least six months, abuses the popular free, open-source 3D creation suite's ability to run Python scripts embedded in .blend files to deliver the StealC V2 infostealer.

    According to Morphisec, Russian threat actors are behind this campaign. They upload weaponized .blend files containing Python scripts that execute automatically when the file is opened in Blender with Auto Run enabled. The embedded code downloads a PowerShell loader, which in turn retrieves ZIP archives containing StealC and an auxiliary Python stealer. The payload is extracted to %TEMP%, establishes persistence via hidden LNK files in the Startup folder, and uses the Pyramid C2 framework to fetch encrypted modules.
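    The Startup persistence described above leaves a shortcut file behind, and a shortcut is a parseable artifact. The script below is an added example, not code from Morphisec's report: it reads the fields that matter for triage from a .lnk according to the MS-SHLLINK layout (skipping the IDList and LinkInfo sections by their size prefixes to reach the StringData), grades the shortcut against a hypothetical list of PowerShell and LOLBin patterns of my own choosing, and can sweep the current user's Startup folder on Windows, where it also reports whether the .lnk file itself carries the hidden attribute. The sample shortcut is constructed by build_lnk() so the parser runs offline; it is not a file from the campaign.

```python
import os
import re
import struct
from pathlib import Path
from typing import Optional

# LinkFlags bits and header layout follow MS-SHLLINK; only what is needed to
# reach the StringData section is modelled here.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILE_ATTRIBUTE_HIDDEN = 0x02
SW_SHOWMINNOACTIVE = 7  # window starts minimized: a common hide-the-console trick

# Hypothetical triage patterns, matched against the lower-cased string fields.
# They are my own list, not indicators from Morphisec's report.
SUSPICIOUS_PATTERNS = {
    "powershell": r"powershell(?:\.exe)?\b",
    "encoded_command": r"-enc(?:odedcommand)?\b",
    "expression_eval": r"\biex\b|invoke-expression",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "policy_bypass": r"-e(?:p|xecutionpolicy)\s+bypass",
    "temp_path": r"%temp%|\\appdata\\local\\temp\\",
    "lolbin": r"\b(?:cmd\.exe\s*/c|wscript|cscript|mshta|rundll32)\b",
}


def _read_string(data: bytes, pos: int, unicode: bool):
    """Read one StringData entry: a 2-byte character count followed by the text."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields, ShowCommand and target attributes of a .lnk."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags, target_attrs = struct.unpack_from("<II", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList by its 2-byte size prefix
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # skip LinkInfo; its first dword is its own total size
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"show_command": show_command,
              "target_hidden_attr": bool(target_attrs & FILE_ATTRIBUTE_HIDDEN)}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = ""
        if flags & bit:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return fields


def assess_lnk(fields: dict) -> list:
    """Names of the patterns the shortcut trips, plus the minimized-window trick."""
    blob = " ".join(fields[k] for k in ("relative_path", "working_dir", "arguments",
                                        "icon_location")).lower()
    reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, blob)]
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("show_command_minimized")
    return reasons


def sweep_startup(folder: Optional[Path] = None) -> list:
    """Scan a Startup folder (default: the current user's on Windows) for flagged shortcuts."""
    if folder is None:
        folder = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
                  / "Start Menu" / "Programs" / "Startup")
    findings = []
    for path in folder.glob("*.lnk"):
        try:
            fields = parse_lnk(path.read_bytes())
        except ValueError:
            continue
        reasons = assess_lnk(fields)
        # st_file_attributes exists only on Windows; elsewhere the hidden check is skipped.
        if getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN:
            reasons.append("lnk_file_hidden")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons, **fields})
    return findings


def build_lnk(arguments: str = "", relative_path: str = "", working_dir: str = "",
              show_command: int = 1) -> bytes:
    """Constructed minimal Unicode .lnk (StringData only) so parse_lnk can run offline."""
    flags, body = IS_UNICODE, b""
    for bit, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                      (HAS_ARGUMENTS, arguments)):
        if text:
            flags |= bit
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0)
              + b"\x00" * 24 + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))
    return header + body


if __name__ == "__main__":
    sample = build_lnk("-w hidden -enc SQBFAFgA", show_command=SW_SHOWMINNOACTIVE,
                       relative_path=r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    print(assess_lnk(parse_lnk(sample)))
    for hit in sweep_startup():
        print(hit["path"], hit["reasons"])
```

    The parser deliberately ignores the ExtraData blocks that follow StringData, since the launch command lives in the string fields. Run it on a machine you suspect, then compare any flagged shortcut's target and arguments with what the user actually installed; a shortcut with a hidden attribute that starts PowerShell minimized with an encoded command has no legitimate reason to sit in Startup.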

    StealC V2, the updated version of the stealer analyzed by Zscaler, significantly expands its theft capabilities, supporting data exfiltration from over 23 browsers with server-side credential decryption (including Chrome 132+), more than 100 crypto-wallet extensions and 15 wallet apps, as well as messaging and VPN clients such as Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and Thunderbird. It also features an improved UAC bypass.

    Morphisec warns that many of the StealC V2 samples its researchers found on VirusTotal have an extremely low detection ratio, underscoring the need for users to exercise caution when working with Blender files from untrusted sources.

    The attackers abuse Blender's ability to run Python scripts, a legitimate feature that enables automation and add-ons rather than a vulnerability in Blender itself; the same feature lets a malicious file deliver malware to anyone who opens it with script execution allowed.

    "Keep Auto Run disabled unless the file source is trusted," Morphisec researchers recommend. They also note that Blender typically runs on physical, GPU-equipped workstations, which works in the malware's favour: analysis sandboxes rarely present such hardware, so a payload that lands on a real Blender host evades sandboxed analysis. The attack vector is narrow, but users who handle third-party Blender files must remain vigilant.
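    Before opening a marketplace .blend with Auto Run enabled, a triage pass over the file itself is cheap. The script below is an added example, not code from Morphisec or from the Blender project: it unwraps gzip or zstd compression, sweeps the file for lines that look like Python source (Blender stores each line of a Text datablock as its own string, so a strings-style sweep recovers them without a full DNA parser), and grades the file against a hypothetical set of indicators of my own choosing (shell launch, PowerShell, download combined with dynamic exec). The sample inputs are constructed inline and are not files from the campaign.

```python
import gzip
import re
import sys

# File signatures: uncompressed saves begin "BLENDER"; older Blender versions
# gzip-compressed saves, and Blender 3.0+ uses zstd for compressed saves.
BLEND_MAGIC, GZIP_MAGIC, ZSTD_MAGIC = b"BLENDER", b"\x1f\x8b", b"\x28\xb5\x2f\xfd"

# Hypothetical triage indicators for an embedded Python dropper (my own list,
# not IOCs from Morphisec's report). Byte patterns, so no decoding is needed.
INDICATORS = {
    "process_launch": rb"\b(?:subprocess\.(?:Popen|run|call|check_output)|os\.(?:system|popen|startfile))\b",
    "powershell": rb"(?i)powershell(?:\.exe)?\b|-EncodedCommand\b|\bIEX\b|Invoke-Expression",
    "download": rb"\b(?:urllib\.request|requests\.(?:get|post)|http\.client|socket\.create_connection)\b",
    "dynamic_exec": rb"\b(?:exec|eval)\(|\bbase64\.b64decode\(",
    "auto_trigger": rb"bpy\.app\.(?:handlers\.load_post|timers\.register)",
    "persistence_path": rb"(?i)%TEMP%|\\Startup\\|\.lnk\b|Start Menu",
}
INDICATORS = {name: re.compile(pat) for name, pat in INDICATORS.items()}


def decompress_blend(data: bytes) -> bytes:
    """Unwrap gzip/zstd and verify the BLENDER header; raises ValueError otherwise."""
    if data.startswith(GZIP_MAGIC):
        data = gzip.decompress(data)
    elif data.startswith(ZSTD_MAGIC):
        try:
            import zstandard  # third-party: pip install zstandard
        except ImportError as exc:
            raise RuntimeError("zstd-compressed .blend; install 'zstandard' to scan it") from exc
        data = zstandard.ZstdDecompressor().decompressobj().decompress(data)
    if not data.startswith(BLEND_MAGIC):
        raise ValueError("not a .blend file (no BLENDER header)")
    return data


def extract_code_lines(raw: bytes) -> list:
    """Printable runs of 8+ bytes that contain a Python-looking token, for the report."""
    runs = re.findall(rb"[\x09\x20-\x7e]{8,}", raw)
    wanted = re.compile(rb"\b(?:import|bpy|exec|subprocess|powershell|def|lambda)\b")
    return [run.decode("ascii") for run in runs if wanted.search(run)]


def scan_blend(data: bytes) -> dict:
    """Map indicator name -> sorted unique matched strings found in the file."""
    raw = decompress_blend(data)
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0).decode("latin-1") for m in pattern.finditer(raw)})
        if found:
            hits[name] = found
    return hits


def verdict(hits: dict) -> str:
    """Add-ons legitimately import bpy and register handlers, so those only earn
    'review'; spawning a shell/PowerShell, or download plus dynamic exec, is 'suspicious'."""
    if "process_launch" in hits or "powershell" in hits:
        return "suspicious"
    if "download" in hits and "dynamic_exec" in hits:
        return "suspicious"
    return "review" if hits else "clean"


# Constructed samples: a fake header plus NUL-separated lines mimicking a dropper
# text block and a harmless add-on. Neither is a real .blend or a campaign file.
CONSTRUCTED_BLEND = b"BLENDER-v305TEXT\x00" + b"\x00".join([
    b"import base64, subprocess",
    b"ps = base64.b64decode('d2hvYW1p').decode()",
    b"subprocess.Popen(['powershell', '-w', 'hidden', '-enc', ps])",
]) + b"\x00ENDB"
CONSTRUCTED_ADDON = (b"BLENDER-v305TEXT\x00import bpy\x00"
                     b"bpy.app.handlers.load_post.append(on_load)\x00ENDB")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_blend(fh.read())
        print(path, verdict(hits), hits)
    if not sys.argv[1:]:
        print(verdict(scan_blend(CONSTRUCTED_BLEND)), scan_blend(CONSTRUCTED_BLEND))
```

    Run it as `python scan_blend.py model.blend`. A 'review' verdict on a file that ships an add-on is expected; a 'suspicious' verdict on something sold as a static model is exactly the case the report describes. The sweep is heuristic and can be defeated by obfuscation (source assembled at runtime from chr() calls, or stored compressed inside the text block), so a 'clean' result does not replace keeping Auto Run disabled for files from untrusted sources.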

    Morphisec also links StealC V2 to earlier Russian operations, including fake EFF lures targeting Albion Online players that likewise relied on Pyramid C2. The shared tooling provides fresh evidence tying the Blender campaign to those previous attacks.

    To avoid falling victim to this malware campaign, users are advised to exercise caution when working with Blender files from untrusted sources and to keep Auto Run disabled unless the file source is trusted.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Morphisec-Warns-of-StealC-V2-Malware-Spread-Through-Weaponized-Blender-Files-ehn.shtml

  • https://securityaffairs.com/185052/cyber-crime/stealc-v2-malware-spread-through-weaponized-blender-files.html

  • https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html

  • https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/


  • Published: Tue Nov 25 09:41:24 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.