Nov 25, 2025Ravie LakshmananMalware / Browser Safety
Cybersecurity researchers have disclosed particulars of a brand new marketing campaign that has leveraged Blender Basis information to ship an info stealer often called StealC V2.
“This ongoing operation, energetic for not less than six months, entails implanting malicious .mix information on platforms like CGTrader,” Morphisec researcher Shmuel Uzan mentioned in a report shared with The Hacker Information.
“Customers unknowingly obtain these 3D mannequin information, that are designed to execute embedded Python scripts upon opening in Blender — a free, open-source 3D creation suite.”
The cybersecurity firm mentioned the exercise shares similarities with a previous marketing campaign linked to Russian-speaking menace actors that concerned impersonating the Digital Frontier Basis (EFF) to focus on the net gaming group and infect them with StealC and Pyramid C2.
This evaluation is predicated on tactical similarities in each campaigns, together with utilizing decoy paperwork, evasive strategies, and background execution of malware.
The most recent set of assaults abuses the power to embed Python scripts in .mix information like character rigs which might be robotically executed when they’re opened in situations the place the Auto Run choice is enabled. This habits might be harmful because it opens the door to the execution of arbitrary Python scripts.
The safety threat has been acknowledged by Blender in its personal documentation, which states: “The power to incorporate Python scripts inside blend-files is efficacious for superior duties comparable to rigging and automation. Nonetheless, it poses a safety threat since Python doesn’t prohibit what a script can do.”
The assault chains primarily contain importing malicious .mix information to free 3D asset websites comparable to CGTrader containing a malicious “Rig_Ui.py” script, which is executed as quickly as they’re opened with Blender’s Auto Run function enabled. This, in flip, fetches a PowerShell script to obtain two ZIP archives.
Whereas one of many ZIP information incorporates a payload for StealC V2, the second archive deploys a secondary Python-based stealer on the compromised host. The up to date model of StealC, first introduced in late April 2025, helps a variety of knowledge gathering options, permitting knowledge to be extracted from 23 browsers, 100 net plugins and extensions, 15 cryptocurrency pockets apps, messaging companies, VPNs, and e mail purchasers.
“Preserve Auto Run disabled except the file supply is trusted,” Morphisec mentioned. “Attackers exploit Blender that usually runs on bodily machines with GPUs, bypassing sandboxes and digital environments.”
