- Hackers have launched a campaign using malicious .blend files to spread the StealC V2 information stealer.
- The attack targets users downloading 3D assets from sites like CGTrader, relying on embedded Python scripts executed by Blender software.
- The Malware steals data from browsers, cryptocurrency wallets, messaging apps, VPNs, and email clients.
- The campaign shows links to previous Russian-speaking threat actors known for similar tactics.
- Blender’s Auto Run feature enables the automatic execution of harmful scripts contained in .blend files.
Cybersecurity researchers uncovered a campaign active for over six months exploiting Blender Foundation’s file format. Malicious .blend files were distributed on platforms such as CGTrader. When opened using the Blender 3D creation suite with its Auto Run feature enabled, these files execute embedded Python scripts designed to install the StealC V2 information stealer.
The attackers upload .blend files containing a harmful script named “Rig_Ui.py.” Upon opening, this script runs automatically and triggers a PowerShell command that downloads two ZIP archives. One contains the StealC V2 payload, while the other installs a secondary Python-based stealer on the infected device. StealC V2 gathers information from 23 web browsers, 100 plugins and extensions, 15 cryptocurrency wallet applications, various messaging services, VPN software, and email clients.
According to statements from Morphisec researcher Shmuel Uzan, this campaign shares tactics with a previous operation linked to Russian-speaking threat groups. Similarities include the use of decoy documents, stealth techniques, and background malware execution. Those earlier attacks impersonated organizations like the Electronic Frontier Foundation (EFF) to target online gamers.
The risk arises because Blender permits Python scripts inside .blend files for advanced tasks like character rigging and automation. This capability also allows arbitrary scripts to run, which can be exploited if the Auto Run option is turned on. Blender has acknowledged this security risk on its official documentation, explaining the unrestricted nature of embedded Python scripts.
Users are advised to keep the Auto Run feature disabled unless files are from trusted sources to reduce infection risk. Attackers leverage Blender’s typical use on physical machines with GPUs to bypass Sandbox and virtual environments, increasing the potential impact of this malicious campaign. For further details, see the Morphisec report and Blender’s security documentation.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Bitcoin Survives 21 Crashes, Eyes $105K by Early 2026
- Tech-Led Gains Paused as AI, Rate Cut Hopes and Data Add Volatility
- UAE’s New Law Brings DeFi, Web3 Under Central Bank Rules
- Monero 0.18.3.4 Released; New Wallets, Apps & Merchant Tools
- South Africa Signs MoU with BRICS NDB to Boost Infrastructure Funding
