Malicious Blender (.blend) model files are being used to spread the StealC V2 infostealer. Attackers embed Python scripts inside the 3D model files and upload them to asset marketplaces. When a user opens such a model in Blender, the embedded script runs as soon as the file loads if Blender's "Auto Run Python Scripts" preference is enabled, so the infection triggers with no prompt and nothing visible to the victim.
Researchers say the campaign is linked to Russian-speaking threat actors and has been active for months. Once opened, a malicious .blend file silently downloads a small loader, which starts a PowerShell-based infection chain in the background. Nothing is shown to the user, so there is little to notice.
The infection chain proceeds in stages. After fetching the loader, it downloads archives containing further components, unpacks them into temporary folders and registers them to run at startup so the infection survives a reboot. The end result is StealC V2 running alongside additional stealer tools.
StealC V2 is an updated version of the original StealC malware family. It uses heavier obfuscation to hinder analysis and encrypts its command-and-control traffic with RC4. RC4 is a weak cipher and offers no real protection against an analyst who recovers the key from a sample; its value to the attacker is that plain-text network signatures no longer match. The malware targets passwords, browser data, cryptocurrency wallets and system information.
The root of the risk is Blender's built-in Python scripting. A .blend file can carry Python in text datablocks that are flagged to register on load, and in driver expressions, so the script travels inside the project file itself. Many artists enable auto-run so that add-on and rig scripts work without a prompt, not realising that the setting applies to every file they open, including downloaded assets.
Security teams warn that 3D model files must now be treated like executable files: a creative format that can carry scripts is a program, whatever its extension. As more creative tools add scripting, attackers gain more such formats to abuse. This campaign shows how readily trust in downloaded assets can be exploited.
Experts recommend immediate steps for all Blender users. Disabling auto-run for Python scripts is the first and most important action: the setting is "Auto Run Python Scripts" under Edit > Preferences > Save & Load, it is off by default, and anyone who finds it enabled should ask why. Starting Blender with --disable-autoexec forces it off from the command line regardless of the saved preference. Do not open .blend files from untrusted sources or unknown marketplaces, and open suspicious assets only inside a virtual machine or sandbox.
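One way to act on the advice above, covering both the embedded-script mechanism described earlier and the "treat it like an executable" recommendation, is to triage a downloaded .blend file before Blender ever touches it. The scanner below is an added example written for this page, not code from the article, the researchers or the Blender project. It walks the classic .blend file-block layout, counts Text datablocks and checks DATA payloads for strings a scene file has no reason to contain. The watchlist, the constructed sample file and all function names are assumptions made for the example; it does not decode Blender's DNA structures and is a heuristic, not a parser.

```python
"""Heuristic triage of a .blend file without opening it in Blender.

Added example for this page, not code from the article or from Blender.
Layout assumptions (classic .blend files): a 12-byte header
"BLENDER" + pointer size ('_' = 4, '-' = 8) + endianness ('v' little,
'V' big) + 3-char version, followed by file blocks of
  4-byte code | int32 size | old pointer | int32 SDNA index | int32 count
and then `size` bytes of payload, until a block whose code is "ENDB".
Text datablocks carry the ID code "TX"; their lines live in separate
DATA blocks, which is why a plain payload scan finds script text.
"""
import gzip
import struct
import sys

# Constructed watchlist: strings a 3D scene has no reason to contain.
SUSPICIOUS = [
    b"import subprocess", b"subprocess.", b"import os", b"urllib.request",
    b"powershell", b"-WindowStyle Hidden", b"-EncodedCommand",
    b"CurrentVersion\\Run", b"%TEMP%", b"base64.b64decode",
]


def _raw_bytes(data: bytes) -> bytes:
    """Unpack gzip-compressed files (older Blender versions). Zstandard
    (Blender 3.0+) is out of scope here, so refuse it loudly rather than
    letting 'unreadable' pass as 'clean'."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("zstd-compressed .blend: decompress it first")
    return data


def scan_blend(data: bytes) -> dict:
    """Walk the file blocks and report Text datablocks and watchlist hits."""
    raw = _raw_bytes(data)
    if len(raw) < 12 or raw[:7] != b"BLENDER" or raw[7:8] not in (b"_", b"-"):
        raise ValueError("not a classic 12-byte .blend header")
    ptr = "Q" if raw[7:8] == b"-" else "I"
    endian = "<" if raw[8:9] == b"v" else ">"
    hdr = endian + "4si" + ptr + "ii"
    hdr_len = struct.calcsize(hdr)            # 20 (32-bit) or 24 (64-bit)

    report = {"version": raw[9:12].decode("ascii"), "text_blocks": 0, "hits": []}
    off = 12
    while off + hdr_len <= len(raw):
        code, size, _oldptr, _sdna, _count = struct.unpack_from(hdr, raw, off)
        off += hdr_len
        if code == b"ENDB":
            break
        payload = raw[off:off + size]
        off += size
        if code == b"TX\x00\x00":            # Text ID block
            report["text_blocks"] += 1
        elif code == b"DATA":                # text lines, arrays, drivers...
            report["hits"].extend(n.decode() for n in SUSPICIOUS if n in payload)
    return report


def is_suspicious(report: dict) -> bool:
    """Any watchlist hit is enough: open such a file only in a sandbox."""
    return bool(report["hits"])


def make_block(code: bytes, payload: bytes) -> bytes:
    """Build one 64-bit little-endian file block (used by the sample below)."""
    return struct.pack("<4siQii", code, len(payload), 0xDEADBEEF, 0, 1) + payload


def build_sample(compressed: bool = False) -> bytes:
    """Constructed stand-in for a booby-trapped file, not a real campaign
    sample: one Text datablock whose two lines, stored as separate DATA
    blocks the way Blender stores them, launch a hidden PowerShell process."""
    lines = [
        b"import subprocess\x00",
        b"subprocess.Popen(['powershell', '-WindowStyle', 'Hidden', '-File', stage])\x00",
    ]
    body = b"BLENDER-v401" + make_block(b"TX\x00\x00", b"\x00" * 64)
    for line in lines:
        body += make_block(b"DATA", line)
    body += make_block(b"ENDB", b"")
    return gzip.compress(body) if compressed else body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    rep = scan_blend(data)
    print(rep, "-> SUSPICIOUS" if is_suspicious(rep) else "-> no hits")
```

Run it as `python scan_blend.py suspect.blend` (the file name is an assumption). A hit means the file should be opened, if at all, only in a sandbox; a clean result does not replace disabling auto-run, because the scan is keyword-based, can be defeated by string obfuscation, and does not inspect driver expressions structurally.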
This attack highlights a growing trend in malware delivery: criminals are moving into creative workflows to target designers, developers and studios. As StealC V2 evolves, organisations need stronger controls around digital asset pipelines, because even 3D files are now part of the attack surface.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news