Russian StealC V2 Malware Hides Inside Blender Files And Targets 3D Artists Worldwide


Introduction: The Silent Threat Lurking Inside 3D Models

A growing number of digital artists rely on Blender files shared across global marketplaces to speed up sculpting, animation, or rigging tasks. Yet inside this creative ecosystem, a new cyber threat has been quietly spreading. A Russian-linked hacking group is now weaponizing Blender’s powerful scripting abilities, turning harmless-looking 3D assets into malware delivery systems that steal browser data, crypto wallets, messaging credentials, and VPN access. This attack does not rely on fake installers or trojanized plugins. Instead, it hides inside scenes, rigs, and models downloaded by unsuspecting artists. The result is a dangerous blend of creativity and exploitation that threatens both freelancers and major studios.

Main Summary: How StealC V2 Slipped Into the 3D Modeling World

The Rising Abuse of Blender’s Python Engine

Blender is not just a modeling tool. It is a programmable platform capable of running Python code for UI customization, rig automation, rendering flows, and pipeline integration. Many artists enable Auto Run so Python scripts can load character controls automatically, saving time during production.

Auto Run: Convenience Turned Attack Vector

The same automation that speeds up workflows becomes a security risk when malicious actors inject harmful code into .blend files. Once Auto Run is active, the user never sees the hidden script execute in the background. It loads quietly, performing tasks that look routine but are anything but.

Malicious Blender Files Found on 3D Marketplaces

Morphisec researchers discovered weaponized Blender assets uploaded to major platforms such as CGTrader. These files were designed not to break rigs but to exploit trust. When opened, they triggered Python scripts that connected to a Cloudflare Workers domain controlled by the attackers.

From Cloudflare Workers to a Malware Loader

The malicious script inside the .blend file downloaded a loader that then delivered a PowerShell payload. This payload was responsible for fetching two ZIP files: ZalypaGyliveraV1 and BLENDERX. Both came from attacker-operated IP addresses.

Payload Deployment and Startup Persistence

Once extracted into the %TEMP% directory, the malware planted LNK files into the Startup folder, ensuring it launched every time Windows booted. This persistence tactic is simple but highly effective.
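The Startup-folder shortcut persistence described above is easy to audit. The script below is an added example written for this article (it is not Morphisec's tooling or part of the reported sample): it parses `.lnk` files directly according to the published MS-SHLLINK layout, so it needs no COM or pywin32 and can be exercised on any operating system, and it flags shortcuts whose target, relative path or arguments point into a Temp directory or launch a script host. Assumptions: only the LinkFlags, LinkInfo LocalBasePath and the RELATIVE_PATH/ARGUMENTS string fields are read (ExtraData is ignored), the Startup folder paths are the standard per-user and all-users locations, and the sample shortcut is constructed for the test.

```python
"""Audit Windows Startup folders for .lnk files that point into %TEMP%.
Added example (not from the article or Morphisec); parses MS-SHLLINK directly."""
import os
import struct
from pathlib import Path

# LinkFlags bits from the MS-SHLLINK specification.
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80

# Substrings that make a Startup shortcut worth a closer look (lower-cased match).
SUSPICIOUS = ("\\temp\\", "powershell", "pythonw", "wscript", "mshta", "cmd.exe")


def parse_lnk(blob: bytes) -> dict:
    """Return target, relative_path and arguments from a shell link (.lnk)."""
    if blob[:4] != b"L\0\0\0" or len(blob) < 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C                                   # fixed ShellLinkHeader size
    info = {"target": None, "relative_path": None, "arguments": None}
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo holds the local base path
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<IIIII", blob, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath present
            end = blob.index(b"\0", pos + base_off)
            codec = "mbcs" if os.name == "nt" else "latin-1"
            info["target"] = blob[pos + base_off:end].decode(codec)
        pos += size

    def read_string() -> str:
        nonlocal pos
        n = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            s = blob[pos:pos + 2 * n].decode("utf-16-le")
            pos += 2 * n
        else:
            s = blob[pos:pos + n].decode("latin-1")
            pos += n
        return s

    # StringData fields appear in this fixed order, each only if its flag is set.
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon")):
        if flags & bit:
            info[key] = read_string()
    return info


def assess(info: dict) -> list:
    """List the SUSPICIOUS markers found in any string field of a parsed link."""
    haystack = " ".join(v for v in info.values() if isinstance(v, str)).lower()
    return [s for s in SUSPICIOUS if s in haystack]


def startup_folders() -> list:
    """Standard per-user and all-users Startup folders that exist on this host."""
    folders = []
    if os.environ.get("APPDATA"):
        folders.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if os.environ.get("PROGRAMDATA"):
        folders.append(Path(os.environ["PROGRAMDATA"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return [f for f in folders if f.is_dir()]


def scan_startup() -> list:
    """Return (path, parsed_info, markers) for every flagged Startup shortcut."""
    findings = []
    for folder in startup_folders():
        for lnk in folder.glob("*.lnk"):
            try:
                info = parse_lnk(lnk.read_bytes())
            except ValueError:
                continue
            hits = assess(info)
            if hits:
                findings.append((str(lnk), info, hits))
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (RELATIVE_PATH + ARGUMENTS only) for offline testing."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = (b"L\0\0\0" + bytes.fromhex("0114020000000000c000000000000046")
              + struct.pack("<I", flags))
    header += b"\0" * (0x4C - len(header))

    def s(x: str) -> bytes:
        return struct.pack("<H", len(x)) + x.encode("utf-16-le")

    return header + s(relative_path) + s(arguments)


# Constructed sample: a shortcut reaching into AppData\Local\Temp (hypothetical name).
SAMPLE_LNK = build_lnk(r"..\..\..\..\Local\Temp\update\run.exe", "--quiet")

if __name__ == "__main__":
    for path, info, hits in scan_startup():
        print(path, info, hits)
```

Run it as a scheduled check or from an EDR script host; a shortcut whose only purpose is to start something from Temp is rarely legitimate, and the parsed arguments field is where hidden-window launcher switches show up.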

Two-Stealer Strategy for Redundancy

The attackers deployed both StealC V2 and a secondary Python-based stealer. The second payload likely served as a backup in case StealC was detected or failed to initialize.

StealC V2: The Most Advanced Variant Yet

According to Morphisec and earlier research by Zscaler, this campaign uses the newest StealC V2 release. It features expanded data-stealing capabilities that threaten a wide spectrum of digital activity.

Targets Inside StealC’s New Arsenal

StealC V2 is capable of extracting data from:

More than twenty-three browsers, including Chrome 132 and above

Over one hundred crypto wallet extensions and more than fifteen standalone crypto wallet apps

Communication tools such as Telegram, Discord, Tox, and Pidgin

VPN clients including ProtonVPN and OpenVPN

Mail clients like Thunderbird

A More Aggressive UAC Bypass Mechanism

The latest variant includes an updated User Account Control bypass, enabling privilege-sensitive execution without alerting the victim.

StealC Remains Undetected by Major Antivirus Tools

Although the StealC family has been documented since 2023, Morphisec reported that the sample in their investigation received zero detection hits on VirusTotal. This near-complete invisibility increases the risk drastically.

Why 3D Marketplaces Cannot Catch This Threat

Marketplaces such as CGTrader, Turbosquid, and others cannot feasibly inspect Blender files for malicious embedded code. Their systems are built for asset distribution, not deep behavioral analysis. This makes the ecosystem dependent on user caution.

Protecting Yourself From Blender Malware

Experts strongly recommend disabling Python Auto Run by navigating to:
Blender > Edit > Preferences > Uncheck “Auto Run Python Scripts”.

Treat 3D Assets Like Executable Software

Because .blend files can run code, they should be handled with the same caution as .exe files. Only download assets from verified creators, and test unfamiliar files inside sandboxed or isolated environments.
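A practical way to act on the advice above, and on the Auto Run risk described earlier, is to look inside a downloaded `.blend` file without ever opening it in Blender. The script below is an added example written for this article (it is not Blender's or Morphisec's code): it reads the `.blend` container format directly, counts the embedded Text datablocks (the `TX` blocks where scripts live) and scans the decompressed bytes for strings typical of run-on-load or network-reaching scripts. Assumptions: the classic 12-byte `BLENDER` header with 4-byte block sizes, gzip compression for older files (zstd-compressed files from newer Blender releases are reported and must be decompressed first), and a constructed minimal sample file for the test. A marker hit is a reason to read the text block, not proof of malice.

```python
"""Offline triage of a .blend file for embedded Python text datablocks.
Added example (not Blender's or Morphisec's tooling); nothing in the file is executed."""
import gzip
import struct
import sys
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"

# Strings common in scripts that hook file load or reach the network.
MARKERS = (b"bpy.app.handlers", b"load_post", b"subprocess", b"urllib",
           b"socket", b"powershell", b"os.system", b"exec(", b"base64")


def _decompress(data: bytes) -> bytes:
    """Undo gzip compression; refuse zstd so the caller decompresses explicitly."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress with 'zstd -d' first")
    return data


def parse_header(data: bytes):
    """Return (pointer_size, endian_prefix, version) from the 12-byte header."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    pointer_size = 8 if data[7:8] == b"-" else 4   # '-' = 64-bit, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"      # 'v' = little, 'V' = big endian
    version = data[9:12].decode("ascii")
    return pointer_size, endian, version


def iter_blocks(data: bytes):
    """Yield (code, payload) for each file block; stops after ENDB."""
    pointer_size, endian, _ = parse_header(data)
    header_len = 16 + pointer_size   # code(4) size(4) old_addr(ptr) sdna(4) count(4)
    offset = 12
    while offset + header_len <= len(data):
        code = data[offset:offset + 4]
        size = struct.unpack(endian + "i", data[offset + 4:offset + 8])[0]
        start = offset + header_len
        yield code, data[start:start + size]
        if code == b"ENDB":
            return
        offset = start + size


def triage(raw: bytes) -> dict:
    """Summarise a .blend: version, number of Text datablocks, block codes, marker hits."""
    data = _decompress(raw)
    _, _, version = parse_header(data)
    codes = Counter()
    text_blocks = 0
    for code, _payload in iter_blocks(data):
        codes[code.rstrip(b"\0").decode("ascii", "replace")] += 1
        if code[:2] == b"TX":          # Text datablock: embedded script or notes
            text_blocks += 1
    markers = [m for m in MARKERS if m in data]
    return {"version": version, "text_blocks": text_blocks,
            "block_codes": dict(codes), "markers": markers}


def _block(code: bytes, payload: bytes, pointer_size: int = 8) -> bytes:
    """Build one little-endian file block (constructed test data)."""
    return (code.ljust(4, b"\0") + struct.pack("<i", len(payload))
            + b"\0" * pointer_size + struct.pack("<ii", 0, 1) + payload)


# Constructed minimal .blend: one object, one Text datablock whose lines (kept in a
# DATA block) register a load_post handler, then the ENDB terminator.
SAMPLE_BLEND = (b"BLENDER-v303"
                + _block(b"OB", b"\0" * 16)
                + _block(b"TX", b"\0" * 8)
                + _block(b"DATA", b"import bpy\nbpy.app.handlers.load_post.append(on_load)\n")
                + _block(b"ENDB", b""))

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

A file that contains no `TX` blocks cannot carry a startup script, so the count alone answers the common case; when it is non-zero, open the file with Auto Run disabled and read the text blocks in Blender's Text Editor before enabling anything.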

What Undercode Says:

A New Class of Supply Chain Attack Has Emerged

This campaign represents a shift in malware distribution strategy. Attackers no longer focus solely on traditional entry points like email attachments or cracked software. Instead, they are blending into niche ecosystems, exploiting trust within creative communities. The use of Blender files is no accident. Artists frequently download rigs, models, and animation tools from strangers, creating a perfect infiltration path.

Why StealC V2 Is Dangerous in Professional Pipelines

3D artists often work inside production environments that connect to cloud studios, asset servers, and shared workstations. A compromised machine can expose internal projects, login credentials, and company VPNs. StealC’s wide data theft capabilities make it especially harmful in collaborative environments where multiple tools and services remain logged in.

The Python Auto Run Feature Is an Underestimated Risk

Blender is powerful because it lets creators build custom tools. Yet this flexibility introduces script automation that many users do not fully understand. Auto Run acts like macro auto-execution in office documents. If enabled, it creates an invisible attack vector that requires no user interaction.

The Malware’s Use of Cloudflare Workers Shows Growing Sophistication

Routing initial loaders through Cloudflare infrastructure is a clever tactic. It masks the attacker’s true IP address, blends traffic into legitimate cloud patterns, and complicates threat attribution. This tactic is becoming increasingly common in modern malware operations.

3D Marketplaces Are Now Part of the Cyber Threat Landscape

Platforms built for creative exchange now face security challenges traditionally associated with software repositories. Since they cannot scan embedded Python code without altering file integrity, malicious uploads become almost impossible to detect without external tools.

StealC’s Zero Detection on VirusTotal Reveals a Larger Problem

Modern stealers evolve quickly. Many variants are polymorphic and use server-side components to decrypt stolen credentials, creating a moving target that antivirus signatures cannot keep up with. StealC V2 demonstrates how malware families can remain active for years while still bypassing most security engines.

Creative Tools Are Becoming Cyber Attack Surfaces

As AI, 3D modeling, and digital content creation platforms integrate scripting environments, attackers will increasingly exploit these ecosystems. Blender is only the beginning. Tools like Unreal Engine, Unity, Maya, and Houdini also use scripting systems that could be abused similarly.

Organizations Must Treat Creative Software Like Developer Platforms

Security teams often overlook art departments, assuming they pose minimal cybersecurity risk. This belief is outdated. Any software that runs scripts, loads external modules, or interacts with cloud resources must be monitored like a development tool. Ignoring this creates blind spots.

Future Attacks Will Likely Combine Social Engineering With Asset Distribution

Attackers may start posing as talented artists offering free rigs, stylized characters, or procedural assets to drive downloads. Social trust, not technical delivery, will be the real weapon.

🔍 Fact Checker Results

StealC V2 attacks through Blender files are verified by Morphisec researchers. ✅

The malware successfully avoids detection on VirusTotal. ✅

Blender marketplaces cannot automatically scan Python code inside .blend files. ✅

📊 Prediction

Attackers will continue leveraging creative tools as distribution channels, and the next wave of malware will likely target AI model files, Unreal Engine projects, and Unity packages. 🎯
As antivirus tools struggle to detect polymorphic stealers, security teams will shift focus toward behavior monitoring instead of signature detection. 🔐
Blender users and 3D platforms will eventually adopt file sandboxing and automated script-blocking features to counter rising threats. 🛡️


References:

Reported By: www.bleepingcomputer.com