StealC Malware Delivered via Malicious Blender Model Files
Category:Threat Alerts
A Russian-linked campaign delivers the latest StealC V2 infostealer through malicious Blender .blend files uploaded to major 3D model marketplaces such as CGTrader. The malware abuses Blender’s Auto Run Python Scripts feature to execute embedded code as soon as the file is opened, mapping to MITRE ATT&CK techniques T1204 (User Execution) and T1059 (Command and Scripting Interpreter). Researchers observed that Auto Run, often enabled by users for convenience, lets threat actors trigger malicious payloads without any further user interaction.

The attack chain begins with a malicious Blender file containing Python scripts that fetch a malware loader from Cloudflare Workers. The loader retrieves two ZIP archives—ZalypaGyliveraV1 and BLENDERX—from attacker-controlled servers. These archives drop LNK files into the Startup directory for persistence while deploying two payloads: StealC V2 and an auxiliary Python-based stealer. StealC V2 supports exfiltration from 23+ browsers, over 100 crypto wallet extensions, Telegram, Discord, Pidgin, multiple VPN clients, and email clients such as Thunderbird, making it a high-impact infostealer with broad data theft capability.

The business implications are significant: StealC enables credential harvesting, session hijacking, crypto theft, and direct compromise of communication tools used in corporate workflows. Its ability to evade detection—the sample showed no detections on VirusTotal at the time of analysis—creates a window of opportunity for widespread compromise. Organizations employing 3D artists, animators, VFX studios, game developers, or product designers are at heightened risk because of their heavy reliance on community 3D asset repositories. Misuse of Auto Run Python scripts in creative pipelines can lead to compromise of enterprise endpoints and cloud resources.
Mitigation requires disabling Blender’s Auto Run Python Scripts feature, scanning 3D asset files in sandboxed environments, and implementing application allowlisting to block unauthorized script execution. Enterprises should enhance monitoring for suspicious persistence mechanisms such as newly created LNK files in Startup folders and deploy behavioral detection for Python-based loaders. Developers and creative teams should rely only on verified asset publishers and treat third-party 3D models as untrusted executables requiring screening.
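The screening step above (treating third-party .blend files as untrusted executables) can be started before a file ever reaches Blender, because the scripts Auto Run executes are stored as Text datablocks inside the file. The following triage scanner is an added example written for this alert, not code from the researchers or from the Blender project. It parses the classic 12-byte .blend header and walks the file blocks, counts embedded Text datablocks (block code `TX`) and searches every block body for tokens that are typical of downloaders but unusual in rig or add-on scripts. The token list, the verdict names and the `build_sample_blend` helper (which constructs a minimal, artificial file for testing rather than a real Blender export) are all assumptions of this example; compressed .blend files must be decompressed first, and newer Blender releases may write a different header variant that this parser rejects.

```python
import struct

# Tokens common in droppers and rare in the rig/add-on scripts that legitimate
# model files carry (assumption: adjust to what your own pipeline ships).
SUSPICIOUS_TOKENS = (
    b"import subprocess", b"import urllib", b"import requests", b"urlopen(",
    b"os.system(", b"base64.b64decode(", b"exec(", b"\\Startup",
    b"bpy.app.handlers.load_post",
)

def parse_blend_header(data):
    """Parse the classic 12-byte header: b'BLENDER', pointer size ('_' = 4,
    '-' = 8), endianness ('v' little, 'V' big) and a 3-character version.
    Compressed files must be decompressed first (gzip before 3.0, zstd after)."""
    if data[:7] != b"BLENDER":
        if data[:2] == b"\x1f\x8b" or data[:4] == b"\x28\xb5\x2f\xfd":
            raise ValueError("compressed .blend: decompress before scanning")
        raise ValueError("not a .blend file")
    psize = {b"_": 4, b"-": 8}.get(data[7:8])
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])
    if psize is None or endian is None:
        raise ValueError("unrecognised .blend header variant")
    return psize, endian, data[9:12].decode("ascii")

def iter_blocks(data):
    """Yield (code, body) for each file block. A block header is: 4-byte code,
    int32 length, old pointer (4 or 8 bytes), int32 SDNA index, int32 count."""
    psize, endian, _ = parse_blend_header(data)
    hlen = 4 + 4 + psize + 4 + 4
    off = 12
    while off + hlen <= len(data):
        code = data[off:off + 4]
        size = struct.unpack(endian + "i", data[off + 4:off + 8])[0]
        if size < 0:
            raise ValueError("corrupt block length")
        yield code, data[off + hlen:off + hlen + size]
        if code == b"ENDB":
            break
        off += hlen + size

def scan_blend(data):
    """Count embedded Text datablocks (code 'TX') and search every block body
    for SUSPICIOUS_TOKENS; script lines live in DATA blocks after the TX block."""
    text_blocks = 0
    hits = set()
    for code, body in iter_blocks(data):
        if code[:2] == b"TX":
            text_blocks += 1
        for tok in SUSPICIOUS_TOKENS:
            if tok in body:
                hits.add(tok.decode())
    if text_blocks and hits:
        verdict = "suspicious"
    elif text_blocks:
        verdict = "scripts-present"
    else:
        verdict = "no-scripts"
    return {"text_blocks": text_blocks, "hits": sorted(hits), "verdict": verdict}

def build_sample_blend(script_lines, psize=8, endian="<"):
    """Constructed test input (not a real Blender export): header, one TX block,
    one DATA block per script line, then ENDB. Real files also contain DNA1,
    GLOB and many other blocks, which the scanner simply walks past."""
    def block(code, body):
        return (code + struct.pack(endian + "i", len(body)) + b"\0" * psize
                + struct.pack(endian + "ii", 0, 1) + body)
    out = b"BLENDER" + (b"-" if psize == 8 else b"_") + (b"v" if endian == "<" else b"V") + b"402"
    if script_lines:
        out += block(b"TX\0\0", b"\0" * 16)
    for line in script_lines:
        out += block(b"DATA", line.encode() + b"\0")
    return out + block(b"ENDB", b"")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(scan_blend(f.read()))
    else:
        print(scan_blend(build_sample_blend(["import subprocess", "subprocess.Popen(...)"])))
```

A "scripts-present" verdict is not a detection on its own, since rigs and add-ons legitimately embed Python; it is the signal to route the file into the sandbox review the alert recommends instead of opening it on a workstation with Auto Run enabled. The scanner deliberately ignores the Text datablock's auto-run ("register") flag, which would require parsing the file's DNA catalogue, because an actor can also trigger execution through handlers or drivers.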
CORTEX Protocol Intelligence Assessment
Business Impact: StealC V2 enables theft of credentials, session tokens, crypto wallets, and corporate communication data, posing severe financial and operational risks. Creative industry environments and VFX pipelines are particularly exposed, with potential compromise extending to cloud storage and collaborative platforms.
Technical Context: The malware abuses Blender’s Auto Run scripting to execute Python loaders that fetch multi-stage payloads. Persistence is achieved via LNK file drops, and its capabilities map to MITRE ATT&CK T1204 and T1059. StealC V2 targets browsers, wallets, messaging clients, and VPN software.
Strategic Intelligence Guidance
- Disable Auto Run Python Scripts in Blender and require sandbox analysis before opening third-party .blend files.
- Use application allowlisting to block unauthorized Python execution and detect malicious LNK persistence files.
- Deploy endpoint protections tuned for script-based loaders and credential-stealing behaviors across creative environments.
- Limit use of unverified 3D model sources and enforce secure sourcing policies for digital assets.
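The LNK persistence this campaign uses is one of the easier stages to hunt for, because a Startup shortcut records its target binary and command-line arguments in a documented structure (MS-SHLLINK). The script below is an added example for this alert, not tooling from the researchers or the vendor: it parses the shortcut header, LinkInfo (LocalBasePath) and StringData fields, walks the per-user and all-users Startup folders, and reports shortcuts that launch a script host such as pythonw.exe, pass a .py file or encoded command, point into a user-writable directory, or were modified recently. The host list, the argument markers, the 72-hour window and the `build_sample_lnk` helper (which constructs an artificial shortcut for testing; the paths in it are placeholders, not indicators from the campaign) are assumptions of this example.

```python
import os
import struct
import time

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Interpreters and LOLBins that a legitimate Startup shortcut rarely launches directly.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
ARG_MARKERS = (".py", "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden") + USER_WRITABLE

def parse_lnk(data):
    """Minimal MS-SHLLINK parser: header, optional IDList (skipped), LinkInfo
    (LocalBasePath only) and the StringData fields. Returns a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    result = {"local_base_path": None}
    if flags & 0x02:  # HasLinkInfo
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x01 and lbp_off:  # VolumeIDAndLocalBasePath
            end = data.index(b"\0", off + lbp_off)
            result["local_base_path"] = data[off + lbp_off:end].decode("cp1252", "replace")
        off += li_size
    unicode = bool(flags & 0x80)  # IsUnicode: StringData is UTF-16LE
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if unicode else 1
            raw = data[off:off + n * width]
            result[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
            off += n * width
    return result

def assess_startup_lnk(parsed):
    """Heuristic triage of a parsed Startup shortcut; returns the reasons it
    stood out (an empty list means nothing did)."""
    target = (parsed.get("local_base_path") or parsed.get("relative_path") or "").lower()
    args = (parsed.get("arguments") or "").lower()
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is a script host ({exe})")
    if any(m in args for m in ARG_MARKERS):
        reasons.append("arguments reference a script, an encoded/hidden command or a user-writable path")
    if any(m in target for m in USER_WRITABLE):
        reasons.append("target binary lives in a user-writable directory")
    return reasons

def scan_startup_dirs(max_age_hours=72):
    """Walk the per-user and all-users Startup folders (assumption: standard
    %APPDATA% / %PROGRAMDATA% layout) and return [(path, reasons)] findings."""
    dirs = [os.path.join(os.environ[v], "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
            for v in ("APPDATA", "PROGRAMDATA") if os.environ.get(v)]
    cutoff = time.time() - max_age_hours * 3600
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    reasons = assess_startup_lnk(parse_lnk(f.read()))
            except (OSError, ValueError) as e:
                reasons = [f"unparseable: {e}"]
            if os.path.getmtime(path) > cutoff:
                reasons.append(f"modified within the last {max_age_hours}h")
            if reasons:
                findings.append((path, reasons))
    return findings

def build_sample_lnk(local_base_path, arguments, relative_path=None):
    """Constructed .lnk bytes for testing (not captured from the campaign):
    header, a minimal LinkInfo carrying LocalBasePath, then StringData."""
    flags = 0x02 | 0x20 | 0x80 | (0x08 if relative_path else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\0" * (0x4C - 24)
    lbp = local_base_path.encode("cp1252") + b"\0"
    link_info = struct.pack("<IIIIIII", 0x1C + len(lbp) + 1, 0x1C, 0x01, 0, 0x1C, 0,
                            0x1C + len(lbp)) + lbp + b"\0"
    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    out = header + link_info
    if relative_path:
        out += sd(relative_path)
    return out + sd(arguments)

if __name__ == "__main__":
    for path, reasons in scan_startup_dirs():
        print(path, "->", "; ".join(reasons))
```

Run on a schedule or from an EDR custom-script hook, the findings feed the "newly created LNK files in Startup folders" monitoring the assessment asks for; a shortcut that both points at pythonw.exe and passes a .py under %APPDATA% deserves the same handling as a dropped executable.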
Intelligence Source: StealC Malware Delivered via Malicious Blender Model Files | Nov 25, 2025