Blender Files Hacked: Malicious 3D Models Exploit ‘Auto Run’ to Deploy StealC V2
A recent incident involving malicious files in the 3D-graphics ecosystem has revealed how vulnerable even familiar tools can become when used alongside automated features. On popular model-sharing platforms, attackers have begun uploading Blender projects that conceal StealC V2, a program notorious for silently harvesting data from a wide range of applications.
The attackers distribute counterfeit models on marketplaces such as CGTrader, disguising them as ordinary “.blend” files. The risk comes from Blender’s ability to execute Python code stored inside a project file, a feature intended for automation. When the Auto Run option is enabled, such files run their embedded scripts the moment they are opened, a convenience long embraced by many users and therefore highly attractive to threat actors.
Researchers at Morphisec found that the fraudulent projects contained an embedded script that downloaded a secondary payload from a domain hosted on Cloudflare Workers. This payload then retrieved a PowerShell component, which in turn downloaded two ZIP archives from attacker-controlled servers. Once the archives were extracted into the %TEMP% directory, the system was left with autorun shortcuts and two malicious modules: StealC itself, and an additional Python tool likely intended as a failsafe.
The current version of StealC is capable of gathering an extensive array of data, including information from browsers, cryptocurrency-wallet extensions, popular messengers, email clients, and VPN applications. It also incorporates improved methods for bypassing Windows User Account Control. According to Morphisec, the sample went undetected by all scanning engines on VirusTotal, indicating a high degree of stealth in these new variants.
Because user-submitted uploads on 3D-asset marketplaces undergo limited screening, the risk of hidden malicious code cannot be fully eliminated. The report’s authors recommend disabling Blender’s automatic script execution and opening unfamiliar files only within an isolated environment.
Such precautions reduce the likelihood of inadvertently triggering hidden instructions and encourage users to treat 3D assets with the same caution afforded to executable software.
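The advice above (treat a downloaded .blend like an executable, and inspect it before Blender ever runs it) can be partly automated without opening the file in Blender at all. The following is an added example, not code from the article or from Morphisec: it walks the classic .blend file-block layout (12-byte `BLENDER` header, then blocks with a 4-byte code, size, old pointer, SDNA index and count), lists the `TX` blocks that hold embedded Text datablocks, and greps the raw file for an illustrative set of Python markers. It assumes the classic header format, handles gzip-compressed saves, and refuses zstd-compressed ones rather than guessing. The sample file built by `build_sample_blend` is constructed for the test and is not a real Blender export; a real check of whether a Text datablock is flagged to register on load would require parsing the DNA catalogue, which this example deliberately does not attempt.

```python
"""Offline structural triage of a .blend file for embedded Text datablocks.

Assumptions (not from the article): classic 12-byte 'BLENDER' header and the
classic file-block layout; gzip-compressed saves are handled, zstd ones are
reported and left to an external decompressor. The sample file below is
constructed for testing and is not a real Blender export.
"""
import gzip
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"
# Illustrative strings a defender might look for in an embedded script; tune locally.
PY_MARKERS = (b"import bpy", b"bpy.app.handlers", b"subprocess",
              b"urllib", b"powershell", b"base64")


@dataclass
class Block:
    code: str        # 4-char block code, NUL padding stripped ("TX", "DATA", "ENDB", ...)
    size: int        # payload bytes following the block header
    sdna_index: int  # index into the DNA1 struct catalogue
    count: int       # number of structs in the payload
    offset: int      # payload offset in the decompressed stream


def _decompress(raw: bytes) -> bytes:
    """Return the uncompressed stream; classic saves may be gzip, 3.0+ may be zstd."""
    if raw.startswith(GZIP_MAGIC):
        return gzip.decompress(raw)
    if raw.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress with a zstd library first")
    return raw


def parse_blocks(raw: bytes) -> List[Block]:
    """Walk the file-block chain and return every block up to and including ENDB."""
    data = _decompress(raw)
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a classic .blend file (missing 'BLENDER' magic)")
    ptr_size = {b"_": 4, b"-": 8}.get(data[7:8])     # pointer width used when saved
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])   # byte order used when saved
    if ptr_size is None or endian is None:
        raise ValueError("unrecognised pointer-size/endianness byte in header")
    # Block header: code(4) size(4) old-pointer(ptr) sdna-index(4) count(4)
    fmt = endian + "4si" + ("I" if ptr_size == 4 else "Q") + "ii"
    hdr_len = struct.calcsize(fmt)
    blocks: List[Block] = []
    pos = 12
    while pos + hdr_len <= len(data):
        code, size, _old_ptr, sdna, count = struct.unpack_from(fmt, data, pos)
        code_s = code.rstrip(b"\x00").decode("ascii", "replace")
        if size < 0 or pos + hdr_len + size > len(data):
            raise ValueError(f"block {code_s!r} at offset {pos} overruns the file")
        blocks.append(Block(code_s, size, sdna, count, pos + hdr_len))
        pos += hdr_len + size
        if code_s == "ENDB":
            return blocks
    raise ValueError("no ENDB terminator; file truncated or corrupt")


def triage(raw: bytes) -> Dict[str, object]:
    """Count embedded Text datablocks and scan the whole stream for Python markers."""
    data = _decompress(raw)
    blocks = parse_blocks(raw)
    text_blocks = [b for b in blocks if b.code == "TX"]
    # Text lines live in DATA blocks that follow the TX block; a byte scan over the
    # whole stream is a cheap first pass that needs no DNA parsing.
    hits = sorted({m.decode() for m in PY_MARKERS if m in data})
    return {
        "text_datablocks": len(text_blocks),
        "markers": hits,
        "suspicious": bool(text_blocks) and bool(hits),
    }


def _block(code: bytes, payload: bytes) -> bytes:
    """Constructed 64-bit little-endian block header plus payload (test helper)."""
    return struct.pack("<4siQii", code.ljust(4, b"\x00"), len(payload), 0, 0, 1) + payload


def build_sample_blend(script: Optional[bytes] = None) -> bytes:
    """Constructed minimal .blend-shaped file; struct contents are faked."""
    body = b"BLENDER-v293"                      # 64-bit pointers, little-endian, v2.93
    body += _block(b"GLOB", b"\x00" * 16)
    if script is not None:
        body += _block(b"TX", b"\x00" * 32)     # Text ID block (contents faked)
        body += _block(b"DATA", script)         # where the text lines would live
    body += _block(b"DNA1", b"SDNA")
    body += _block(b"ENDB", b"")
    return body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

Run it as `python triage_blend.py model.blend` on a quarantined download before opening the file in Blender. A non-zero `text_datablocks` count is not proof of malice (many legitimate assets ship helper scripts), but combined with network or process-spawning markers it is a reason to open the file only with auto-execution disabled and in a sandbox, exactly as the report advises.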