Full Report
A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. [...]
Analysis Summary
# Tool/Technique: StealC V2 Information Stealer
## Overview
StealC V2 is an information stealer malware, observed being delivered via malicious Blender (.blend) files hosted on 3D model marketplaces. This campaign is linked to a Russian-affiliated threat actor. The latest variant used in this campaign represents an enhancement of the second major version of StealC, featuring expanded data-stealing capabilities and improved stealth.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Implied by use of PowerShell, %TEMP% folder, and UAC bypass)
- Capabilities: Credential theft, cryptocurrency wallet theft, exfiltration of data from numerous applications, server-side credential decryption.
- First Seen: The variant used in this campaign is a subsequent release of StealC V2; earlier StealC versions have been documented since 2023.
## MITRE ATT&CK Mapping
*Note: Specific mappings for the entire delivery chain are synthesized based on reported malicious activities.*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivery via malicious file)
- T1204 - User Execution
- T1204.002 - Malicious File
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1547 - Boot or Logon Autostart Execution
- T1547.001 - Registry Run Keys / Startup Folder (LNK files in Startup directory for persistence)
- T1027 - Obfuscated Files or Information (Use of Python scripts embedded in .blend files)
- T1555 - Credentials from Local System
- T1555.003 - Credentials from Password Stores (Stealing browser/wallet data)
- T1548 - Abuse Elevation Control Mechanism
- T1548.002 - Bypass User Account Control
## Functionality
### Core Capabilities
- **Data Exfiltration:** Targeting sensitive personal data stored on the victim's machine.
- **Credential Harvesting:** Stealing credentials from over 23 web browsers, including support for server-side credential decryption, compatible with Chrome 132+.
- **Cryptocurrency Theft:** Targeting over 100 cryptocurrency wallet browser extensions and more than 15 cryptocurrency wallet applications.
- **Application Targeting:** Stealing data from communication platforms (Telegram, Discord, Tox, Pidgin), VPN clients (ProtonVPN, OpenVPN), and mail clients (Thunderbird).
### Advanced Features
- **Evasion:** The analyzed variant was reported as undetected by security engines on VirusTotal, suggesting strong evasion capabilities against current AV products.
- **UAC Bypass:** The malware includes an updated User Account Control bypass mechanism.
- **Redundancy:** Deployment of an auxiliary Python stealer alongside the main StealC payload for redundancy.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Archives named `ZalypaGyliveraV1` and `BLENDERX`.
- Registry Keys: Not explicitly detailed, though persistence is achieved via LNK files in the Startup directory.
- Network Indicators: Malware loader fetched from a Cloudflare Workers domain (Defanged: `hxxp://<Cloudflare_Workers_Domain>`). Payload retrieval from attacker-controlled IPs.
- Behavioral Indicators: Execution of embedded Python scripts upon opening malicious `.blend` files (if Auto Run is enabled); creation of LNK files in the Startup directory (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`).
## Associated Threat Actors
- Russian-linked campaign/Threat Actor (Implied affiliation based on context).
## Detection Methods
- **Signature-based detection:** Current signature sets may be ineffective, as the analyzed variant evaded detection on VirusTotal.
- **Behavioral detection:** Monitoring for Python script execution triggered by opening Blender files, especially if the `Auto Run Python Scripts` feature is active. Look for processes fetching arbitrary content (loaders/scripts) from atypical sources.
- **YARA rules:** Not available in the context.
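The behavioral angle above comes down to one question an analyst has to answer before opening a downloaded `.blend` file: does it carry an embedded script at all, and what would that script do if Auto Run were enabled? The following triage helper is an added example, not code from the report or from Blender. It walks the block table of a classic 12-byte-header `.blend` file, lists the Text datablocks (ID code `TX`, the container Blender uses for scripts) and the printable line strings written after them, and flags tokens worth inspecting. It assumes that a Text's lines are stored as NUL-terminated `DATA` blocks following its `TX` block; `build_sample()` produces a constructed file, not a real sample.

```python
import struct

# Tokens that warrant a closer look when they appear in an embedded script.
SUSPICIOUS = ("subprocess", "powershell", "os.system", "urllib", "Startup")

def iter_blocks(data: bytes):
    """Yield (code, payload) for each file block of a classic-header .blend."""
    if data[:7] != b"BLENDER":
        raise ValueError("missing BLENDER magic")
    ptr = 4 if data[7:8] == b"_" else 8              # '_' = 32-bit pointers
    fmt = ("<" if data[8:9] == b"v" else ">") + "I"  # 'v' = little-endian
    off = 12
    while off + 16 + ptr <= len(data):
        code = data[off:off + 4]
        size, = struct.unpack(fmt, data[off + 4:off + 8])
        off += 16 + ptr                 # block header: code, size, old ptr, SDNA index, count
        yield code, data[off:off + size]
        if code == b"ENDB":
            break
        off += size

def embedded_scripts(data: bytes) -> list:
    """Return one list of printable lines per Text datablock (assumption: a Text's
    line strings are NUL-terminated DATA blocks following its TX block)."""
    scripts, current = [], None
    for code, payload in iter_blocks(data):
        if code == b"TX\x00\x00":
            current = []
            scripts.append(current)
        elif code != b"DATA":
            current = None              # next ID block ends this Text's data
        elif current is not None:
            line = payload.rstrip(b"\x00")
            if line and all(b == 9 or 32 <= b < 127 for b in line):
                current.append(line.decode("ascii"))
    return scripts

def flag_suspicious(scripts: list) -> list:
    """Sorted SUSPICIOUS tokens found in any embedded script line."""
    return sorted({t for lines in scripts for l in lines for t in SUSPICIOUS if t in l})

def build_sample() -> bytes:
    """Constructed test input (not a real sample): one Object, one Text block."""
    def block(code, payload):
        return code + struct.pack("<I", len(payload)) + b"\0" * 8 + struct.pack("<II", 0, 1) + payload
    lines = [b"import subprocess\0", b"subprocess.Popen(['powershell', '-c', 'Write-Output triage'])\0"]
    return (b"BLENDER-v300" + block(b"OB\0\0", b"\0" * 16) + block(b"DATA", b"\xff\x01\0\0")
            + block(b"TX\0\0", b"\0" * 32) + block(b"DATA", b"\x10\0\0\0" * 4)
            + b"".join(block(b"DATA", l) for l in lines) + block(b"ENDB", b""))
```

Run `flag_suspicious(embedded_scripts(open(path, "rb").read()))` over a downloaded file; an empty result from `embedded_scripts` means no Text datablocks, so there is nothing for Auto Run to execute.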
## Mitigation Strategies
- **Blender Configuration Hardening:** Users must explicitly disable the automatic execution of code within Blender by unchecking **'Auto Run Python Scripts'** found in `Blender > Edit > Preferences`.
- **Supply Chain Security:** Treat 3D assets (.blend files) sourced from public marketplaces (like CGTrader) as potentially executable content.
- **Sandboxing:** Utilize sandboxed environments for testing or opening any untrusted files originating from external sources or non-verified publishers.
## Related Tools/Techniques
- Other information-stealing malware families (e.g., RedLine, Vidar).
- Abuse of legitimate software functionality (Blender's Python scripting) to serve as a delivery vector (similar to malware distributed via malicious Office macros or malicious DLL side-loading).