A stealer hiding in Blender 3D models | Kaspersky official blog
Researchers have uncovered a campaign where free 3D models for Blender with embedded Python scripts are being used to distribute the StealC V2 infostealer.
AI Analysis
Technical Summary
Researchers have identified a malicious campaign that uses Blender 3D model files (.blend) with embedded Python scripts to distribute the StealC V2 infostealer. Blender, a widely used open-source 3D graphics and animation application, supports Python scripting for automating tasks. When the Auto Run Python Scripts preference is enabled, scripts embedded in a .blend file execute automatically as soon as the file is opened. The attackers uploaded free 3D models containing malicious scripts to popular marketplaces such as CGTrader. When a user downloads and opens one of these files with Auto Run enabled, the script contacts a remote server via a Cloudflare Workers domain, downloads a malware loader, and runs a PowerShell script that fetches further payloads. The final payload, StealC V2, is an advanced infostealer that extracts data from over 23 browsers, more than 100 browser extensions, 15 crypto wallet apps, and communication tools such as Telegram, Discord, and ProtonVPN. It also bypasses User Account Control (UAC), which improves its persistence and stealth. The campaign exploits the trust users place in free models and in Blender’s automation features, highlighting the risk of unmanaged open-source tools and unvetted third-party marketplaces. No software vulnerability is exploited: the attack abuses a legitimate feature combined with social engineering. No exploitation beyond this campaign has been reported. The core mitigation is to disable automatic script execution in Blender and to enforce strict software-usage policies within organizations.
Potential Impact
For European organizations, especially those in the creative, design, and visualization sectors that rely on Blender, this threat poses a significant risk of data exfiltration and espionage. The infostealer’s ability to harvest credentials, browser data, crypto wallets, and communication-app data can lead to intellectual property theft, financial loss, and exposure of sensitive corporate communications. The stealthy UAC bypass increases the likelihood of persistent infections. Organizations that run Blender without disabling Auto Run Python Scripts, or that lack controls on software downloads, are exposed. The threat also underscores a broader risk from unmonitored open-source tools and third-party content marketplaces, which can introduce malware outside the traditional IT security perimeter. Compromise of personal data could in turn raise compliance issues under GDPR. The impact extends beyond individual users to corporate networks if infected devices connect to internal resources, potentially facilitating lateral movement or further compromise.
Mitigation Recommendations
1. Immediately disable Blender’s Auto Run Python Scripts feature across all corporate installations to prevent automatic execution of embedded scripts.
2. Implement strict software usage policies that prohibit downloading or using unapproved third-party models or extensions, especially from open marketplaces.
3. Conduct thorough risk assessments and vetting of any new tools or content sources before adoption.
4. Deploy endpoint protection solutions capable of detecting and blocking PowerShell-based loaders and infostealer behaviors.
5. Enforce network segmentation and monitor outbound connections for suspicious activity, particularly connections to uncommon domains like Cloudflare Workers.
6. Provide targeted security awareness training to employees in creative departments about the risks of enabling automation features and downloading untrusted content.
7. Regularly audit and update security configurations on all workstations, ensuring least privilege principles and UAC settings are enforced.
8. Consider application whitelisting to restrict execution of unauthorized scripts or binaries.
9. Monitor threat intelligence feeds for updates on StealC variants and related campaigns to adapt defenses accordingly.
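Recommendation 1 turns the feature off globally; before anyone re-enables it for a specific file, it helps to know what that file would actually execute. The script below is an added example written for this page, not code from Kaspersky or from the Blender project. It assumes Blender's Python API as the editor understands it: `bpy.data.texts` lists the text datablocks embedded in a file, `Text.use_module` is the Text editor's "Register" flag that makes a text run at load time, and drivers whose `driver.type` is `'SCRIPTED'` carry Python expressions; `--disable-autoexec` is Blender's own command-line switch. The sample texts, driver expressions and indicator patterns are constructed for illustration and are not indicators from the campaign.

```python
"""Audit a .blend file for what Blender would execute under Auto Run Python Scripts:
registered text datablocks and scripted drivers. Added example; assumes the bpy
attributes named below. Inside Blender (file scripts stay disabled while inspecting):
    blender --background --disable-autoexec model.blend --python blend_autoexec_audit.py
Outside Blender the same logic runs against the constructed sample at the bottom."""
import re
from dataclasses import dataclass

# Generic "fetches and runs code" markers: heuristics, not IoCs from any campaign.
SUSPICIOUS_PATTERNS = [
    r"\b(urllib|requests|socket|subprocess|ctypes|base64)\b",
    r"\b(exec|eval|compile)\s*\(",
    r"\bos\.(system|popen|startfile)\b",
    r"__import__",
    r"powershell",
    r"https?://",
]
_SUSPICIOUS = re.compile("|".join(SUSPICIOUS_PATTERNS), re.IGNORECASE)
_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class EmbeddedText:
    name: str
    registered: bool  # Text.use_module, the Text editor's "Register" flag
    source: str


@dataclass
class ScriptedDriver:
    owner: str        # e.g. "objects:Cube"
    data_path: str
    expression: str


@dataclass
class Finding:
    severity: str     # "high" | "medium" | "low"
    kind: str
    where: str
    detail: str


def suspicious_hits(code):
    """Distinct, lower-cased indicator matches found in a piece of code."""
    return sorted({m.group(0).lower() for m in _SUSPICIOUS.finditer(code)})


def audit_texts(texts):
    """Registered texts run at load under autoexec, so they are always reported;
    unregistered texts are reported only when they carry indicators."""
    findings = []
    for t in texts:
        hits = suspicious_hits(t.source)
        if t.registered:
            findings.append(Finding("high" if hits else "medium", "registered-text", t.name,
                                    "runs at file load; hits=" + (",".join(hits) or "none")))
        elif hits:
            findings.append(Finding("medium", "embedded-text", t.name,
                                    "not registered, but contains " + ",".join(hits)))
    return findings


def audit_drivers(drivers):
    """Blender evaluates simple arithmetic drivers natively; anything beyond that
    needs the Python interpreter, so every scripted driver is listed for review."""
    findings = []
    for d in drivers:
        hits = suspicious_hits(d.expression)
        detail = f"expression={d.expression!r}" + (f"; hits={','.join(hits)}" if hits else "")
        findings.append(Finding("high" if hits else "low", "scripted-driver",
                                f"{d.owner}[{d.data_path}]", detail))
    return findings


def audit(texts, drivers):
    return audit_texts(texts) + audit_drivers(drivers)


def max_severity(findings):
    return max((f.severity for f in findings), key=_RANK.__getitem__, default="none")


def collect_from_blender():
    """Read texts and scripted drivers from the file Blender has open (needs bpy)."""
    import bpy  # only importable inside Blender
    texts = [EmbeddedText(t.name, t.use_module, t.as_string()) for t in bpy.data.texts]
    drivers = []
    for coll in ("objects", "materials", "node_groups", "meshes", "shape_keys"):
        for idb in getattr(bpy.data, coll):
            anim = getattr(idb, "animation_data", None)
            for fc in (anim.drivers if anim else []):
                if fc.driver.type == 'SCRIPTED':
                    drivers.append(ScriptedDriver(f"{coll}:{idb.name}", fc.data_path,
                                                  fc.driver.expression))
    return texts, drivers


# Constructed sample standing in for a downloaded model; not real campaign content.
SAMPLE_TEXTS = [
    EmbeddedText("rig_ui.py", True, "import bpy\n\nclass RigPanel(bpy.types.Panel):\n    bl_label = 'Rig'\n"),
    EmbeddedText("setup.py", True, "import urllib.request, subprocess\nSTAGE = 'https://example.invalid/stage'\n"),
    EmbeddedText("notes.txt", False, "Model by Example Studio, CC0\n"),
]
SAMPLE_DRIVERS = [
    ScriptedDriver("objects:Cube", "rotation_euler", "frame / 24"),
    ScriptedDriver("objects:Cube", "location", "exec(code)"),
]

if __name__ == "__main__":
    try:
        texts, drivers = collect_from_blender()      # inside Blender: the opened file
    except ImportError:
        texts, drivers = SAMPLE_TEXTS, SAMPLE_DRIVERS  # elsewhere: constructed sample
    results = audit(texts, drivers)
    for f in sorted(results, key=lambda f: -_RANK[f.severity]):
        print(f"[{f.severity:<6}] {f.kind:<16} {f.where}: {f.detail}")
    print("overall:", max_severity(results))
```

A registered text is reported even when it looks benign, because under Auto Run it executes regardless of content; the indicator list only adjusts the severity. Whether a workstation has the feature on at all can be read inside Blender from `bpy.context.preferences.filepaths.use_scripts_auto_execute`, which is the preference recommendation 1 asks to disable.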
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Poland
Technical Details
- Article source: https://www.kaspersky.com/blog/malicious-blender-model-files/54948/ (fetched 2025-12-10T18:06:24.764Z, 1025 words)
Threat ID: 6939b6a0fe7b3954b6891b08
Added to database: 12/10/2025, 6:06:24 PM
Last enriched: 12/10/2025, 6:06:45 PM
Last updated: 12/11/2025, 6:10:42 AM