Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware
Cybersecurity researchers have disclosed details of a new campaign that has leveraged Blender Foundation files to deliver an information stealer known as StealC V2. "This ongoing operation, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader," Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News. "Users unknowingly
AI Analysis
Technical Summary
This ongoing cyber threat campaign leverages the Blender 3D creation suite's capability to embed and auto-execute Python scripts within .blend files, a feature designed for advanced rigging and automation tasks. Attackers upload malicious .blend files containing a Python script named "Rig_Ui.py" to popular free 3D asset marketplaces such as CGTrader. When unsuspecting users download and open these files with Blender's Auto Run feature enabled, the embedded script executes automatically, initiating a multi-stage infection chain. The script first runs a PowerShell command that downloads two ZIP archives: one containing the StealC V2 malware payload and another deploying a secondary Python-based stealer. StealC V2 is an advanced information stealer capable of extracting sensitive data from 23 different browsers, 100 web plugins and extensions, 15 cryptocurrency wallets, messaging platforms, VPN clients, and email applications. The campaign shares tactical similarities with previous operations attributed to Russian-speaking threat actors, including the use of decoy documents, evasive techniques, and background execution of malware. The attack exploits Blender's Auto Run feature, which, if enabled, allows arbitrary Python code execution without user interaction, posing a significant security risk. Blender's own documentation acknowledges this risk but balances it against the need for automation capabilities. The malware's ability to run on physical machines with GPUs helps it evade sandbox and virtual environment detection, increasing its effectiveness. The campaign has been active for at least six months, indicating sustained targeting of Blender users, particularly those sourcing 3D assets from third-party marketplaces. The absence of any authentication or complex exploitation step lowers the barrier to successful infection: the chain relies primarily on user trust and on Blender's configuration settings.
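The mechanism described above (a Python text block inside a .blend file that runs on open) can be triaged before a file is ever loaded into Blender. The script below is an added example, not code from Morphisec, Blender or the article; it does not parse the .blend block table (that needs the file's own DNA tables), but it handles gzip-wrapped files, checks the BLENDER magic, and scans the raw bytes for strings that indicate an embedded script with download or shell-execution behaviour. The indicator list, weights, thresholds and the in-memory sample files are constructed for this example.

```python
"""Heuristic triage of downloaded .blend files for embedded Python scripts.

Added example (not Morphisec's or Blender's code). A hit means "inspect the
file's Text editor with Auto Run disabled, or open it only in a sandbox";
it is not a malware verdict. Constructed indicators and sample data.
"""
from __future__ import annotations

import gzip
import re
from dataclasses import dataclass, field

BLEND_MAGIC = b"BLENDER"
GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # newer Blender versions can zstd-compress; needs an external library

# (regex over file bytes, weight, description) -- constructed heuristic list.
# "Rig_Ui.py" is the script name reported for this campaign.
INDICATORS = [
    (rb"import\s+bpy", 1, "embedded Blender Python script"),
    (rb"bpy\.app\.handlers", 2, "registers a load/frame handler (runs without a click)"),
    (rb"\bsubprocess\b|os\.system|os\.popen", 3, "spawns an external process"),
    (rb"powershell(\.exe)?", 4, "invokes PowerShell from Blender"),
    (rb"urllib|requests\.get|DownloadFile|Invoke-WebRequest|WebClient", 3, "downloads content"),
    (rb"base64\.b64decode|-EncodedCommand|-enc\b", 2, "decodes an encoded payload"),
    (rb"Rig_Ui\.py", 5, "script name reported in the StealC V2 campaign"),
]


@dataclass
class TriageResult:
    is_blend: bool
    compression: str
    score: int = 0
    findings: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.is_blend:
            return "not-a-blend-file"
        if self.score >= 6:
            return "suspicious"
        if self.score > 0:
            return "contains-script"
        return "no-script-indicators"


def load_blend_bytes(data: bytes) -> tuple[bytes, str]:
    """Return (decompressed bytes, compression label); refuse zstd explicitly."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data), "gzip"
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress with the zstandard package before triage")
    return data, "none"


def triage_blend(data: bytes) -> TriageResult:
    """Score a .blend file's bytes against the indicator list."""
    raw, compression = load_blend_bytes(data)
    result = TriageResult(is_blend=raw.startswith(BLEND_MAGIC), compression=compression)
    if not result.is_blend:
        return result
    for pattern, weight, description in INDICATORS:
        hits = re.findall(pattern, raw, flags=re.IGNORECASE)
        if hits:
            result.score += weight          # each indicator counts once, however often it appears
            result.findings.append(f"{description} (x{len(hits)})")
    return result


def triage_path(path: str) -> TriageResult:
    with open(path, "rb") as fh:
        return triage_blend(fh.read())


# --- constructed stand-ins for the test: header followed directly by script text.
# Real files carry a block table after the 12-byte header; the scan is byte-level so it does not care.
def _fake_blend(*text_blocks: bytes) -> bytes:
    return BLEND_MAGIC + b"-v402" + b"\x00" * 16 + b"\x00".join(text_blocks)


BENIGN_RIG = b"import bpy\nbpy.ops.object.select_all(action='DESELECT')\n"
SUSPICIOUS_RIG = (
    b"import bpy, subprocess\n"
    b"subprocess.Popen(['powershell', '-w', 'hidden', '-EncodedCommand', '<placeholder>'])\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", _fake_blend(BENIGN_RIG)),
                        ("suspicious", gzip.compress(_fake_blend(SUSPICIOUS_RIG)))):
        r = triage_blend(blob)
        print(f"{label}: verdict={r.verdict} score={r.score} compression={r.compression} findings={r.findings}")
```

Run it as `python triage_blend.py` for the constructed samples, or call `triage_path()` on a downloaded asset. Because Blender ships a command-line switch to disable script auto-execution (`blender --disable-autoexec`), a flagged file can still be opened for manual inspection of its Text editor without its scripts running.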
Potential Impact
European organizations using Blender for 3D modeling, animation, or content creation—especially those sourcing assets from third-party marketplaces—face significant risks of data exfiltration and system compromise. StealC V2's broad data-stealing capabilities threaten confidentiality by targeting browsers, cryptocurrency wallets, messaging apps, VPNs, and email clients, potentially exposing sensitive corporate information, intellectual property, and financial assets. The malware's stealthy execution on physical machines with GPUs complicates detection and response efforts. Industries such as media, gaming, design, and engineering, which heavily rely on Blender and third-party 3D assets, are particularly vulnerable. The campaign's persistence over six months suggests a well-resourced adversary capable of sustained espionage or financial theft operations. Compromise could lead to regulatory repercussions under GDPR due to data breaches, reputational damage, and financial losses. Additionally, the malware's ability to bypass sandboxing and virtual environment defenses increases the risk of widespread infection within organizations that do not enforce strict endpoint security policies. The attack vector exploiting Blender's Auto Run feature also highlights the risk of supply chain attacks via trusted software components, emphasizing the need for vigilance in asset sourcing and software configuration.
Mitigation Recommendations
European organizations should immediately disable Blender's Auto Run Python scripts feature unless absolutely necessary and only enable it for trusted files. Implement strict policies for sourcing 3D assets, favoring verified and reputable marketplaces, and conduct integrity checks on downloaded files. Employ endpoint detection and response (EDR) solutions capable of monitoring PowerShell activity and unusual Python script executions. Use application whitelisting to restrict execution of unauthorized scripts and binaries. Educate users, especially 3D artists and developers, about the risks of opening untrusted .blend files and encourage verification of asset provenance. Regularly update Blender to the latest versions, as future releases may include enhanced security controls or warnings related to script execution. Network segmentation can limit malware spread if a host is compromised. Monitor network traffic for connections to known StealC command and control servers or unusual data exfiltration patterns. Consider deploying sandbox environments for testing 3D assets before use in production. Finally, integrate Blender usage and asset sourcing into the organization's broader supply chain risk management and cybersecurity awareness programs.
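The EDR recommendation above (monitor PowerShell and unusual script execution) reduces, for this campaign, to one parent/child relationship: Blender spawning a script host whose command line downloads or decodes something. The following is an added example of that detection logic run over constructed process-creation events; it is not code from Morphisec or any EDR vendor. Field names follow the Sysmon Event ID 1 convention (`Image`, `ParentImage`, `CommandLine`) and are an assumption to adapt to your own telemetry; the indicator weights and severity thresholds are likewise constructed.

```python
"""Detect Blender spawning a script host with download/decode indicators.

Added example over constructed events, not code from Morphisec or an EDR
product. Field names follow Sysmon Event ID 1 (assumption); adapt as needed.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

BLENDER_IMAGES = ("blender.exe", "blender")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "wscript.exe", "mshta.exe")

# (regex over the command line, weight, reason) -- constructed list.
CMDLINE_INDICATORS = [
    (r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", 3, "remote download"),
    (r"-enc(odedcommand)?\b|frombase64string", 3, "encoded command"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"expand-archive|\.zip\b", 2, "archive handling"),
    (r"-nop\b|-noprofile|-ep\s+bypass|executionpolicy\s+bypass", 1, "profile/policy bypass"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate_event(event: dict) -> Optional[dict]:
    """Return an alert dict when Blender is the parent of a script host, else None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent not in BLENDER_IMAGES or image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    score, reasons = 1, ["script host spawned by Blender"]   # unusual on its own, hence a base score
    for pattern, weight, reason in CMDLINE_INDICATORS:
        if re.search(pattern, cmd, flags=re.IGNORECASE):
            score += weight
            reasons.append(reason)
    severity = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {
        "host": event.get("Computer", "?"),
        "pid": event.get("ProcessId"),
        "severity": severity,
        "score": score,
        "reasons": reasons,
        "command": cmd,
    }


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Alerts for all events, in input order, with non-matching events dropped."""
    return [alert for alert in map(evaluate_event, events) if alert]


# Constructed sample telemetry: one Blender->PowerShell chain with encoded,
# hidden-window execution; one Blender->bundled-python helper; one PowerShell
# download launched from Explorer (not Blender, so out of scope for this rule).
SAMPLE_EVENTS = [
    {"Computer": "ws-art-01", "ProcessId": 4212,
     "ParentImage": r"C:\Program Files\Blender Foundation\Blender\blender.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -w hidden -EncodedCommand <placeholder-base64>"},
    {"Computer": "ws-art-01", "ProcessId": 4213,
     "ParentImage": r"C:\Program Files\Blender Foundation\Blender\blender.exe",
     "Image": r"C:\Program Files\Blender Foundation\Blender\python\bin\python.exe",
     "CommandLine": "python.exe -c \"print('render helper')\""},
    {"Computer": "ws-dev-07", "ProcessId": 888,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} pid={alert['pid']} score={alert['score']} "
              f"reasons={', '.join(alert['reasons'])}")
```

The base score keeps every Blender-to-script-host spawn visible as a low-severity event, which is what you want while tuning: legitimate pipelines that launch Blender's bundled Python will show up there and can be allow-listed by command line, while the download and encoded-command indicators push the campaign's pattern to high.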
Affected Countries
Germany, France, United Kingdom, Netherlands, Poland, Italy, Spain, Sweden
Technical Details
- Article Source: https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html (fetched 2025-11-25T11:38:26.853Z, 996 words)
Threat ID: 69259532a8d212b827789180
Added to database: 11/25/2025, 11:38:26 AM
Last enriched: 11/25/2025, 11:38:44 AM
Last updated: 12/4/2025, 9:20:11 PM