Cybersecurity researchers disclosed a campaign that leverages Blender .blend files to deliver the information stealer StealC V2, a Morphisec researcher said in a report. The researcher said the operation has been active for at least six months.
The campaign implants malicious .blend files on free 3D asset sites. Users who download the 3D models can trigger embedded Python scripts when they open the files in Blender with the Auto Run option enabled; Blender’s documentation states that including Python scripts in blend-files poses a security risk because scripts can run unrestricted code.
Morphisec researchers described attack chains that place a malicious “Rig_Ui.py” script in uploaded rigs. That script executes on file open when Auto Run is enabled, fetches a PowerShell script and downloads two ZIP archives, one of which contains a payload for StealC V2 and the other a secondary Python-based stealer.
The activity shares tactical similarities with an earlier campaign linked to Russian-speaking threat actors, including the use of decoy documents, evasive techniques and background execution of malware, Morphisec said. The company also noted the attackers’ use of impersonation and targeted communities in prior operations.
Morphisec said the updated StealC V2, first announced in late April 2025, supports a broad set of data-extraction features, including harvesting information from 23 browsers, about 100 web plugins and extensions, 15 cryptocurrency wallet apps, messaging services, VPNs and email clients.
Morphisec advised keeping Blender’s Auto Run disabled unless a file’s source is trusted and warned that attackers exploit Blender installations on physical machines with GPUs to evade sandboxing and virtual environments.
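A pre-open triage check for the advice above, added here as an example and not taken from Morphisec's report or from Blender's code: it walks a .blend file's block headers and counts Text ("TX") data-blocks, which is where embedded Python scripts are stored. It assumes the classic 12-byte file header with 20- or 24-byte block headers and rejects other layouts; `scan_blend`, `_block` and `SAMPLE` are hypothetical names, and the sample bytes are constructed.

```python
import gzip
import struct

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"

def scan_blend(data: bytes) -> dict:
    """Walk .blend block headers and count embedded Text ("TX") data-blocks."""
    if data[:2] == b"\x1f\x8b":                  # gzip-compressed .blend
        data = gzip.decompress(data)
    elif data[:4] == ZSTD_MAGIC:                 # zstd is not handled here
        raise ValueError("zstd-compressed .blend: decompress before scanning")
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    if data[7:8] not in (b"_", b"-") or data[8:9] not in (b"v", b"V"):
        raise ValueError("unsupported .blend header layout")
    ptr = 4 if data[7:8] == b"_" else 8          # pointer-size flag
    order = "<" if data[8:9] == b"v" else ">"    # endianness flag
    # Block header: code, body size, old address, SDNA index, count
    head = struct.Struct(f"{order}4si{ptr}sii")
    offset, blocks, text_blocks = 12, 0, 0
    while offset + head.size <= len(data):
        code, size, _addr, _sdna, _count = head.unpack_from(data, offset)
        if code == b"ENDB":                      # end-of-file marker block
            break
        if size < 0 or offset + head.size + size > len(data):
            raise ValueError("truncated or corrupt block")
        blocks += 1
        if code == b"TX\x00\x00":                # Text data-block (may hold Python)
            text_blocks += 1
        offset += head.size + size
    return {"version": data[9:12].decode("ascii", "replace"),
            "blocks": blocks, "text_blocks": text_blocks}

def _block(code: bytes, body: bytes = b"") -> bytes:
    """Build one block for the constructed sample (8-byte pointers, little-endian)."""
    return struct.pack("<4si8sii", code, len(body), b"\x00" * 8, 0, 1) + body

# Constructed sample, not a real asset: one object block and one text block.
SAMPLE = (b"BLENDER-v293" + _block(b"OB\x00\x00", b"\x00" * 16)
          + _block(b"TX\x00\x00", b"\x00" * 32) + _block(b"DATA", b"import os\x00")
          + _block(b"ENDB"))

if __name__ == "__main__":
    print(scan_blend(SAMPLE))
```

A non-zero `text_blocks` count is not a verdict, since legitimate rigs also ship UI scripts; it marks a file to open only with Auto Run off (Blender's `--disable-autoexec` / `-Y` command-line flag) and to read in the Text Editor first.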

