Morphisec has issued a critical alert regarding a sophisticated malware campaign targeting 3D artists, game developers, and hobbyists. For at least six months, threat actors have been weaponizing 3D model files on platforms like CGTrader to deliver the notorious StealC V2 infostealer.
Users believing they are downloading legitimate assets—such as a “Spacesuit NASA Apollo 11” model—are instead unknowingly infecting their systems with malware designed to drain their digital lives.
The attack vector exploits a powerful feature within Blender, the popular open-source 3D creation suite: its ability to embed and execute Python scripts.
Legitimate files use scripts like Rig_Ui.py to generate user interfaces for complex character rigs. However, attackers are embedding malicious code into these scripts. If a user has “Auto Run Python Scripts” enabled in their Blender preferences, the malware executes silently in the background the moment the file is opened.
“Users unknowingly download these 3D model files, which are designed to execute embedded Python scripts upon opening in Blender.”
Because Blender typically runs on powerful physical machines with GPUs (to handle rendering), and the embedded script only fires when the file is actually opened in Blender, this method effectively bypasses many of the sandboxes and virtual environments that security researchers use to detect malware.
New evidence links this campaign to Russian-speaking threat actors previously associated with StealC distribution. The tactics mirror an earlier operation that impersonated the Electronic Frontier Foundation (EFF) to target Albion Online players. Both campaigns share distinct fingerprints:
- Use of decoy documents/files.
- Advanced evasion techniques.
- Reliance on Pyramid C2 (Command and Control) infrastructure.
Once a victim opens the compromised .blend file, a multi-stage infection process begins:
- Initial Execution: The embedded Python script runs silently in the background.
- Payload Retrieval: It downloads a PowerShell script, which then fetches two ZIP archives (ZalypaGyliveraV1 and BLENDERX) from attacker-controlled domains.
- Extraction & Persistence: The archives are unzipped to the %TEMP% directory. The malware creates LNK files in the Windows Startup folder to ensure it runs every time the computer boots.
- Execution: The system deploys StealC V2 alongside an auxiliary Python stealer.
First announced in April 2025, StealC V2 is a potent evolution of the original infostealer, sold on underground markets for roughly $200/month. It is designed to harvest a vast array of sensitive data:
- Browsers: Targets 23+ browsers (including Chrome 132+) for cookies, passwords, and history.
- Crypto Wallets: Scans for 15+ desktop wallets.
- Extensions: Compromises over 100 web plugins.
- Apps: Steals data from Discord, Telegram, ProtonVPN, and more.
Notably, many samples of this malware currently show extremely low detection rates on platforms like VirusTotal, making them dangerous even to users with active antivirus software.
The most effective defense against this threat is a simple configuration change within Blender. Keep Auto Run Python Scripts disabled unless you strictly trust the source of the file.
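As an added example, not code from Morphisec's report or from the Blender project, the following script audits the text blocks embedded in an already-opened .blend file without executing them: it flags any script set to run when the file loads (Blender's "Register" option, exposed as `use_module`) and scans its source for the capabilities the chain above relies on (network fetch, PowerShell, process spawning, Startup persistence). The scanning function is plain Python and runs outside Blender; the `bpy` wrapper assumes it is called from Blender's own interpreter with Auto Run disabled, and the pattern list is a heuristic chosen for this example, not a signature set.

```python
"""Audit the Python text blocks embedded in a .blend file without running them."""
import re
from dataclasses import dataclass, field

# Heuristic markers for this example: rig-UI scripts rarely need them, droppers usually do.
SUSPICIOUS_PATTERNS = {
    "network": re.compile(r"\b(urllib|requests|http\.client|socket)\b"),
    "process": re.compile(r"\b(subprocess|os\.system|os\.popen|ctypes)\b"),
    "powershell": re.compile(r"powershell|-EncodedCommand|\biex\b", re.I),
    "obfuscation": re.compile(r"\b(base64|exec|eval|compile)\s*\("),
    "persistence": re.compile(r"%TEMP%|\\Startup\\|\.lnk\b", re.I),
}

@dataclass
class TextFinding:
    name: str
    registered: bool  # Text block's "Register" flag: run as a module when the file loads
    tags: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        # Registered + suspicious content is exactly the campaign's trigger condition.
        if self.registered and self.tags:
            return "high"
        if self.registered or self.tags:
            return "medium"
        return "low"

def scan_text_block(name: str, source: str, registered: bool) -> TextFinding:
    """Classify one embedded script by its load-time behaviour and its source text."""
    tags = [tag for tag, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source)]
    return TextFinding(name=name, registered=registered, tags=tags)

def audit_open_blend_file() -> list:
    """Call from inside Blender after opening the file with Auto Run disabled."""
    import bpy  # only available inside Blender's interpreter
    if bpy.context.preferences.filepaths.use_scripts_auto_execute:
        raise RuntimeError("Disable Auto Run Python Scripts before auditing a file")
    return [scan_text_block(t.name, t.as_string(), t.use_module) for t in bpy.data.texts]

# Constructed samples for running this file outside Blender.
BENIGN_RIG_UI = "import bpy\nclass RigUI(bpy.types.Panel):\n    bl_label = 'Rig UI'\n"
DROPPER_LIKE = ("import urllib.request, subprocess\n"
                "# stage fetched via PowerShell, as in the campaign's first stage\n"
                "subprocess.run(['powershell', '-EncodedCommand', '<placeholder>'])\n")

if __name__ == "__main__":
    for name, src in (("Rig_Ui.py", BENIGN_RIG_UI), ("Rig_Ui.py", DROPPER_LIKE)):
        f = scan_text_block(name, src, registered=True)
        print(f"{f.name}: risk={f.risk} registered={f.registered} tags={f.tags}")
```

A registered but clean script (a genuine Rig_Ui.py) still scores "medium", since anything that runs on load deserves a look before trusting the file; starting Blender with `-Y` / `--disable-autoexec` forces Auto Run off for that session regardless of the saved preference.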