StealC V2 Malware Hides Inside Blender 3D Model Files, Steals Over 100 Types of Data


491/68 Wednesday, November 26, 2025

Cybercriminals are spreading the StealC V2 information-stealing malware through malicious Blender model files uploaded to 3D asset marketplaces such as CGTrader. The attackers exploit Blender’s ability to automatically run Python scripts (Auto Run), allowing malicious code to execute immediately when a user opens a .blend file. Many users enable this feature for convenience, unknowingly increasing their exposure to such attacks.

According to research by Morphisec, StealC V2 uses a multi-stage attack chain. The embedded Python script retrieves a malware loader, which then uses PowerShell to download the final payload. The updated version of StealC significantly expands its data-theft capabilities, targeting over 23 web browsers, more than 115 cryptocurrency wallet extensions and applications, as well as Telegram, Discord, and various VPN clients. Although StealC has been active since 2023, the new version includes advanced evasion techniques that allow it to bypass many antivirus solutions.
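One way to hunt for this chain in endpoint telemetry is to flag shell processes that descend from blender.exe in process-creation events. The following is an added example, not code from Morphisec or the source article. The event fields, the loader file name and all sample events are constructed, and it assumes the loader starts as a child of the Blender process.

```python
import ntpath

# Constructed process-creation events (fields shaped like Sysmon Event ID 1).
# Paths, pids and the loader name are placeholders, not real indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Blender Foundation\Blender\blender.exe",
     "cmd": r'blender.exe "C:\Users\a\Downloads\model.blend"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Users\a\AppData\Local\Temp\loader-placeholder.exe",
     "cmd": "loader-placeholder.exe"},
    {"pid": 220, "ppid": 210, "image": PS, "cmd": "powershell.exe -NoProfile <constructed>"},
    {"pid": 300, "ppid": 100, "image": PS, "cmd": "powershell.exe Get-Date"},  # benign: user-launched
]

WATCHED_ANCESTOR = "blender.exe"
# Assumption: which children count as suspicious should be tuned per environment.
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(path).lower()


def ancestry(pid, by_pid):
    """Image names from the process up to the oldest known ancestor.
    The 'seen' set stops the walk if pid reuse creates a loop."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_blender_descendants(events):
    """Return an alert for every suspect shell that has Blender anywhere above it."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if chain[0] in SUSPECT_CHILDREN and WATCHED_ANCESTOR in chain[1:]:
            alerts.append({"pid": e["pid"], "chain": " <- ".join(chain), "cmd": e["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in find_blender_descendants(SAMPLE_EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent matters here because the described chain places an intermediate loader between Blender and PowerShell.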

Blender users are strongly advised to treat third-party 3D model files as if they were executable files, especially those downloaded from online marketplaces. To reduce risk, users should disable the “Auto Run Python Scripts” feature via Blender > Edit > Preferences before opening files from untrusted publishers.

Source: https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/