A Russia-linked malware campaign is distributing the StealC V2 information-stealer by hiding malicious Python code inside Blender project files uploaded to popular 3D asset marketplaces such as CGTrader, according to researchers at cybersecurity firm Morphisec.
“A key feature enabling abuse is the ability to embed Python scripts in a .blend file’s bpy.data.texts field. Scripts like Rig_Ui.py generate user interfaces for character rigs (e.g., facial controls or clothing systems). When Blender’s Preferences → File Paths → Auto Run Python Scripts is enabled, these scripts execute automatically upon file open,” the report explains.
According to researchers, attackers uploaded booby-trapped .blend files designed to appear as legitimate character rigs. When opened, the embedded script connects to a Cloudflare Workers domain to fetch a malware loader. The loader then retrieves a PowerShell script responsible for downloading two ZIP archives, ZalypaGyliveraV1 and BLENDERX, from attacker-controlled servers. The contents unpack into the Windows %TEMP% directory, plant LNK shortcuts in the Startup folder for persistence, and deploy two payloads: the StealC infostealer and a secondary Python-based stealer for redundancy.
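The defensive counterpart to the mechanism quoted above: a triage script, added here as an example and not taken from Morphisec's report or from Blender itself, that walks a .blend file's block table and counts Text datablocks (Blender's on-disk ID code `TX`, which is how `bpy.data.texts` entries are stored) so that assets downloaded from a marketplace can be queued for review before anyone opens them with auto-run enabled. It assumes the documented .blend layout (12-byte header followed by a chain of BHead-prefixed blocks) and handles gzip-compressed saves; the sample files it checks are constructed inside the script and are not real assets.

```python
import gzip
import struct
from typing import List, Tuple

# .blend layout: 12-byte header "BLENDER" + pointer-size char ('-' = 8-byte,
# '_' = 4-byte) + endian char ('v' = little, 'V' = big) + 3-char version,
# then a chain of blocks each prefixed by a BHead:
#   code[4], int32 len, old pointer, int32 SDNA index, int32 count
BLEND_MAGIC = b"BLENDER"
GZIP_MAGIC = b"\x1f\x8b"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"
TEXT_ID_CODE = b"TX"  # ID code of Text datablocks (what bpy.data.texts holds)


def _decompress(data: bytes) -> bytes:
    """Blender can save gzip- (2.x) or zstd- (3.x+) compressed files."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: decompress it first, then re-run")
    return data


def parse_block_codes(data: bytes) -> List[Tuple[bytes, int]]:
    """Walk the BHead chain and return (code, payload_size) for every block."""
    data = _decompress(data)
    if len(data) < 12 or not data.startswith(BLEND_MAGIC):
        raise ValueError("not a .blend file")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"
    endian = "<" if data[8:9] == b"v" else ">"
    bhead = struct.Struct(f"{endian}4si{ptr_fmt}ii")  # explicit endian: no padding
    blocks: List[Tuple[bytes, int]] = []
    offset = 12
    while offset + bhead.size <= len(data):
        code, size, _old_ptr, _sdna, _count = bhead.unpack_from(data, offset)
        if size < 0:
            raise ValueError(f"corrupt block length at offset {offset}")
        blocks.append((code, size))
        if code == b"ENDB":  # terminator block; anything after it is not parsed
            break
        offset += bhead.size + size
    return blocks


def embedded_text_blocks(data: bytes) -> int:
    """Count Text datablocks: any > 0 means the file carries scripts Blender could auto-run."""
    return sum(1 for code, _ in parse_block_codes(data) if code.startswith(TEXT_ID_CODE))


def triage(data: bytes) -> str:
    """Human-readable verdict for a download queue; presence of text is a review flag, not proof of malice."""
    n = embedded_text_blocks(data)
    if n == 0:
        return "no embedded text blocks"
    return f"REVIEW: {n} embedded text block(s); inspect before opening with auto-run enabled"


# ---- constructed samples (not real Blender output; payloads are dummies) ----
def _block(code: bytes, payload: bytes) -> bytes:
    # little-endian, 64-bit-pointer BHead; old pointer / SDNA index / count are dummies
    return struct.pack("<4siQii", code.ljust(4, b"\0"), len(payload), 0, 0, 1) + payload


_HEADER = b"BLENDER-v300"
SAMPLE_CLEAN = _HEADER + _block(b"OB", b"\0" * 16) + _block(b"ENDB", b"")
SAMPLE_WITH_SCRIPT = (
    _HEADER
    + _block(b"OB", b"\0" * 16)
    + _block(b"TX", b"\0" * 16)   # a Text datablock such as "Rig_UI.py"
    + _block(b"DATA", b"\0" * 8)  # its TextLine contents follow in DATA blocks
    + _block(b"ENDB", b"")
)
SAMPLE_GZIPPED = gzip.compress(SAMPLE_WITH_SCRIPT)

if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_CLEAN), ("scripted", SAMPLE_WITH_SCRIPT), ("gzipped", SAMPLE_GZIPPED)]:
        print(f"{name:9s} {triage(blob)}")
```

A `TX` block only tells you that the file ships a script; as the report notes, legitimate rigs carry files like Rig_Ui.py too, so the output is a review flag rather than a verdict. Reading the script text itself requires resolving the `TextLine` structs in the following `DATA` blocks through the file's DNA catalogue, which this block-table walk deliberately skips. The preference the report names corresponds in Blender's Python API to `bpy.context.preferences.filepaths.use_scripts_auto_execute`; leaving it disabled means an embedded script is shown in the Text Editor but not run on open.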
The StealC sample used in this campaign is the latest variant of the malware’s second major version. The new release comes with upgraded data-theft capabilities to cover more than 23 web browsers, over 100 cryptocurrency wallet extensions, at least 15 standalone wallet applications, and a wide range of communication and security tools including Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and Thunderbird. The malware also incorporates an improved UAC bypass technique.
Although StealC has been publicly documented since 2023, Morphisec notes that new variants continue to evade detection. The sample analyzed in this campaign was not flagged by a single antivirus engine on VirusTotal.
