StealC Infostealer Delivered Through Malicious 3D Blender Model Files

A new campaign linked to Russian threat actors is distributing the StealC V2 information-stealing malware by hiding it inside files for the Blender 3D creation suite. These trojanized .blend files are uploaded to online marketplaces such as CGTrader, where they appear to be legitimate 3D models. When a user opens one of them with Blender's "Auto Run Python Scripts" preference enabled, the Python script embedded in the file runs automatically.

This script fetches a malware loader from a Cloudflare Workers domain, which in turn downloads a PowerShell script. The final stage retrieves and deploys two payloads: the primary StealC infostealer and a secondary Python-based stealer for redundancy. The malware establishes persistence by placing LNK files in the Windows Startup directory.

The latest version of StealC is a highly capable infostealer, targeting over 23 browsers, more than 100 cryptocurrency wallet extensions, and communication apps such as Telegram and Discord. Although the family has been known since 2023, this specific variant was undetected by every antivirus engine on VirusTotal at the time of analysis. Because 3D marketplaces cannot scan the code within model files, users are strongly advised to disable the auto-execution preference in Blender and to treat downloaded 3D assets with the same caution as executable files, trusting only sources with a proven record.
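Since marketplaces do not inspect the scripts inside model files, a defender can triage a downloaded .blend before it is ever opened in Blender. The following added example (not code from the article or from any of the tools it names) walks the classic .blend file-block layout and reports whether the file carries any embedded Text datablocks (ID code `TX`), which is where auto-run scripts live; the sample file it builds is constructed here, and the parser assumes the pre-5.0 "BLENDER" header format.

```python
import gzip
import struct
import sys
from typing import Iterator, Tuple

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"   # Blender 3.0+ may save zstd-compressed files


def iter_blocks(data: bytes) -> Iterator[Tuple[bytes, int]]:
    """Yield (block_code, payload_size) for each file block in a classic .blend."""
    if data[:2] == b"\x1f\x8b":               # older Blender versions used gzip
        data = gzip.decompress(data)
    if data[:4] == ZSTD_MAGIC:
        raise ValueError("zstd-compressed .blend: decompress first (zstd -d)")
    if data[:7] != b"BLENDER":
        raise ValueError("not a classic .blend header")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"   # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"    # 'v' = little-endian, 'V' = big-endian
    fmt = f"{endian}i{ptr_fmt}ii"                 # size, old address, SDNA index, count
    hdr_len = 4 + struct.calcsize(fmt)
    pos = 12                                      # 12-byte file header
    while pos + hdr_len <= len(data):
        code = data[pos:pos + 4]
        size = struct.unpack_from(fmt, data, pos + 4)[0]
        yield code, size
        if code == b"ENDB":
            return
        pos += hdr_len + size


def embedded_text_blocks(data: bytes) -> list:
    """Sizes of every Text datablock header (ID code 'TX'). The script body itself
    lives in the DATA blocks that follow, so this reports presence, not script length."""
    return [size for code, size in iter_blocks(data) if code[:2] == b"TX"]


SAMPLE_TEXT = b"constructed placeholder Text struct bytes"


def build_sample(with_text: bool = True, gzipped: bool = False) -> bytes:
    """Constructed minimal .blend-shaped file (64-bit, little-endian, version 3.00)."""
    def block(code: bytes, payload: bytes) -> bytes:
        return code + struct.pack("<iQii", len(payload), 0, 0, 1) + payload
    body = b"BLENDER-v300"
    if with_text:
        body += block(b"TX\x00\x00", SAMPLE_TEXT)
    body += block(b"ENDB", b"")
    return gzip.compress(body) if gzipped else body


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = embedded_text_blocks(fh.read())
        print(f"{path}: {len(found)} embedded Text datablock(s)")
```

A Text datablock is not proof of malice (legitimate files ship notes and driver scripts), so treat a hit as a reason to review the text in a sandboxed Blender with auto-run disabled rather than as a verdict.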
