
Blender malicious .blend file campaign delivering StealC V2

Campaign
Happening score: 38
1 unique source, 1 article

Summary


A six-month malicious-file campaign is abusing Blender .blend files on CGTrader to execute embedded scripts and deliver StealC V2, putting users who download 3D assets at risk of credential theft. When a victim opens one of the files in Blender with Auto Run enabled, it triggers a Rig_Ui.py script and a PowerShell downloader. The chain drops two ZIP archives, one carrying StealC V2 and the other a secondary Python-based stealer, showing a sustained delivery operation.

Related Happenings

Russian-linked StealC V2 Blender marketplace delivery campaign

Campaign
First: 25.11.2025 00:00 Last: 25.11.2025 00:00 Sources 1

About this happening: A **Russian-linked campaign** is distributing **StealC V2** through malicious **.blend files** on **3D model marketplaces** and putting **Blender users** at risk of credential the...

StealC V2 weaponized Blender asset delivery

Malware Activity
First: 24.11.2025 16:00 Last: 24.11.2025 16:00 Sources 1

How related: While one of the ZIP files contains a payload for StealC V2, the second archive deploys a secondary Python-based stealer on the compromised host.

About this happening: The **StealC V2** malware is being spread through manipulated **Blender .blend** files, creating a new delivery path that can compromise users who open routine 3D assets. If **Aut...

AkdoorTea backdoor delivered through Windows batch-script ZIP chain

Malware Activity
First: 25.09.2025 16:14 Last: 25.09.2025 16:14 Sources 1

About this happening: The newly documented **AkdoorTea** backdoor is being delivered through a **Windows batch script**, expanding the malware toolkit used against targeted developers. The delivery cha...

StealC FileFix phishing delivery chain

Malware Activity
First: 16.09.2025 15:33 Last: 16.09.2025 15:33 Sources 1

About this happening: The **StealC** malware is being delivered through a **FileFix** phishing chain that can execute malicious code on **Windows** victims. The lure uses a convincing multilingual fake...

Timeline

  1. 25.11.2025 13:28 2 articles · 6mo ago

    Malicious Blender .blend file campaign delivers StealC V2

    Initial Disclosure

    Cybersecurity researchers disclosed a campaign targeting people downloading 3D model files from CGTrader and other free 3D asset sites, where malicious .blend files execute embedded Python scripts in Blender when Auto Run is enabled and then fetch a PowerShell downloader that drops ZIP archives containing StealC V2 and a secondary Python-based stealer. The operation has been active for at least six months and shares tactical similarities with a prior campaign linked to Russian-speaking threat actors that impersonated the Electronic Frontier Foundation (EFF) to target the online gaming community with StealC and Pyramid C2.
