
Russian-linked StealC V2 Blender marketplace delivery campaign

Type: Campaign
Happening score: 38
Coverage: 1 unique source, 1 article

Summary


A Russian-linked campaign is distributing StealC V2 through malicious .blend files on 3D model marketplaces and putting Blender users at risk of credential theft. The operation abuses Blender's Auto Run feature and embedded Python code to pull a loader, PowerShell, and ZIP payloads that stage the stealer. The latest variant expands coverage to 23+ browsers, 100+ cryptocurrency wallet browser extensions, and 15+ wallet apps, raising the odds of account and wallet compromise.

Related Happenings

Blender malicious .blend file campaign delivering StealC V2

Campaign
First: 25.11.2025 13:28 Last: 25.11.2025 13:28 Sources 1

About this happening: A **six-month** malicious-file campaign is abusing **Blender .blend files** on **CGTrader** to execute embedded scripts and deliver **StealC V2**, putting 3D asset downloaders at...

StealC V2 weaponized Blender asset delivery

Malware Activity
First: 24.11.2025 16:00 Last: 24.11.2025 16:00 Sources 1

How related: A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.

About this happening: The **StealC V2** malware is being spread through manipulated **Blender .blend** files, creating a new delivery path that can compromise users who open routine 3D assets. If **Aut...

Kraken ransomware HelloKitty-linked double-extortion campaign

Campaign
First: 14.11.2025 00:53 Last: 14.11.2025 00:53 Sources 1

About this happening: **Kraken ransomware** is an active **double-extortion** campaign linked to the **HelloKitty** ecosystem and observed in **August 2025** using **SMB exploitation**, **Cloudflare**...

AkdoorTea backdoor delivered through Windows batch-script ZIP chain

Malware Activity
First: 25.09.2025 16:14 Last: 25.09.2025 16:14 Sources 1

About this happening: The newly documented **AkdoorTea** backdoor is being delivered through a **Windows batch script**, expanding the malware toolkit used against targeted developers. The delivery cha...

Timeline

  1. 25.11.2025 00:00 2 articles · 6mo ago

    Russian-linked campaign delivers StealC V2 through malicious Blender files

    Initial Disclosure

    Morphisec observed a Russian-linked campaign delivering StealC V2 through malicious .blend files uploaded to 3D model marketplaces like CGTrader by abusing Blender's Auto Run and embedded Python code. The delivery chain uses a Cloudflare Workers domain to fetch a malware loader, then a PowerShell script that retrieves the ZIP archives ZalypaGyliveraV1 and BLENDERX from attacker-controlled IPs, drops LNK files in the Startup directory for persistence, and installs StealC plus an auxiliary Python stealer. The latest StealC variant expands exfiltration to 23+ browsers, 100+ cryptocurrency wallet browser extensions, 15+ cryptocurrency wallet apps, Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and Thunderbird, and Morphisec says no security engine on VirusTotal detected the analyzed sample.
