Find notable cyber news and cases, enriched with sources, timelines, and signals.

Russian-linked StealC V2 Blender marketplace delivery campaign

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

A Russian-linked campaign is distributing StealC V2 through malicious .blend files on 3D model marketplaces and putting Blender users at risk of credential theft. The operation abuses Blender's Auto Run feature and embedded Python code to pull a loader, PowerShell, and ZIP payloads that stage the stealer. The latest variant expands coverage to 23+ browsers, 100+ cryptocurrency wallet browser extensions, and 15+ wallet apps, raising the odds of account and wallet compromise.

Related Happenings

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

OnyxC2 developers commercialize stealer as tiered MaaS with support

Threat Actor Meta
H score23 First: 11.06.2026 16:00 Last: 11.06.2026 16:00 Sources 1

About this happening: **OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score21 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...

Blender malicious .blend file campaign delivering StealC V2

Campaign
H score35 First: 25.11.2025 13:28 Last: 25.11.2025 13:28 Sources 1

About this happening: A **six-month** malicious-file campaign is abusing **Blender .blend files** on **CGTrader** to execute embedded scripts and deliver **StealC V2**, putting 3D asset downloaders at...

StealC V2 weaponized Blender asset delivery

Malware Activity
H score30 First: 24.11.2025 16:00 Last: 24.11.2025 16:00 Sources 1

How related: A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.

About this happening: The **StealC V2** malware is being spread through manipulated **Blender .blend** files, creating a new delivery path that can compromise users who open routine 3D assets. If **Aut...

Timeline

  1. 25.11.2025 00:00 2 articles · 7mo ago

    Russian-linked campaign delivers StealC V2 through malicious Blender files

    Initial Disclosure

    Morphisec observed a Russian-linked campaign delivering StealC V2 through malicious .blend files uploaded to 3D model marketplaces like CGTrader by abusing Blender's Auto Run and embedded Python code. The delivery chain uses a Cloudflare Workers domain to fetch a malware loader, then a PowerShell script that retrieves the ZIP archives ZalypaGyliveraV1 and BLENDERX from attacker-controlled IPs, drops LNK files in the Startup directory for persistence, and installs StealC plus an auxiliary Python stealer. The latest StealC variant expands exfiltration to 23+ browsers, 100+ cryptocurrency wallet browser extensions, 15+ cryptocurrency wallet apps, Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and Thunderbird, and Morphisec says no security engine on VirusTotal detected the analyzed sample.

    Show sources