Russian-linked StealC V2 Blender marketplace delivery campaign
Campaign
Summary
Hide ▲
Show ▼
A Russian-linked campaign is distributing StealC V2 through malicious .blend files on 3D model marketplaces and putting Blender users at risk of credential theft. The operation abuses Blender's Auto Run feature and embedded Python code to pull a loader, PowerShell, and ZIP payloads that stage the stealer. The latest variant expands coverage to 23+ browsers, 100+ cryptocurrency wallet browser extensions, and 15+ wallet apps, raising the odds of account and wallet compromise.
Related Happenings
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor Meta
H score23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
About this happening:
**OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor MetaAbout this happening: **OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
H score21
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
VulnerabilityAbout this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
Blender malicious .blend file campaign delivering StealC V2
Campaign
H score35
First: 25.11.2025 13:28
Last: 25.11.2025 13:28
Sources 1
About this happening:
A **six-month** malicious-file campaign is abusing **Blender .blend files** on **CGTrader** to execute embedded scripts and deliver **StealC V2**, putting 3D asset downloaders at...
Blender malicious .blend file campaign delivering StealC V2
CampaignAbout this happening: A **six-month** malicious-file campaign is abusing **Blender .blend files** on **CGTrader** to execute embedded scripts and deliver **StealC V2**, putting 3D asset downloaders at...
StealC V2 weaponized Blender asset delivery
Malware Activity
H score30
First: 24.11.2025 16:00
Last: 24.11.2025 16:00
Sources 1
How related:
A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.
About this happening:
The **StealC V2** malware is being spread through manipulated **Blender .blend** files, creating a new delivery path that can compromise users who open routine 3D assets. If **Aut...
StealC V2 weaponized Blender asset delivery
Malware ActivityHow related: A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.
About this happening: The **StealC V2** malware is being spread through manipulated **Blender .blend** files, creating a new delivery path that can compromise users who open routine 3D assets. If **Aut...
Timeline
-
25.11.2025 00:00 2 articles · 7mo ago
Russian-linked campaign delivers StealC V2 through malicious Blender files
Initial DisclosureMorphisec observed a Russian-linked campaign delivering StealC V2 through malicious .blend files uploaded to 3D model marketplaces like CGTrader by abusing Blender's Auto Run and embedded Python code. The delivery chain uses a Cloudflare Workers domain to fetch a malware loader, then a PowerShell script that retrieves the ZIP archives ZalypaGyliveraV1 and BLENDERX from attacker-controlled IPs, drops LNK files in the Startup directory for persistence, and installs StealC plus an auxiliary Python stealer. The latest StealC variant expands exfiltration to 23+ browsers, 100+ cryptocurrency wallet browser extensions, 15+ cryptocurrency wallet apps, Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and Thunderbird, and Morphisec says no security engine on VirusTotal detected the analyzed sample.
Show sources
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00
- Malicious Blender model files deliver StealC infostealing malware — www.bleepingcomputer.com — 25.11.2025 00:00