Cybersecurity researchers have identified a malware campaign where threat actors are distributing the StealC V2 information-stealing malware by hiding it within compromised Blender 3D assets. The discovery was made by security firm ESET, which detailed the unconventional attack vector targeting users of the popular open-source 3D modeling software.
The campaign involves modifying legitimate Blender add-ons to include malicious code. Attackers embed this code within a Python script file (a .py file) that users must execute within Blender to properly use the associated 3D model. Once executed, the script downloads and runs the StealC V2 payload on the victim’s system.
Deceptive Distribution and Execution
The malicious 3D assets were observed being promoted on a pro-Russian Telegram channel. One specific example highlighted by researchers was a 3D model of a Lancet drone, which contained the hidden malware loader. The Python script responsible for the infection was obfuscated to conceal its true function from casual inspection. The attack relies entirely on the user running the malicious script, which is often a required step for using complex 3D assets or add-ons in Blender.
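The infection chain described above (a modified add-on whose .py script decodes and runs a hidden stage once the user enables it) can be triaged statically before the add-on is ever enabled. The following is an added example written for this page, not code from the article or from ESET's report: it parses an add-on's Python source and scores loader-like traits (unexpected network or process modules, dynamic execution, long base64-looking literals, and the exec-of-decoded-blob pattern). The sample add-on, its name and the indicator weights are constructed for illustration.

```python
import ast
import base64
import re

# Imports a 3D-asset helper add-on has little reason to need, plus the
# calls and literals that usually carry an obfuscated stage.
SUSPECT_MODULES = {"urllib": 2, "http": 2, "requests": 2, "socket": 2,
                   "subprocess": 1, "ctypes": 1, "os": 1}
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{60,}$")  # long base64-looking literal

def scan_addon_source(src: str) -> dict:
    """Statically collect loader-like indicators from one add-on .py source."""
    found = {"modules": set(), "dynamic_calls": 0, "blobs": 0, "decode_then_exec": False}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            found["modules"].update(n.split(".")[0] for n in names
                                    if n.split(".")[0] in SUSPECT_MODULES)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_CALLS):
            found["dynamic_calls"] += 1
            # exec(base64.b64decode(...)) is the usual way a hidden stage gets run
            if any(isinstance(n, ast.Attribute) and n.attr == "b64decode"
                   for n in ast.walk(node)):
                found["decode_then_exec"] = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            found["blobs"] += bool(B64_RE.match(node.value))
    return found

def risk_score(found: dict) -> int:
    """Weighted sum of indicators; review anything scoring 3 or more before enabling."""
    return (sum(SUSPECT_MODULES[m] for m in found["modules"])
            + min(found["dynamic_calls"], 3) + 3 * found["decode_then_exec"]
            + min(found["blobs"], 2))

# Constructed sample: presents as a model helper add-on but decodes and runs a
# hidden stage the moment the user enables it. The encoded text is a harmless comment.
_HIDDEN = base64.b64encode(b"# placeholder for an encoded second stage\n" * 3).decode()
SAMPLE_ADDON = f'''
bl_info = {{"name": "Drone Model Helper", "blender": (4, 0, 0), "category": "Object"}}
import bpy, base64
_p = "{_HIDDEN}"
def register():
    exec(base64.b64decode(_p))
'''
```

The scanner only parses the file and never imports or runs it, so it is safe to point at untrusted add-ons; `scan_addon_source(SAMPLE_ADDON)` scores 5, while a plain add-on that merely imports `os` scores 1.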
StealC V2 Malware Capabilities
StealC V2 is a known information stealer designed to exfiltrate a wide range of sensitive data from an infected computer. Its targets include information stored in web browsers, such as cookies, passwords, and autofill data. The malware is also engineered to search for and steal data from cryptocurrency wallets. Additionally, StealC V2 is capable of extracting information from files on the desktop and from specific applications, including Discord and Telegram, before sending the stolen data to a command-and-control server operated by the attackers.
Source: https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html