Security researchers at Morphisec have identified a malware distribution campaign that uses weaponized Blender 3D files to infect systems with the StealC V2 information-stealing malware. The campaign targets users of Blender, a popular open-source 3D graphics software, by luring them with malicious .blend files.
The threat actors distribute these files on platforms frequented by 3D artists, such as Discord servers. The files are often disguised as leaked versions of paid 3D models to entice users into downloading and opening them. Once a user opens the booby-trapped file, the attack chain is initiated.
Infection Chain via Embedded Python Scripts
The core of the attack lies within the malicious .blend file, which contains an embedded Python script. Blender’s software architecture includes a scripting engine that can automatically execute Python code contained within a project file upon opening. In this campaign, the embedded script is designed to run silently in the background.
This initial script acts as a dropper, connecting to a remote server to download a second-stage payload. The downloaded payload is a .NET loader, which then decrypts and executes the final malware, StealC V2, on the victim’s machine.
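A defender-side triage scan for .blend files that carry embedded script text, added here as an example and not code from Morphisec's report: it walks the file's block structure and reports script indicators found in the DATA blocks that belong to a Text (TX) datablock. It assumes the classic .blend layout (12-byte header, then blocks of 4-byte code, int32 size, old pointer, SDNA index and count) and uses constructed sample images rather than real files; it does not parse the register flag that decides whether Blender auto-runs a given text block, so it deliberately over-reports.

```python
import struct

# Constructed sample, not a real Blender file: assumed classic .blend layout
# (12-byte header "BLENDER" + pointer size + endianness + version, then blocks
# of 4-byte code, int32 size, old pointer, int32 SDNA index, int32 count).
INDICATORS = (b"import ", b"urllib", b"requests", b"socket", b"subprocess",
              b"os.system", b"exec(", b"eval(", b"base64", b"bpy.app.handlers")

def _block(code, payload, ptr_size=8):
    """Build one little-endian file block header followed by its payload."""
    head = code.ljust(4, b"\0") + struct.pack("<i", len(payload))
    head += b"\0" * ptr_size + struct.pack("<ii", 0, 1)
    return head + payload

def iter_blocks(data):
    """Yield (code, payload) for each block; reject files with a bad header."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    ptr_size = 4 if data[7:8] == b"_" else 8
    endian = "<" if data[8:9] == b"v" else ">"
    head_len = 4 + 4 + ptr_size + 4 + 4
    pos = 12
    while pos + head_len <= len(data):
        code = data[pos:pos + 4]
        size, = struct.unpack(endian + "i", data[pos + 4:pos + 8])
        pos += head_len
        if size < 0 or pos + size > len(data):
            raise ValueError("truncated block")
        yield code, data[pos:pos + size]
        pos += size
        if code == b"ENDB":
            break

def find_embedded_scripts(data):
    """Return indicator strings seen in DATA blocks that follow a Text (TX) datablock."""
    hits, in_text = [], False
    for code, payload in iter_blocks(data):
        if code == b"TX\0\0":
            in_text = True            # following DATA blocks hold the text lines
        elif code == b"DATA" and in_text:
            hits.extend(sorted({i.decode() for i in INDICATORS if i in payload}))
        else:
            in_text = False           # another ID block or ENDB ends the text
    return hits

# Two constructed images: script-like lines under a TX block, and the same words
# in unrelated DATA (not flagged, since it belongs to no Text datablock).
SUSPECT = (b"BLENDER-v293" + _block(b"TX", b"\0" * 16)
           + _block(b"DATA", b"import urllib.request\nimport subprocess\n")
           + _block(b"ENDB", b""))
CLEAN = b"BLENDER-v293" + _block(b"DATA", b"import os") + _block(b"ENDB", b"")
```

Blender only executes such embedded scripts when its Auto Run Python Scripts preference is enabled (or the file comes from a trusted path), so scanning files before they are opened avoids depending on every workstation having that setting off.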
StealC V2 Malware Capabilities
StealC V2 is a potent information-stealing malware that emerged after the source code of the original StealC malware was publicly released in 2023. The malware is engineered to exfiltrate a wide range of sensitive data from an infected computer. Its primary functions include stealing information from web browsers, such as passwords, cookies, and credit card details.
Additionally, StealC V2 targets cryptocurrency wallets, messaging applications like Discord and Telegram, and email clients. The malware also possesses the capability to capture screenshots of the victim’s desktop, gathering further sensitive information. Morphisec confirmed that its security solution, Morphisec Scudo, successfully prevents this specific attack chain.