Skip to main content
CybersecurityMalware & Ransomware

Hackers Hijack Blender Assets: Exclusive StealC V2 Threat

Hackers Hijack Blender Assets: Exclusive StealC V2 Threat

“I opened what I thought was a legitimate Blender asset and within moments my credentials were gone.” That admission — common among victims of commodity infostealers — now has a new twist: attackers are weaponizing .blend files themselves, hiding an information stealer called StealC V2 inside seemingly innocuous 3D assets distributed on public marketplaces.

Researchers at Morphisec disclosed this campaign and shared details with The Hacker News, saying the operation has been active for at least six months and that adversaries have been embedding malicious .blend files on platforms such as CGTrader to trick artists and designers into running them, thereby triggering credential theft and token exfiltration, according to Morphisec researcher Shmuel Uzan and the vendor’s report shared with the outlet .

Background: infostealers and the rise of commodity malware

Infostealers are not new. Families like StealC have long harvested browser cookies, saved passwords, autofill data and authentication tokens, then monetized that haul on fraud markets. What is new is the delivery vector. Where phishing emails, trojanized installers, and malicious macros once dominated, attackers increasingly weaponize trusted file formats and distribution channels that lower suspicion and increase click-through rates. The recent campaign repackages that playbook into the creative tools ecosystem, leveraging the trust users place in marketplaces that host 3D assets and templates .

What the campaign looks like

  • Adversaries create or modify .blend (Blender) files and upload them to public asset marketplaces.
  • These files appear legitimate to artists and studios searching for models, textures, or scenes, and are downloaded and opened in Blender — a widely used 3D creation suite.
  • Upon opening, the malicious asset executes scripts or triggers behaviors that deploy StealC V2, which harvests credentials, session tokens and other sensitive artifacts from the host machine.
  • Attackers then exfiltrate the collected data to command-and-control servers, where it can be sold or used for account takeover and fraud.

Why this matters — for technologists, users and policymakers

For defenders, the campaign highlights a simple truth: attackers will weaponize whichever channel users trust. Marketplace moderation and file scanning are necessary but insufficient. Signature-based defenses struggle when actors tweak binaries or employ packing and obfuscation; behavior-based detection and application allowlisting are more resilient but require operational maturity to deploy broadly .

For creative professionals and hobbyists, the risk is immediate and subtle. A downloaded .blend file is normally benign and trusted; that trust is what the attacker exploits. Artists who use shared assets — often under time pressure and with little security tooling on their workstations — are a convenient target. The loss of credentials or cookies can lead to account takeover across email, financial services, cloud storage and creative marketplaces themselves.

For policymakers and platform operators, the incident raises policy and ecosystem questions. Marketplaces could tighten upload verification, implement firmer sandboxing of preview/render pipelines, and improve user-facing warnings about executing embedded scripts. Regulators and industry groups might also consider standards for secure file-handling practices and clearer notification requirements when a platform becomes aware that distributed content is malicious. The underlying economic incentives — low cost of entry for attackers and high resale value for stolen credentials — mean technical fixes alone will not close the problem; policy and market-level mitigations are required as part of a layered defense strategy .

Practical mitigation steps

  • Exercise caution with third-party assets: verify authorship and prefer assets from established, trusted vendors.
  • Do not run or enable embedded scripts in files unless you can inspect them in a safe environment first; disable auto-execution where possible.
  • Harden workstations: use application allowlisting, restrict permissions to install software, and deploy behavior-based endpoint detection tuned to credential-exfiltration patterns.
  • Adopt phishing-resistant multi-factor authentication (FIDO2 or hardware keys) to reduce the value of stolen credentials.
  • Platforms should strengthen upload checks, make official communication channels harder to spoof, and provide clearer guidance on what legitimate remediation looks like to end users.

Perspectives from across the field

Security vendors stress speed and sharing. Rapid weaponization compresses the defenders’ detection window: what used to require months of iteration can now be reproduced and scaled in days. That makes coordinated reporting and fast blocking essential tools in the ecosystem’s response toolkit .

Market operators face a trade-off between open accessibility and safety. Open marketplaces thrive on low friction and a large contributor base; additional verification and sandboxing add cost and friction, but without them attackers enjoy an inexpensive vector to reach targets. Users, especially small studios and freelancers, pay the price for that imbalance.

Adversaries, for their part, are pragmatic. Commodity infostealers like StealC are low-cost, high-return tools. Embedding them in trusted creative files is simply another step in the adversary playbook: exploit trust, scale distribution, and monetize at the other end.

Conclusion

The hijacking of Blender assets to deliver StealC V2 is a reminder that security is as much about context and trust as it is about code. When the files we open daily become the attack surface, the line between harmless creativity and compromise blurs. Platforms, defenders and users must reconsider how trusted content is validated and executed — or accept that convenience will keep providing attackers with an efficient way into accounts and organizations. How many more trusted file types will attackers turn into weapons before the ecosystem accepts that openness without safeguards is an invitation?

Source: https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html