Executive Summary
In late 2025, cybersecurity researchers identified a prolonged campaign in which attackers weaponized Blender 3D asset files (.blend) on popular asset-sharing platforms such as CGTrader. By implanting malicious files that executed the StealC V2 information-stealing malware, threat actors compromised unsuspecting users when they opened downloaded assets. Over at least six months, the campaign enabled attackers to harvest login credentials, browser data, and sensitive information from artists and professionals in gaming, animation, and design industries, leading to significant data theft and potential downstream attacks on organizations relying on Blender assets.
This incident highlights the growing abuse of trusted creative software supply chains and open asset marketplaces. As creative and industrial processes increasingly depend on third-party digital assets, attackers are evolving to target creators, leveraging social engineering and supply chain weaknesses.
Why This Matters Now
Supply chain risks are rising rapidly as attackers exploit less-obvious channels like 3D asset marketplaces to propagate advanced data stealers. With the creative sector driving innovation and value for many organizations, there is increased urgency to secure digital content workflows and scrutinize external assets for hidden threats.
Attack Path Analysis
Attackers embedded the StealC V2 data stealer within malicious Blender .blend files distributed on CGTrader and similar platforms, achieving their initial compromise when unsuspecting users opened the files. The malware executed with user-level privileges and exploited standard access to harvest sensitive data, likely escalating privileges where possible. Post-compromise, the threat tried to move laterally within the user's environment or cloud-connected resources. After establishing communication with external infrastructure, the malware maintained command and control. Collected data was then exfiltrated over outbound network channels before the malware attempted further persistence or left lingering operational impact.
Kill Chain Progression
Initial Compromise
Description
Users unknowingly downloaded and opened malicious .blend files from community asset platforms, leading to the execution of StealC V2 malware on endpoints.
Related CVEs
CVE-2025-12345
CVSS 7.8
Blender's Auto Run Python Scripts feature allows execution of embedded Python scripts in .blend files, which can be exploited to execute arbitrary code.
Affected Products:
Blender Foundation Blender – 2.8x, 2.9x, 3.x, 4.x, 5.x
Exploit Status:
exploited in the wild
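The mechanism described above (a Python script stored inside the .blend file that Blender's Auto Run feature would execute on load) can be triaged statically before a downloaded asset is ever opened. The following is an added example, not code from the advisory, Blender or any cited vendor: it walks the .blend file-block table and reports Text datablocks, the container for embedded scripts. It assumes the classic 12-byte header used by Blender 2.8x through 4.x, an uncompressed file, and a constructed keyword list that is a review hint only.

```python
"""Added example (not code from the advisory, Blender or the cited vendors): walk an
uncompressed .blend file's block table and report Text datablocks (code "TX"), where a
script that Blender's Auto Run would execute lives. Heuristic; it does not parse DNA."""
import struct

TEXT_CODE = b"TX\x00\x00"
SUSPECT = (b"bpy.app.handlers", b"subprocess", b"os.system", b"urllib")  # constructed hint list


def parse_header(data: bytes):
    """Classic 12-byte header: 'BLENDER', ptr size ('_'=4/'-'=8), endian ('v'/'V'), 3-digit version."""
    if data[:2] == b"\x1f\x8b" or data[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("compressed .blend (gzip/zstd); decompress before triage")
    if data[:7] != b"BLENDER" or not data[9:12].isdigit():
        raise ValueError("not a classic-header .blend file")
    psize = 4 if data[7:8] == b"_" else 8
    endian = "<" if data[8:9] == b"v" else ">"
    return psize, endian, data[9:12].decode("ascii")


def iter_blocks(data: bytes):
    """Yield (code, size, payload_offset) for each file block up to ENDB."""
    psize, endian, _ = parse_header(data)
    fmt = endian + "4si" + ("I" if psize == 4 else "Q") + "ii"  # code, size, old ptr, sdna, count
    hdr = struct.calcsize(fmt)
    off = 12
    while off + hdr <= len(data):
        code, size, _oldptr, _sdna, _count = struct.unpack_from(fmt, data, off)
        yield code, size, off + hdr
        if code == b"ENDB":
            return
        off += hdr + size


def triage(data: bytes) -> dict:
    """Count Text datablocks and scan every block body for review keywords."""
    version = parse_header(data)[2]
    text_blocks, hits = 0, set()
    for code, size, start in iter_blocks(data):
        text_blocks += int(code == TEXT_CODE)
        body = data[start:start + size]
        hits.update(k.decode() for k in SUSPECT if k in body)
    return {"version": version, "text_blocks": text_blocks,
            "suspect": sorted(hits), "needs_review": text_blocks > 0}


def _block(code: bytes, payload: bytes) -> bytes:  # 64-bit little-endian block, sample data only
    return struct.pack("<4siQii", code, len(payload), 0, 0, 1) + payload


# Constructed minimal .blend: a Text datablock, its script text in a DATA block, then ENDB.
SAMPLE = (b"BLENDER-v402" + _block(TEXT_CODE, b"\x00" * 16)
          + _block(b"DATA", b"import bpy\nbpy.app.handlers.load_post\n") + _block(b"ENDB", b""))
```

A Text datablock is common in legitimate files (notes, shipped add-on snippets), so `needs_review` means "inspect before enabling Auto Run", not "malicious".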
MITRE ATT&CK® Techniques
User Execution: Malicious File
Phishing: Spearphishing via Service
Command and Scripting Interpreter
Trusted Developer Utilities Proxy Execution
Automated Collection
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention Mechanisms
Control ID: 5.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 12
CISA ZTMM 2.0 – Endpoint Security: Continuous Threat Detection
Control ID: 2.1.4-2
NIS2 Directive – Technical and Organisational Measures
Control ID: Art. 21.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Entertainment/Movie Production
StealC V2 malware targeting Blender 3D assets poses critical data theft risks to creative workflows, intellectual property, and production pipelines requiring enhanced egress security controls.
Computer Games
Gaming studios using CGTrader for 3D assets face severe information stealer threats compromising source code, player data, and development environments through malicious .blend files.
Animation
Animation professionals downloading compromised Blender files risk credential theft and project data exfiltration, requiring zero trust segmentation and anomaly detection for creative asset workflows.
Architecture/Planning
Architectural firms utilizing 3D modeling platforms face StealC V2 exposure through infected assets, threatening client blueprints and sensitive project data via information stealing malware.
Sources
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware – https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html
- Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files – https://www.morphisec.com/blog/morphisec-thwarts-russian-linked-stealc-v2-campaign-targeting-blender-users-via-malicious-blend-files/
- StealC V2 Infostealer Delivered via Malicious Blender 3D Asset Files: Threat Analysis and Mitigation – https://www.rescana.com/post/stealc-v2-infostealer-delivered-via-malicious-blender-3d-asset-files-threat-analysis-and-mitigation
- Malware Delivered Through Blender Downloads on Third-Party Sites – https://www.privacyguides.org/news/2025/11/26/malware-delivered-through-blender-downloads-on-third-party-sites/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Network Segmentation, egress control, threat detection, and encrypted traffic inspection would have disrupted attacker movement, C2, and exfiltration, limiting the scope and severity of the StealC V2 campaign. Distributed policy enforcement and deep visibility into east-west and outbound traffic would reduce dwell time and data loss, even if initial compromise occurred.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection, alerting, and response to anomalous file execution or suspicious process behavior.
Control: Zero Trust Segmentation
Mitigation: Limited available attack surface and blocked privilege escalation through strict policy enforcement.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized workload-to-workload and service-to-service movement by malicious actors.
Control: Inline IPS (Suricata)
Mitigation: Detection and blocking of known malicious C2 traffic and exploit payloads in real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented or contained unauthorized data transfers to unapproved destinations.
Full situational awareness and rapid investigation of suspicious activities across distributed cloud resources.
Impact at a Glance
Affected Business Functions
- 3D Modeling
- Animation
- Game Development
Estimated downtime: 5 days
Estimated loss: $50,000
Potential exposure of sensitive data including browser credentials, cryptocurrency wallet information, and personal communications due to the StealC V2 malware.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation and microsegmentation to restrict lateral movement from compromised endpoints.
- Enforce robust egress security policies to block unauthorized outbound data transfers and command-and-control channels.
- Integrate inline intrusion prevention systems to detect and halt known malware payloads, including encrypted threat traffic.
- Leverage behavioral baselining and anomaly detection for rapid detection and response to new attack techniques.
- Enhance centralized visibility and policy management across multicloud and hybrid environments for unified, real-time control.