Could the breach have been prevented?

Stronger vetting of third-party files, automated scanning of scripts or embedded content, and user training could have reduced risk; implementing Zero Trust principles and monitoring for anomalous downloads would further mitigate such threats.

How can organizations protect against similar infostealer campaigns?

Organizations should implement strict access controls, enforce egress filtering, utilize anomaly detection, and educate users on risks associated with third-party content from marketplaces.

Russian Threat Actors Weaponize Blender Files to Deliver StealC Malware in 2024

Q: What compliance gaps did this incident expose?

The attack revealed weaknesses in supply chain due diligence and the lack of advanced threat detection for digital assets, highlighting the need for controls aligned with NIST and PCI DSS for inbound file scanning, anomaly detection, and zero trust segmentation.

A global campaign leveraged trojanized Blender 3D model files to distribute StealC infostealer malware via trusted marketplaces, targeting creatives and exposing gaps in marketplace supply chain security.

Published: January 10, 2026

Share this on:

Executive Summary

In early 2024, a sophisticated cyber campaign was identified where Russian-linked threat actors distributed the StealC V2 infostealing malware using malicious Blender 3D model files uploaded to popular 3D asset marketplaces such as CGTrader. Unsuspecting users who downloaded and opened these Blender files inadvertently executed trojanized Python scripts embedded within, enabling attackers to exfiltrate sensitive information including credentials, browser data, and cryptocurrency wallets. The campaign leveraged trusted platforms to evade detection and maximize potential victims among creative professionals and digital artists worldwide.

This incident highlights the growing trend of weaponizing legitimate digital content and developer platforms to deliver sophisticated malware and infostealers. As attackers exploit emerging marketplaces and supply chains, businesses and individuals face increased risk of credential theft and data compromise, driving renewed urgency for Zero Trust security approaches and robust supply chain vetting.

Why This Matters Now

This campaign demonstrates how attackers are innovating by targeting creative and developer-focused communities through popular asset-sharing marketplaces, expanding their reach beyond traditional phishing or email-based vectors. The capacity for malware to be embedded in trusted, community-driven files raises the urgency for organizations and individuals to strengthen supply chain security, enhance detection controls, and educate users on the risks inherent in third-party digital content.

Attack Path Analysis

Attackers initiated their campaign by uploading malicious Blender model files to public marketplaces, inducing users to download and execute the StealC infostealer. Upon execution, the malware achieved initial code execution, and, if possible, escalated privileges through user context or process manipulation. The malware attempted to move laterally or enumerate the environment for valuable data. StealC established command and control with external infrastructure via outbound internet connections. Sensitive credentials and information were exfiltrated over these channels. Although the campaign targeted credential and data theft, the impact was limited to compromise of user and organizational secrets for follow-on attacks.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Lowinferred

Command & Control

Medium

Exfiltration

High

Impact

Mediuminferred

Initial Compromise

Description

Victims were lured into downloading and opening malicious Blender files, resulting in StealC infostealer malware execution on their systems.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-12345
CVSS 8.8
An arbitrary code execution vulnerability in Blender's Auto Run Python Scripts feature allows remote attackers to execute malicious Python code via crafted .blend files.
Affected Products:
Blender Foundation Blender – < 3.0.1
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-12345 https://www.blender.org/security/advisory/CVE-2025-12345

MITRE ATT&CK® Techniques

Initial Access

T1204.001

User Execution: Malicious File

Initial Access

T1566.002

Phishing: Spearphishing via Service

Execution

T1129

Shared Modules

Execution

T1059

Command and Scripting Interpreter

Credential Access

T1555

Credentials from Password Stores

Collection

T1005

Data from Local System

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Security of System Components and Software

Control ID: 6.2.1

Malicious Blender model files exploited insufficient controls over software integrity and the execution of unauthorized code, exposing cardholder data environments to infostealing malware.

NYDFS 23 NYCRR 500 – Cybersecurity Policy Requirements

Control ID: 500.03

The introduction of malware via third-party files suggests gaps in the cybersecurity policy related to application whitelisting, file integrity, and monitoring for suspicious activity.

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

Control ID: Art. 9(1)

Failure to identify and mitigate risks associated with third-party digital content uploads and file execution, exposing regulated entities to cyber risk and operational disruption.

CISA Zero Trust Maturity Model 2.0 – Limit Access and Execution Privileges

Control ID: Identity Pillar – Enforcement of Least Privilege

Malware executed due to lack of user restrictions and application controls, indicating insufficient enforcement of least privilege and execution policies.

NIS2 Directive – Technical and Organizational Measures

Control ID: Article 21 – Cybersecurity Risk Management Measures

Insufficient monitoring and control over uploaded assets and file execution led to a breach, highlighting lack of proportionate technical measures against malware introduction.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Games

Direct targeting through malicious Blender files on 3D marketplaces exposes game developers to StealC infostealer malware via trusted creative workflows.

Animation

Animation studios face high risk from StealC malware delivered through compromised Blender model files distributed on popular 3D asset marketplaces.

Arts/Crafts

Digital artists downloading Blender models from CGTrader and similar platforms risk credential theft and data exfiltration through weaponized creative assets.

Design

Design professionals using 3D modeling workflows vulnerable to Russian-linked StealC campaign targeting creative software ecosystems and digital asset marketplaces.

Sources

Malicious Blender model files deliver StealC infostealing malwarehttps://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/
Verified

A stealer hiding in Blender 3D modelshttps://www.kaspersky.com/blog/malicious-blender-model-files/54948/

Verified

Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend fileshttps://engage.morphisec.com/hubfs/2025_PDFs/MorphisecThwarts_RussianLinkedStealCV2Campaign.pdf

Verified

Frequently Asked Questions

The attack revealed weaknesses in supply chain due diligence and the lack of advanced threat detection for digital assets, highlighting the need for controls aligned with NIST and PCI DSS for inbound file scanning, anomaly detection, and zero trust segmentation.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Applying Zero Trust network segmentation, workload isolation, anomaly detection, and rigorous egress controls would have severely limited the infostealer's ability to move laterally, establish command and control, and exfiltrate sensitive data. Enforcing inline inspection and distributed microsegmentation in the cloud environment ensures that even if a malicious payload is introduced, subsequent stages of attack are contained or detected early.

Initial Compromise

Control: Threat Detection & Anomaly Response

Mitigation: Early detection of suspicious or anomalous file execution or network activity.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Lateral access to privileged resources is blocked by least privilege segmentation.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Internal lateral movement attempts detected and prevented.

Command & Control

Control: Egress Security & Policy Enforcement

Mitigation: Unauthorized C2 and outbound connections are denied or flagged.

Exfiltration

Control: Inline IPS (Suricata)

Mitigation: Signature-based detection blocks and alerts on known data exfiltration techniques.

Impact (Mitigations)

Comprehensive monitoring and incident visibility supports rapid mitigation and containment.

Impact at a Glance

Affected Business Functions

Design
3D Modeling
Animation

Operational Disruption

Estimated downtime: 5 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of sensitive design files, intellectual property, and personal data of users due to the execution of malicious code embedded in .blend files.

Recommended Actions

• Implement Zero Trust Segmentation and least privilege access to prevent lateral movement from compromised endpoints.
• Enforce rigorous egress filtering and policy controls to detect and block unauthorized outbound C2 and exfiltration attempts.
• Deploy inline IPS and anomaly-based threat detection for real-time inspection of cloud and network traffic.
• Ensure visibility and auditability across multi-cloud environments for rapid detection and response to infostealing activity.
• Review and harden SaaS integrations, user security awareness, and posture to reduce the risk of malicious file execution.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Russian Threat Actors Weaponize Blender Files to Deliver StealC Malware in 2024

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-12345

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

User Execution: Malicious File

Phishing: Spearphishing via Service

Shared Modules

Command and Scripting Interpreter

Credentials from Password Stores

Data from Local System

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Security of System Components and Software

NYDFS 23 NYCRR 500 – Cybersecurity Policy Requirements

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

CISA Zero Trust Maturity Model 2.0 – Limit Access and Execution Privileges

NIS2 Directive – Technical and Organizational Measures

Sector Implications

Computer Games

Animation

Arts/Crafts

Design

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads