- Russian hackers exploit Blender's Auto Run feature to deliver the StealC infostealer via .blend files
- Malware deployed via CGTrader assets, with payloads retrieved from Cloudflare Workers domains
- StealC variant targets browsers, crypto wallets, chat apps, and VPN clients without being detected
Blender has a convenient but risky feature that experts say is being exploited by Russian hackers to distribute information-stealing malware.
Cybersecurity researchers at Morphisec observed the attacks in the wild and urged designers and other professionals to be vigilant.
Blender is an open source 3D creation suite widely used among artists, animators, game developers, and studios for everything from modeling and rendering to visual effects. There is also CGTrader, a marketplace where 3D artists and designers can buy, sell and share user-generated models and assets for their projects.
Significant impact
Now, Morphisec says it saw Russian-linked cybercriminals upload .blend files with embedded Python code to CGTrader.
The code retrieves a malware loader from a Cloudflare Workers domain, which in turn retrieves two ZIP files. These deploy two payloads, including a StealC infostealer and a Python helper stealer, probably as a fallback.
Of course, the embedded Python code still has to be executed. That's where the "convenient, but risky" feature comes into play. It is called Auto Run and, if it is enabled, when a user opens a character rig the script automatically loads the custom facial controls and UI panels, and consequently triggers the malware deployment process.
StealC is a popular information stealer that has been around for years and has been observed in numerous high-profile campaigns. It is also in constant development, with newer versions improving its persistence, stealth, and information theft capabilities.
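Because Auto Run executes whatever Python a .blend file embeds, a downloaded asset can be triaged before it is ever opened in Blender. The following is an added example, not code from Morphisec or the Blender project: it scans the raw bytes of a .blend file for script patterns, and the pattern list, function name and sample bytes are assumptions made for illustration.

```python
import gzip
import re

BLEND_MAGIC = b"BLENDER"          # start of an uncompressed .blend header
GZIP_MAGIC = b"\x1f\x8b"          # compressed saves from older Blender releases
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # compressed saves from Blender 3.0 onward

# Triage heuristics chosen for this example, not indicators published by Morphisec.
SUSPICIOUS = {
    "network fetch": re.compile(rb"urllib\.request|urlopen|requests\.get|http\.client|socket\."),
    "process launch": re.compile(rb"subprocess|os\.system|os\.popen|powershell", re.I),
    "dynamic code": re.compile(rb"\bexec\s*\(|\beval\s*\(|b64decode|marshal\.loads"),
    "Workers-hosted URL": re.compile(rb"https?://[\w.-]+\.workers\.dev", re.I),
}

# Constructed sample inputs (not real assets): a header followed by script text.
SAMPLE_CLEAN = BLEND_MAGIC + b"-v300" + b"import bpy\nbpy.ops.mesh.primitive_cube_add()\n"
SAMPLE_SCRIPTED = BLEND_MAGIC + b"-v300" + b"import urllib.request\nurl = 'https://placeholder.workers.dev/a'\n"

def triage_blend(data: bytes) -> dict:
    """Statically inspect .blend bytes; the file is never opened in Blender."""
    report = {"is_blend": None, "compressed": None, "findings": []}
    if data.startswith(GZIP_MAGIC):
        report["compressed"] = "gzip"
        data = gzip.decompress(data)
    elif data.startswith(ZSTD_MAGIC):
        # This example does not decompress zstd: decompress first, then rescan.
        report["compressed"] = "zstd"
        return report
    if not data.startswith(BLEND_MAGIC):
        report["is_blend"] = False
        return report
    report["is_blend"] = True
    # Text datablocks keep their script lines as plain bytes, so regexes match them.
    for label, pattern in SUSPICIOUS.items():
        hit = pattern.search(data)
        if hit:
            report["findings"].append((label, hit.group().decode("ascii", "replace")))
    return report

if __name__ == "__main__":
    print(triage_blend(SAMPLE_SCRIPTED))
```

A hit is a reason to open the file with Auto Run disabled (Blender's `--disable-autoexec` command-line flag) and read its Text datablocks, not a verdict; legitimate rigs also embed Python.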
This latest variant, used in this campaign, can extract data from 20+ browsers, 100+ cryptocurrency wallet browser extensions, 15+ cryptocurrency wallet apps, most chat apps, as well as VPN clients.
Via BleepingComputer




