3D artists and designers need to stay alert: researchers at Morphisec have uncovered a malware campaign targeting Blender users. Malicious .blend files are being distributed through online marketplaces and carry the StealC V2 infostealer, sophisticated malware capable of harvesting credentials, cryptocurrency wallets, messaging apps and more.
How the Threat Operates
Blender allows .blend files to include Python scripts to automate tasks such as rigging, rendering or creating custom interfaces. These scripts can be set to run automatically through Blender’s Auto Run Python Scripts preference, found in Preferences (Blender’s settings). This feature is designed for workflow efficiency and convenience, particularly when working with complex projects or curated asset packs.
Morphisec’s analysis shows that when an unverified .blend file is opened with Auto Run enabled, the embedded Python script downloads a loader from a remote server. The loader then executes a PowerShell script that retrieves additional payloads, including zipped archives containing StealC V2. The malware ensures persistence via startup shortcuts and can extract sensitive data from a wide range of applications.
It’s important to note that the threat arises only from opening unverified or unknown files. Trusted assets, such as files you create yourself or curated libraries, are safe. For detailed guidance on managing Blender files securely and using preferences safely, read about Blender preferences and Python Scripts Autorun.
Why Creative Tools Are Now Targeted
Historically, malware campaigns focused on office documents or installers. The StealC V2 campaign shows that creative workflows are increasingly part of attackers’ strategy. Many designers download assets from marketplaces they trust, and convenient features like Auto Run scripts create a pathway for malware execution. Combined with the processing power of modern 3D workstations, this allows malware to operate stealthily and persistently.
Staying Safe While Using Blender
To reduce risk, artists should verify the source of downloaded assets, test unknown files in sandboxed environments, or use alternative formats such as FBX or GLB that do not rely on scripts.
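One way to triage a downloaded file before opening it, as an added example that is not from Morphisec or Blender: the script below walks the block list of a .blend file without launching Blender and counts the Text (TX) datablocks, which is where embedded Python scripts are stored. It assumes the classic 12-byte file header and rejects any other layout; `scan_blend`, `_block` and `SAMPLE` are names made up for this sketch, and the sample bytes are constructed.

```python
import gzip
import struct

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"

def scan_blend(data: bytes) -> dict:
    """Walk the block list of a classic-header .blend and count datablock codes."""
    if data[:2] == b"\x1f\x8b":              # gzip-compressed save
        data = gzip.decompress(data)
    elif data[:4] == ZSTD_MAGIC:             # zstd-compressed save; not unpacked here
        raise ValueError("zstd-compressed .blend: decompress before scanning")
    if len(data) < 12 or data[:7] != b"BLENDER" or data[7:8] not in b"_-":
        raise ValueError("not a classic 12-byte .blend header")
    ptr = 4 if data[7:8] == b"_" else 8      # '_' = 32-bit pointers, '-' = 64-bit
    end = "<" if data[8:9] == b"v" else ">"  # 'v' little-endian, 'V' big-endian
    # Block header: code, payload size, old memory address, SDNA index, count
    head = struct.Struct(f"{end}4si{ptr}sii")
    counts, off = {}, 12
    while off + head.size <= len(data):
        code, size, _addr, _sdna, _count = head.unpack_from(data, off)
        name = code.rstrip(b"\0").decode("ascii", "replace")
        if name == "ENDB":                   # end-of-file marker block
            break
        if size < 0:
            raise ValueError("corrupt block size")
        counts[name] = counts.get(name, 0) + 1
        off += head.size + size              # skip the payload without parsing it
    return {"version": data[9:12].decode("ascii", "replace"),
            "text_blocks": counts.get("TX", 0), "blocks": counts}

def _block(code: bytes, payload: bytes) -> bytes:
    # Constructed sample block: 64-bit little-endian header plus opaque payload.
    return struct.pack("<4si8sii", code, len(payload), b"\0" * 8, 0, 1) + payload

# Constructed sample file (not a real asset): one Scene block and one Text block.
SAMPLE = (b"BLENDER-v306" + _block(b"SC", b"\0" * 16)
          + _block(b"TX", b"\0" * 16) + _block(b"ENDB", b""))

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = scan_blend(raw)
    print(report)
    if report["text_blocks"]:
        print("Embedded Text datablocks present: review before enabling Auto Run")
```

A nonzero count is not a verdict, since rigs and add-on assets legitimately ship scripts, and Python expressions in drivers are not stored as Text blocks; treat it as a cue to inspect the file with Auto Run disabled.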
As a 3D asset provider, we create and review all our models in-house, ensuring quality and safety. Assets are provided in multiple formats for convenience, allowing artists to work efficiently without the risk of embedded scripts.
For more information on the campaign and the technical analysis, visit Morphisec’s detailed report.
The StealC V2 campaign underscores the importance of security awareness in creative workflows. 3D artists should verify sources, rely on curated assets, and apply safe practices when handling Blender files. By combining careful habits with trusted content, artists can continue to work safely and efficiently.
