Morphisec discovered a sustained campaign that weaponizes Blender .blend files hosted on 3D asset sites to run embedded Python scripts which chain into PowerShell stages and download StealC V2 components. The operation uses decoy documents, Pyramid C2 with ChaCha20-encrypted payloads, and persistence via hidden LNK files, linking the campaign to previously observed Russian-speaking activity. #StealC #Blender
Keypoints
- Attackers upload malicious .blend files to free 3D asset marketplaces (e.g., CGTrader) that execute embedded Python when opened with Blender Auto Run enabled.
- The initial .blend (SHA256: c62e094c…) runs a Rig_Ui.py script that fetches a loader and triggers a PowerShell stage delivering staged ZIP archives containing StealC V2 components.
- Downloaded archives (e.g., BLENDERX.zip, ZalypaGyliveraV1.zip) extract to %TEMP% and use hidden LNK shortcuts copied to the Startup folder for persistence.
- Pyramid C2 cradles serve ChaCha20‑encrypted payloads from multiple worker.dev subdomains and IPs (e.g., 91.92.243[.]87) to deliver the stealer and auxiliary modules.
- StealC V2 is an evolved commercial infostealer with broad browser, wallet, plugin, and messaging app support, low VirusTotal detection rates, and an updated UAC bypass.
- Morphisec’s prevention platform intercepted the attack early by injecting decoy credentials into memory and terminating processes before exfiltration or persistence could occur.
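A defender-side triage check for the delivery mechanism described above, added here as an example and not code from the Morphisec report: it walks the documented .blend file-block chain (12-byte header, then blocks of code/size/old pointer/SDNA index/count, terminated by ENDB), collects the DATA blocks that follow each Text datablock (code "TX"), and reports which embedded texts contain keywords worth an analyst's look. The keyword list and the sample file bytes are constructed assumptions; the scan does not decide whether a script is registered for auto-run, it only surfaces that Python text is embedded at all.

```python
import gzip
import struct

# Constructed heuristic keyword list (assumption); tune it to your environment.
SUSPICIOUS = (b"subprocess", b"powershell", b"urllib", b"requests",
              b"os.system", b"base64", b"exec(", b"eval(")


def blend_text_blocks(data: bytes) -> list[bytes]:
    """Walk the .blend file-block chain and return the raw bytes that follow each
    Text datablock (code b"TX\\0\\0"): its DATA blocks hold the TextLine structs and
    line strings, so the script source is visible without parsing the SDNA."""
    if data[:2] == b"\x1f\x8b":                      # gzip-wrapped .blend (Blender < 3.0)
        data = gzip.decompress(data)
    if data[:7] != b"BLENDER":                       # zstd-wrapped (3.0+) files must be decompressed first
        raise ValueError("not an uncompressed or gzip-compressed .blend file")
    ptr_fmt = "Q" if data[7:8] == b"-" else "I"      # '-' = 64-bit pointers, '_' = 32-bit
    endian = "<" if data[8:9] == b"v" else ">"       # 'v' = little-endian, 'V' = big-endian
    hdr = struct.Struct(f"{endian}4si{ptr_fmt}ii")   # code, size, old address, SDNA index, count
    texts: list[bytearray] = []
    collecting = False
    off = 12
    while off + hdr.size <= len(data):
        code, size, _addr, _sdna, _count = hdr.unpack_from(data, off)
        off += hdr.size
        body, off = data[off:off + size], off + size
        if code == b"ENDB":
            break
        if code == b"TX\x00\x00":                    # start of an embedded Text datablock
            texts.append(bytearray())
            collecting = True
        elif code == b"DATA" and collecting:         # TextLine structs and line strings
            texts[-1] += body
        else:                                        # any other ID block ends this text's data run
            collecting = False
    return [bytes(t) for t in texts]


def scan_blend(data: bytes) -> list[dict]:
    """Report each embedded Text datablock and the suspicious keywords it contains."""
    return [{"text_block": i, "size": len(t),
             "hits": sorted(k.decode() for k in SUSPICIOUS if k in t)}
            for i, t in enumerate(blend_text_blocks(data))]


def _block(code: bytes, body: bytes) -> bytes:
    """Constructed 64-bit little-endian file block: header followed by body."""
    return struct.pack("<4siQii", code, len(body), 0, 0, 1) + body


# Constructed sample (not a campaign file): GLOB block, one Text datablock whose
# lines spawn PowerShell via subprocess, then the ENDB terminator.
SAMPLE = (b"BLENDER-v280" + _block(b"GLOB", b"\0" * 16) + _block(b"TX\0\0", b"\0" * 32)
          + _block(b"DATA", b"import subprocess\n")
          + _block(b"DATA", b"subprocess.Popen(['powershell', '-w', 'hidden'])\n")
          + _block(b"ENDB", b""))
GZ_SAMPLE = gzip.compress(SAMPLE)
```

Run it over .blend files pulled from asset sites before anyone opens them with Auto Run enabled; a clean rig or prop model normally carries no Text datablocks at all, so any hit is worth a manual read of the embedded script.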
MITRE Techniques
- [T1204.002] Malicious File – Attackers weaponize .blend files to get users to execute embedded scripts upon opening. (‘Users unknowingly download these 3D model files, which are designed to execute embedded Python scripts upon opening in Blender’)
- [T1059.006] Python – Embedded Python scripts in the .blend run to fetch additional stages and loaders. (‘ability to embed Python scripts in .blend file in bpy.data.texts field’)
- [T1059.001] PowerShell – The embedded scripts launch a PowerShell stage that downloads PS1 scripts and archives. (‘PowerShell Stage: Downloads a PS1 script (SHA256: B95F39B3C110D5FC7E89E50209C560FE7077B9B66A5FC31065F0C17C7F06EE83)’)
- [T1105] Ingress Tool Transfer – Attackers retrieve ZIP archives and auxiliary files over HTTP(S) to deliver the stealer and Python environment. (‘The PS1 fetches two archives from domains like: hxxp://178.16.53[.]64/… hxxp://91.92.243[.]91/…ZalypaGyliveraV1.zip: Contains a Python environment with StealC’)
- [T1547.001] Boot or Logon Autostart Execution – LNK shortcuts are executed hidden and copied to the Windows Startup folder to maintain persistence. (‘LNK files (e.g., ZalypaGyliveraV1.lnk … ) are executed hidden and copied to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for persistence.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Pyramid C2 cradles communicate over HTTP(S) endpoints to retrieve encrypted payloads and commands. (‘Pyramid cradle from URLs like hxxp://91.92.243[.]87:443/login/3keXipGb5Rr+gpGO9CjsSfdz+of’)
- [T1573] Encrypted Channel – Payloads and C2 exchanges use ChaCha20 encryption to protect communications and payload contents. (‘Python scripts download encrypted payloads (ChaCha20) via Pyramid cradle’)
- [T1497] Virtualization/Sandbox Evasion – The campaign leverages Blender files, which typically run on physical machines with GPUs, to bypass sandbox/VM detection. (‘Attackers exploit Blender that typically runs on physical machines with GPUs, bypassing sandboxes and virtual environments.’)
- [T1555.003] Credentials from Web Browsers – StealC V2 targets credentials in a wide range of browsers and performs server-side decryption of stored credentials. (‘Support for more than 23 browsers (e.g. Chromium, Firefox, Opera, Brave, …) – Server-side decryption of credentials for most browsers.’)
- [T1036] Masquerading – The operation used impersonation (e.g., EFF) and decoy content to lure specific victim groups. (‘impersonation of the Electronic Frontier Foundation (EFF) to target Albion Online players with StealC v2 and Pyramid C2 infrastructure’)
- [T1548.002] Bypass User Account Control – The threat actor updated StealC V2 to include an improved UAC bypass capability. (‘Updated UAC bypass’)
Indicators of Compromise
- [IP] download/C2 infrastructure – 178.16.53[.]64, 91.92.243[.]87, and 7 other related IPs observed serving archives and C2.
- [URL] hosting and loader endpoints – https://www.cgtrader[.]com/free-3d-models/character/man/spacesuit-nasa-apollo-11-84ff16e9-8b65-4faa-9b53-8aabb421b98f (malicious .blend hosting), https://blenderxnew[.]tohocaper1979.workers.dev/get-link (loader endpoint), and numerous workers.dev subdomains.
- [File hash] primary samples – c62e094cf89f9a2d3b5018fdd5ce30e664d40023b2ace19acc1fd7c6b2347143 (.blend sample), B95F39B3C110D5FC7E89E50209C560FE7077B9B66A5FC31065F0C17C7F06EE83 (PS1), and multiple additional hashes.
- [Archive name] dropped payloads – BLENDERX.zip (auxiliary Python stealer), ZalypaGyliveraV1.zip (Python environment with StealC) – examples of staged archives delivered by the campaign.
- [File name / LNK] persistence artifacts – ZalypaGyliveraV1.lnk, executed hidden and copied to the Startup folder (LNK SHA256: 7B4FC95BE7CA3BDE156FD53D10D05BF8C1A11D36155DC6179C9D4AFDD5E6862F).