- Russian hackers exploit Blender’s Auto Run feature to deliver StealC infostealer via .blend files
- Malware deployed through CGTrader assets, pulling payloads from Cloudflare Workers domains
- StealC variant targets browsers, crypto wallets, chat apps, and VPN clients undetected
Blender has a convenient but risky feature which experts have found is being exploited by Russian hackers to deliver infostealer malware.
Cybersecurity researchers Morphisec observed the attacks in the wild and urged designers and other professionals to be vigilant.
Blender is a widely used open source 3D creation suite popular among artists, animators, game developers, and studios for everything from modeling and rendering to visual effects. There is also CGTrader, a marketplace where 3D artists and designers can buy, sell, and share user-generated models and assets for their projects.
Significant impact
Now, Morphisec says it saw Russia-linked cybercriminals upload .blend files with embedded Python code onto CGTrader.
The code pulls a malware loader from a Cloudflare Workers domain which, in turn, pulls two ZIP archives. These deploy two payloads, including a StealC infostealer and an auxiliary Python stealer, likely as a fallback.
Obviously, the Python code needs to be triggered. That is where the “convenient, but risky” feature comes in. It is called Auto Run, and if it is enabled, when a user opens a character rig, the script automatically loads the facial controls and custom UI panels and, consequently, triggers the malware deployment process.
StealC is a popular infostealer that’s been around for years and was observed in numerous high-profile campaigns. It is also constantly in development, with newer versions getting better at persistence, stealth, and infostealing capabilities.
This latest variant, used in this campaign, can pull data from more than 20 browsers, more than 100 cryptocurrency wallet browser extensions, more than 15 cryptocurrency wallet apps, the majority of chat apps, as well as VPN clients.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/bLTg6GBXmrv6c5v7AJFPsT-1980-80.jpg
Source link
