Hackers exploit 3D design software to target game developers, animators

Russia-linked hackers are exploiting 3D design tools to infect animators, game developers and visual effects studios with information-stealing malware, according to new research.

Israel-based cybersecurity firm Morphisec said in a report this week that it had blocked several campaigns over the past six months in which attackers used Blender project files to deliver the StealC V2 infostealer. Blender is a widely used open-source 3D design program.

The attackers relied on malicious files posted on platforms such as CGTrader, an online marketplace for 3D models. Unsuspecting designers, animators and developers downloaded the malicious files, which were engineered to execute hidden Python scripts as soon as they were opened in Blender.

First advertised on dark-web forums in early 2023 for about $200 a month, StealC is used by criminal groups to steal browser data, target desktop crypto wallets and compromise messaging apps, VPN clients and web plugins. Its code avoids infecting computers with language set to Russian, Ukrainian, Belarusian or Kazakh — a pattern often seen in Russian cyber operations — and it is typically deployed against victims in North America, Western Europe and parts of Asia.

Morphisec said the issue stems from how Blender handles its .blend project files. Attackers can embed Python scripts inside them, and because Blender can automatically run certain scripts when a file opens, a malicious file can execute harmful code as soon as a user clicks on it.
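For defenders triaging downloaded models, the sketch below counts the embedded Text datablocks in a .blend file without opening it in Blender; it is an added example, not code from Morphisec or the Blender project. It assumes the classic 12-byte `BLENDER` header and block layout used by releases before the 5.0 header change, and the function name and sample bytes are constructed for illustration.

```python
import gzip
import struct
import zlib

def embedded_text_blocks(data: bytes) -> dict:
    """Walk a .blend file's block list and count Text ('TX') datablocks."""
    result = {"status": "ok", "version": None, "text_blocks": 0}
    if data[:2] == b"\x1f\x8b":                       # gzip-compressed .blend
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return {**result, "status": "bad-gzip"}
    if data[:4] == b"\x28\xb5\x2f\xfd":               # zstd frame: decompress it first
        return {**result, "status": "zstd-compressed"}
    if len(data) < 12 or data[:7] != b"BLENDER":
        return {**result, "status": "not-blend"}
    ptr_fmt = {b"_": "I", b"-": "Q"}.get(data[7:8])   # 4- or 8-byte pointers
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])    # little or big endian
    if ptr_fmt is None or endian is None:             # e.g. a newer header layout
        return {**result, "status": "unsupported-header"}
    result["version"] = data[9:12].decode("ascii", "replace")
    # Block header: code[4], payload size, old address, SDNA index, count
    fmt = f"{endian}4si{ptr_fmt}ii"
    hdr_len, off = struct.calcsize(fmt), 12
    while off + hdr_len <= len(data):
        code, size, _addr, _sdna, _count = struct.unpack_from(fmt, data, off)
        if code == b"ENDB":                           # end-of-file marker block
            return result
        if size < 0:                                  # corrupt length field
            break
        if code.rstrip(b"\0") == b"TX":               # Text datablock (embedded script)
            result["text_blocks"] += 1
        off += hdr_len + size
    return {**result, "status": "truncated"}

def make_block(code: bytes, payload: bytes = b"") -> bytes:
    """Build one little-endian, 64-bit block for the constructed sample."""
    return struct.pack("<4siQii", code, len(payload), 0, 0, 1) + payload

# Constructed sample: header, one scene block, one Text block, end marker.
SAMPLE = (b"BLENDER-v306" + make_block(b"SC\0\0", b"\0" * 16)
          + make_block(b"TX\0\0", b"\0" * 32) + make_block(b"ENDB"))

if __name__ == "__main__":
    print(embedded_text_blocks(SAMPLE))
```

A non-zero count is a reason to review the embedded scripts before the file is opened, not a verdict, since legitimate projects also ship scripts.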

While Blender files have been abused before, Morphisec said this is the first time such activity has been linked to StealC or to patterns associated with Russian-speaking threat actors.

The firm has not attributed the operation to a specific group but said the campaign appeared similar to past activity in which attackers impersonated the digital rights group Electronic Frontier Foundation to target gaming communities using StealC V2 and Pyramid C2 infrastructure.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.