Particle.news

Russian-Linked StealC V2 Campaign Weaponizes Blender Files on 3D Marketplaces

Auto-run Python in uploaded .blend projects triggers Cloudflare Workers–hosted loaders that launch a multistage theft operation.

Overview

  • Morphisec reports an ongoing operation active for at least six months that plants manipulated Blender assets on platforms such as CGTrader.
  • Opening the files with Auto Run enabled executes an embedded Rig_Ui.py script, which pulls a loader; the loader in turn fetches a PowerShell stage and two ZIP archives named ZalypaGyliveraV1 and BLENDERX.
  • The payloads unpack into the %TEMP% directory, create LNK shortcuts for startup persistence, and communicate with Pyramid-linked command-and-control infrastructure.
  • The latest StealC variant targets more than 23 browsers, over 100 wallet extensions, and at least 15 wallet apps, plus messaging, VPN, and mail clients; Morphisec notes that the analyzed sample had no VirusTotal detections.
  • Researchers urge users to disable Blender’s Auto Run and test marketplace downloads in sandboxed environments, while Morphisec says its deception-based controls blocked observed attempts.
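The practical gap in the advice above is how to look at a marketplace download before Blender gets a chance to run it. The Python script below is an added example (not Morphisec's tooling and not Blender project code) that walks a .blend file's block layout offline and lists every embedded Text datablock together with the Python API uses a rig UI script has no reason to contain. It assumes the classic 12-byte file header (BLENDER, pointer size, endianness, version), the classic 20/24-byte block header, and the "TX" block code Blender uses for text datablocks; the line extraction and name extraction are heuristics (no SDNA decoding, so the Register flag that marks a text for auto-execution is not read: every embedded text is reported). The sample .blend bytes and the script contents are constructed for the demo; they are not the real Rig_Ui.py from the campaign.

```python
"""Offline triage of a .blend file for embedded Python text datablocks (added example)."""
import gzip
import json
import re
import struct
import sys

GZIP_MAGIC = b"\x1f\x8b"              # older Blender "Compress" option
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"      # Blender 3.0+ "Compress" option

# Heuristic indicators: APIs a bone-layer / rig UI script does not need.
SUSPICIOUS_PATTERNS = [
    rb"\bimport\s+(?:os|subprocess|urllib|requests|socket|ctypes|base64|tempfile)\b",
    rb"\bsubprocess\.(?:Popen|run|call|check_output)\b",
    rb"\burllib\.request\.urlopen\b",
    rb"\bos\.(?:system|popen|startfile)\b",
    rb"\bexec\s*\(",
    rb"\bbase64\.b64decode\b",
    rb"\bpowershell\b",
]
_NAME_RE = re.compile(rb"TX([\x20-\x7e]{1,63})\x00")   # ID.name = "TX" + datablock name
_LINE_RE = re.compile(rb"([\x20-\x7e\t]*)\x00+")       # one raw TextLine string, NUL padded


def _decompress(data: bytes) -> bytes:
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    if data.startswith(ZSTD_MAGIC):
        raise ValueError("zstd-compressed .blend: run `zstd -d` on it first")
    return data


def _parse_header(data: bytes):
    """Return (pointer size, struct endian prefix, version) from the classic 12-byte header."""
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("missing BLENDER magic: not a .blend file")
    ptr_size = {b"_": 4, b"-": 8}.get(data[7:8])
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])
    if ptr_size is None or endian is None:
        raise ValueError("unrecognised header; only the classic 12-byte header is handled")
    return ptr_size, endian, data[9:12].decode("ascii", "replace")


def iter_blocks(data: bytes):
    """Yield (code, body); block header = code[4] len[4] old_ptr[ptr] sdna_index[4] count[4]."""
    ptr_size, endian, _ = _parse_header(data)
    hdr_len, off = 16 + ptr_size, 12
    while off + hdr_len <= len(data):
        code = data[off:off + 4]
        (length,) = struct.unpack(endian + "i", data[off + 4:off + 8])
        if length < 0:
            raise ValueError("negative block length at offset %d" % off)
        body_start = off + hdr_len
        yield code, data[body_start:body_start + length]
        if code == b"ENDB":
            return
        off = body_start + length


def extract_texts(data: bytes):
    """Group each TX datablock with the DATA blocks that follow it (its TextLine structs and strings)."""
    texts, current = [], None
    for code, body in iter_blocks(data):
        if code.rstrip(b"\x00") == b"TX":
            m = _NAME_RE.search(body)
            current = {"name": m.group(1).decode() if m else "<unnamed>", "lines": []}
            texts.append(current)
        elif code == b"DATA" and current is not None:
            m = _LINE_RE.fullmatch(body)   # binary TextLine structs fail this and are skipped
            if m:
                current["lines"].append(m.group(1).decode("ascii", "replace"))
        else:
            current = None                 # any other block ends the current text datablock
    for t in texts:
        t["source"] = "\n".join(t.pop("lines"))
    return texts


def scan_blend(data: bytes) -> dict:
    """Triage verdict plus every embedded text and the suspicious API uses found in it."""
    data = _decompress(data)
    _, _, version = _parse_header(data)
    report = {"version": version, "texts": []}
    for t in extract_texts(data):
        src = t["source"].encode()
        hits = sorted({m.group(0).decode("ascii", "replace")
                       for pat in SUSPICIOUS_PATTERNS
                       for m in re.finditer(pat, src, re.IGNORECASE)})
        report["texts"].append({"name": t["name"], "source": t["source"], "findings": hits})
    report["verdict"] = ("SUSPICIOUS" if any(t["findings"] for t in report["texts"])
                         else "HAS_SCRIPTS" if report["texts"] else "CLEAN")
    return report


def build_sample_blend(name: str, script: str, compress: bool = False) -> bytes:
    """CONSTRUCTED fixture mimicking the classic 64-bit little-endian layout; not a real asset."""
    def block(code: bytes, body: bytes) -> bytes:
        hdr = (code.ljust(4, b"\x00") + struct.pack("<i", len(body))
               + b"\x00" * 8 + struct.pack("<ii", 0, 1))
        return hdr + body
    out = b"BLENDER-v305" + block(b"TX", b"\x00" * 40 + b"TX" + name.encode() + b"\x00")
    for line in script.splitlines():
        out += block(b"DATA", b"\x01\x02" + b"\x00" * 46)   # stand-in for the TextLine struct
        out += block(b"DATA", line.encode() + b"\x00")      # the raw line, NUL-terminated
    out += block(b"DNA1", b"") + block(b"ENDB", b"")
    return gzip.compress(out) if compress else out


# Constructed script bodies for the demo (synthetic; not the campaign's Rig_Ui.py).
MALICIOUS_SAMPLE = ("import bpy\nimport subprocess\n"
                    "subprocess.Popen(['powershell', '-c', 'Write-Host synthetic'])\n")
BENIGN_SAMPLE = "import bpy\nclass RigUI(bpy.types.Panel):\n    bl_label = 'Rig UI'\n"

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_blend("Rig_Ui.py", MALICIOUS_SAMPLE)
    print(json.dumps(scan_blend(raw), indent=2))
```

Run it on a download before opening the file; a HAS_SCRIPTS verdict alone is normal for rigged characters (Rigify writes a rig UI script into the file), so the findings list is what matters, and anything it flags belongs in a sandbox, not a workstation. The Auto Run preference itself lives under Preferences, Save & Load, and is exposed in Blender's Python API as bpy.context.preferences.filepaths.use_scripts_auto_execute, which a startup script or pinned config can force to False.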