All news with #stealc tag
Wed, December 10, 2025
Malicious Blender 3D Model Files Spread Infostealer
⚠️ Researchers observed threat actors distributing the StealC V2 infostealer hidden inside free .blend files on marketplaces like CGTrader. When Blender’s Auto Run Python Scripts setting is enabled, opening these models executes embedded Python that fetches a loader via Cloudflare Workers and runs a PowerShell chain to deploy payloads. The campaign exfiltrated browser and wallet data and abused a UAC bypass. Disable Blender’s Auto Run Python Scripts setting and restrict unvetted tools.
Tue, November 25, 2025
Blender .blend Files Weaponized to Deliver StealC V2
🛡️ Cybersecurity researchers disclosed a campaign that leverages Blender .blend files hosted on public asset sites to deliver the information stealer StealC V2. Malicious .blend assets contain embedded Python scripts that execute when Blender's Auto Run is enabled, fetching PowerShell code and two ZIP archives — one deploying StealC V2 and the other a secondary Python stealer. Vendors advise keeping Auto Run disabled and verifying asset sources.
Mon, November 24, 2025
Blender model files used to deliver StealC infostealer
⚠️ Researchers at Morphisec observed a Russian-linked campaign using malicious Blender .blend files uploaded to 3D model marketplaces to deliver the StealC V2 infostealer. The embedded Python in the .blend fetches a loader from a Cloudflare Workers domain, which runs a PowerShell script to download two ZIP archives, unpack them into %TEMP%, drop LNK shortcuts into the Startup folder for persistence, and deploy both the StealC payload and an auxiliary Python stealer. Users are advised to disable Blender's Auto Run for Python scripts and treat downloaded 3D assets like executables, testing unknown files in sandboxed environments.
Tue, September 16, 2025
New FileFix Variant Delivers StealC via Multilingual Phish
🔍 Acronis researchers warn of a campaign using a FileFix variant to deliver the StealC information stealer via a multilingual, heavily obfuscated phishing site. The lure mimics a Facebook security notice and hijacks the clipboard to implant a multi-stage PowerShell command that victims are tricked into executing through File Explorer. Attackers store encoded payload components as images on Bitbucket, decode them locally with a Go-based loader, and ultimately unpack shellcode that launches StealC. The infrastructure uses junk code, fragmentation and other anti-analysis techniques to evade detection and complicate forensic analysis.
Tue, September 16, 2025
FileFix Steganography Attack Drops StealC Infostealer
🛡️ A new FileFix campaign impersonates Meta support to trick users into pasting a disguised PowerShell command into the File Explorer address bar, which then downloads and executes malware. The attackers hide a second-stage script and encrypted binaries inside a seemingly benign JPG hosted on Bitbucket using steganography. The final payload is the StealC infostealer, designed to harvest browser credentials, messaging logins, crypto wallets, cloud keys and more. Security vendor Acronis observed multiple evolving variants over a two-week period and urges user education on these novel ClickFix/FileFix tactics.