Saved February 14, 2026
Do you care about this?
Cybersecurity researchers uncovered a campaign that uses malicious Blender files to deliver the StealC V2 information stealer. Users download infected .blend files from sites such as CGTrader; when the files are opened in Blender, embedded scripts execute and compromise the user's data. The attack relies on Blender's Auto Run feature, which executes scripts embedded in a file automatically when it is opened.
If you do, here's more
Cybersecurity researchers revealed a new campaign that abuses Blender Foundation (.blend) files to distribute an information stealer called StealC V2. The operation has been active for at least six months, using malicious .blend files that users unknowingly download from platforms like CGTrader. These files run embedded Python scripts when opened in Blender, particularly if the Auto Run option is enabled. This creates a significant security risk, because it allows arbitrary scripts to execute on the user's system.
The attack mirrors a previous campaign associated with Russian-speaking threat actors, which targeted the online gaming community by impersonating the Electronic Frontier Foundation. Both campaigns use deceptive documents, evasive techniques, and background malware execution. In this case, the malicious .blend files contain a script that fetches a PowerShell script, which in turn downloads two ZIP archives. One ZIP contains the StealC V2 payload, while the other deploys a secondary Python-based stealer.
StealC V2 is capable of extracting data from 23 different browsers, 100 web plugins, 15 cryptocurrency wallet applications, and various messaging services and email clients. Blender has acknowledged the risks associated with the ability to include Python scripts in .blend files, emphasizing the importance of keeping the Auto Run feature disabled unless the file source is trusted. Blender is typically run on physical machines with GPUs, so a payload executed through it is less likely to be detonated inside a sandbox or virtual machine, which helps attackers evade such security measures.
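The summary above turns on one mechanism: a .blend file can carry Python source in embedded Text datablocks, and Auto Run executes registered scripts when the file is opened. The triage script below is an added example for defenders and is not code from the original article, from Blender, or from the researchers it cites. It walks the classic .blend container format (the 12-byte "BLENDER" header, followed by file blocks that each start with a 4-byte code, a size, an old memory pointer, an SDNA index and a count) and reports how many Text datablocks (block code "TX") a file contains and whether the DATA blocks that follow them carry Python-looking strings. The marker list and the `build_sample_blend` helper that fabricates test files are assumptions and constructed data; the scanner handles only uncompressed files with the classic header, so a compressed .blend must be decompressed first, and a hit means "open this with Auto Run disabled and read the script", not "this file is malicious".

```python
import struct
import sys

HEADER_LEN = 12
# Heuristic markers (an assumption, not a Blender or researcher-published list):
# strings one expects in an embedded Python script rather than in mesh data.
SUSPICIOUS_MARKERS = (b"import ", b"bpy.", b"subprocess", b"os.system", b"urllib", b"base64")


def parse_header(data):
    """Parse the classic 12-byte header: 'BLENDER', pointer size, endianness, version."""
    if len(data) < HEADER_LEN or data[:7] != b"BLENDER":
        raise ValueError("not an uncompressed classic-format .blend file")
    ptr_size = 4 if data[7:8] == b"_" else 8          # '_' = 32-bit pointers, '-' = 64-bit
    endian = "<" if data[8:9] == b"v" else ">"        # 'v' = little-endian, 'V' = big-endian
    version = data[9:12].decode("ascii")              # e.g. "402" for Blender 4.2
    return ptr_size, endian, version


def block_header_format(ptr_size, endian):
    """struct format of a file-block header: code, size, old address, SDNA index, count."""
    return endian + "4si" + ("I" if ptr_size == 4 else "Q") + "ii"


def iter_blocks(data):
    """Yield (code, payload) for every file block up to the ENDB terminator."""
    ptr_size, endian, _ = parse_header(data)
    fmt = block_header_format(ptr_size, endian)
    hdr_len = struct.calcsize(fmt)
    off = HEADER_LEN
    while off + hdr_len <= len(data):
        code, size, _old_addr, _sdna, _count = struct.unpack_from(fmt, data, off)
        off += hdr_len
        if code == b"ENDB":
            break
        if size < 0 or off + size > len(data):
            raise ValueError(f"truncated block {code!r} at offset {off - hdr_len}")
        yield code, data[off:off + size]
        off += size


def triage_blend(data):
    """Return (number of Text datablocks, sorted markers seen in their DATA payloads)."""
    text_blocks = 0
    markers = set()
    in_text = False
    for code, payload in iter_blocks(data):
        if code == b"TX\x00\x00":          # Text datablock: the ID struct itself
            text_blocks += 1
            in_text = True
        elif code != b"DATA":              # any other ID block ends the Text's DATA run
            in_text = False
        if in_text:
            for marker in SUSPICIOUS_MARKERS:
                if marker in payload:
                    markers.add(marker.decode())
    return text_blocks, sorted(markers)


def build_sample_blend(blocks, ptr_size=8):
    """Assemble a synthetic classic-format .blend from (code, payload) pairs.
    Constructed test data only; the payloads are not real Blender structs."""
    endian = "<"
    out = bytearray(b"BLENDER" + (b"_" if ptr_size == 4 else b"-") + b"v" + b"402")
    fmt = block_header_format(ptr_size, endian)
    for code, payload in blocks:
        out += struct.pack(fmt, code, len(payload), 0, 0, 1)
        out += payload
    out += struct.pack(fmt, b"ENDB", 0, 0, 0, 0)
    return bytes(out)


# Constructed samples: a file with only an object block, and one with an
# embedded Text datablock whose lines look like a script.
CLEAN_SAMPLE = build_sample_blend([(b"OB", b"\x00" * 32), (b"DATA", b"\x00" * 16)])
SCRIPTED_SAMPLE = build_sample_blend([
    (b"TX", b"\x00" * 32),
    (b"DATA", b"import bpy\nimport subprocess\n\x00"),
    (b"OB", b"\x00" * 8),
])

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SCRIPTED_SAMPLE
    count, found = triage_blend(data)
    print(f"text datablocks: {count}; script-like markers: {found or 'none'}")
```

Run it as `python triage_blend.py model.blend` to get a quick yes/no on whether a downloaded file carries script text before anyone opens it. The operational mitigation the article points to is independent of this check: keep the Auto Run preference off (`Preferences > Save & Load > Auto Run Python Scripts`, or `bpy.context.preferences.filepaths.use_scripts_auto_execute = False`) and, for files from untrusted sources, start Blender with `--disable-autoexec`, so that even a file with a registered script prompts rather than executes.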