Russian-Linked StealC V2 Campaign Using Trusted Creative Platforms to Evade Detection: What You Need to Know
Cybercriminals have historically targeted IT systems. But now, they’re targeting something far more valuable: creativity, innovation, and design workflows.
Morphisec Threat Labs recently uncovered and prevented a sophisticated Russian-linked StealC V2 malware campaign that weaponized Blender .blend files, a file type commonly used by 3D designers, gaming studios, engineering teams, creative agencies, product development, and animation professionals.
Attackers embedded malicious Python scripts inside 3D model files hosted on legitimate platforms like CGTrader. When a victim opened one of these files in Blender with the Auto Run Python Scripts preference enabled (it is off by default, so the user had either turned it on or clicked "Allow Execution" on Blender's warning banner), the embedded script quietly executed a loader that deployed StealC V2, gaining access to:
- Browser credentials
- VPN and corporate logins
- Crypto wallets and extensions
- Cloud accounts and MFA tokens
- Messaging and email platforms
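Because the whole chain hinges on Blender executing scripts that ship inside the .blend file, the cheapest control is to look at those scripts before trusting the file. The following is an added example, not Morphisec's tooling and not the campaign's own loader. It assumes that the text datablocks (`bpy.data.texts`, in particular those with the "Register" flag) and scripted driver expressions are what Auto Run executes on load, which is how Blender's auto-execution works, and it uses a small, self-chosen set of loader indicators and weights that are this example's assumption rather than a published signature. `score_source()` and `verdict()` are plain Python; `inspect_current_file()` only works inside Blender.

```python
"""Pre-open triage for untrusted .blend files (added example, not vendor tooling).

Run inside Blender with auto-execution forced off, so the file is parsed but
nothing embedded in it runs:

    blender --background --disable-autoexec untrusted.blend --python blend_triage.py

score_source() and verdict() are plain Python and can be unit-tested outside Blender.
"""
import re
from dataclasses import dataclass, field

# Indicator regex -> (label, weight). Weights are an assumption for illustration,
# not a published detection signature.
INDICATORS = {
    r"\bsubprocess\b|\bos\.system\b|\bos\.popen\b": ("process spawn", 3),
    r"\bpowershell(?:\.exe)?\b|-encodedcommand\b|-enc\b": ("powershell launch", 4),
    r"\burllib\b|\brequests\b|\bsocket\b|\bhttp\.client\b": ("network fetch", 2),
    r"\bbase64\b|\bzlib\b|\bmarshal\b|\bexec\s*\(|\beval\s*\(": ("decode/exec", 3),
    r"\bctypes\b": ("native code access", 2),
    r"bpy\.app\.handlers\.(?:load_post|save_pre|depsgraph_update_post)": ("handler persistence", 2),
    r"\\AppData\\|%APPDATA%|\bwinreg\b": ("host persistence path", 2),
}


@dataclass
class Finding:
    name: str            # text datablock name, or "object:data_path" for a driver
    auto_runs: bool      # True if Auto Run would execute this on file load
    hits: list = field(default_factory=list)
    score: int = 0


def score_source(name, src, auto_runs=False):
    """Score one Python source string against INDICATORS and return a Finding."""
    f = Finding(name=name, auto_runs=auto_runs)
    for pattern, (label, weight) in INDICATORS.items():
        if re.search(pattern, src, re.IGNORECASE):
            f.hits.append(label)
            f.score += weight
    return f


def verdict(findings, threshold=5):
    """'block' if an auto-running script scores >= threshold, 'review' if any
    script does, otherwise 'clean'."""
    if any(f.auto_runs and f.score >= threshold for f in findings):
        return "block"
    if any(f.score >= threshold for f in findings):
        return "review"
    return "clean"


def inspect_current_file():
    """Inside Blender: enumerate every script Auto Run would execute for the loaded file."""
    import bpy  # only importable inside Blender
    findings = []
    for text in bpy.data.texts:
        # use_module is the text editor's "Register" checkbox: the text is run
        # as a module when the file loads and Auto Run is enabled.
        findings.append(score_source(text.name, text.as_string(), auto_runs=text.use_module))
    for obj in bpy.data.objects:
        ad = obj.animation_data
        if ad is None:
            continue
        for fc in ad.drivers:
            # Scripted driver expressions are evaluated with Python and are also
            # gated by Auto Run. Object drivers only here; materials, node trees
            # and other ID types can carry drivers too.
            if fc.driver.type == 'SCRIPTED':
                findings.append(score_source(f"{obj.name}:{fc.data_path}",
                                             fc.driver.expression, auto_runs=True))
    return findings


if __name__ == "__main__":
    # Reached only when launched via `blender ... --python blend_triage.py`.
    try:
        results = inspect_current_file()
    except ImportError:
        raise SystemExit("run this script from inside Blender (see module docstring)")
    for f in results:
        print(f"{f.name:30} auto_run={str(f.auto_runs):5} score={f.score:2} {', '.join(f.hits)}")
    print("verdict:", verdict(results))
```

A "block" verdict means a script that would run on load looks like a loader; "review" means suspicious code is present but would only run if someone executes it by hand. Keeping `--disable-autoexec` on the command line matters: without it, a background run of Blender would itself trigger the file's scripts if the preference is enabled.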
This marks a major shift in how and where cyberattacks are launched, from IT to innovation ecosystems.
The New Reality: Creative Tools Are Becoming Attack Surfaces
Attackers now exploit the trust placed in design tools, creative assets, community marketplaces, and collaboration workflows, all areas that have been historically overlooked by cybersecurity programs.
Here is what that shift looks like in practice:

| Business Risk | What It Means |
|---|---|
| Expansion of Attack Surface | Designers, engineers, R&D, marketing, and product development teams are now high-value targets. |
| Exploitation of Trusted Tools | Platforms like Blender, Unity, GitHub, Adobe, and Figma become silent malware delivery channels. |
| Rapid Tooling Evolution | StealC V2 uses modular payloads and Pyramid C2 infrastructure to adapt quickly and evade defensive tooling. |
| Credential Theft Fuels Ransomware | These campaigns start not with encryption but with quiet credential theft. |
| EDR & AV Blind Spots | Memory-resident, fileless loaders leave little for signature-based tools to match and can slip past behaviour-based detection that is not watching process lineage. |
Key Takeaways for CEOs, CIOs & CISOs
- Cyber Risk Is Expanding Beyond Traditional IT: attackers are targeting media production, product design, engineering, architectural visualization, gaming, and 3D modeling teams, exploiting creative plugins, embedded scripts, and automated execution features.
- Trusted Design Platforms Are Now Cyber Entry Points: Blender, Unity, Unreal Engine, Autodesk, Adobe Creative Cloud, Figma, and Miro allow embedded scripting or plugin execution, making them ideal delivery channels for malware.
- The First Stage of Ransomware Is No Longer Encryption, It's Theft: StealC V2 is engineered to extract credentials, harvest cloud logins, bypass MFA by reusing stolen session tokens, and set up persistent backdoor access, all before ransomware ever detonates.
Stolen credentials and session tokens let attackers operate inside cloud and corporate accounts for weeks or months while looking like legitimate users, so nothing obvious fires an alert. Traditional EDR, AV, and XDR tools struggle with this stage: the loader runs in memory and works through legitimate interpreters (PowerShell, Python) rather than a dropped executable, so there is little for signature-based tools to match. What remains visible is behaviour, above all a creative application such as Blender spawning PowerShell or another interpreter, and that process lineage is where detection has to look.
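The fileless loader still has to start an interpreter from inside Blender, and that parent/child relationship shows up in any process-creation telemetry. The following is an added example of that lineage check, not Morphisec's detection content. The sample events are constructed for illustration and use Sysmon ProcessCreate field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`); the child-process list, the encoded-launch markers and the severity thresholds are this example's choices.

```python
"""Process-lineage detection for creative-tool abuse (added example, not vendor content).

Flags a Blender process spawning a shell or interpreter, and raises severity when
the command line carries encoded or hidden-window flags. Sample events are constructed.
"""

CREATIVE_PARENTS = {"blender.exe", "blender"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "pythonw.exe",
    "mshta.exe", "rundll32.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}
# Command-line idioms that signal a hidden or encoded interpreter launch.
ENCODED_MARKERS = (
    "-enc ", "-encodedcommand", "-ec ", "-e ", "frombase64string",
    "-w hidden", "-windowstyle hidden", "-nop", "iex ", "invoke-expression",
)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return an alert dict for one process-creation event, or None if it is not interesting."""
    parent = basename(event.get("ParentImage", ""))
    if parent not in CREATIVE_PARENTS:
        return None
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    reasons = []
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if any(marker in cmd for marker in ENCODED_MARKERS):
        reasons.append("encoded or hidden interpreter invocation")
    if not reasons:
        return None
    # Blender add-ons occasionally launch helper processes, so a bare child is
    # "medium"; a child plus encoded/hidden flags is "high".
    return {
        "severity": "high" if len(reasons) == 2 else "medium",
        "pid": event.get("ProcessId"),
        "child": child,
        "reasons": reasons,
    }


def run(events):
    """Evaluate a batch of events and return only the alerts, in input order."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample telemetry: one encoded PowerShell launch from Blender, one
# plain python.exe launch from Blender, one PowerShell launch from Explorer.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe",
     "Image": r"C:\Users\artist\AppData\Local\Programs\Python\Python311\python.exe",
     "CommandLine": r"python.exe C:\Users\artist\AppData\Local\Temp\render_helper.py"},
    {"ProcessId": 4200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The third sample is deliberately ignored: an encoded PowerShell launch from Explorer is a different (and already common) rule. The point of this one is the parent: a 3D modelling application has no business starting PowerShell with `-enc`, so the lineage alone carries the signal even though no file was dropped.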
How Morphisec Stops These Attacks Before Execution
Morphisec’s prevention-first anti-ransomware platform uses Automated Moving Target Defense (AMTD) to stop StealC and similar threats before they execute, eliminating the possibility of credential theft, C2 communication, or ransomware staging.
Here’s how it works:
| Morphisec Advantage | What It Prevents |
|---|---|
| Decoy credentials in memory | Credential theft and lateral movement |
| Memory-based deception | Reflective and fileless loaders |
| Deterministic pre-execution blocking | Malware stopped before it runs |
| No alert fatigue | No dwell time, triage, or SOC overhead |
| Zero disruption | No sandboxing, isolation, or scanning delays |
Why Business Leaders Should Care
This class of attack represents more than a cyber threat — it’s a business risk that impacts:
- Intellectual property, design data, and digital assets
- Product development, R&D, and creative production workflows
- Cloud and supply chain integrity
- Brand trust and digital reputation
- M&A cybersecurity risk assessments
- Regulatory and insurance compliance (SOX, SOC2, NIST, HIPAA, GDPR)
To keep pace with today’s stealthy, credential-driven campaigns, CISOs and CIOs must rethink where cyber risk lives, how it moves, and when it should be stopped — before execution, and before it becomes a business event.
Here are several strategic actions security leadership can take to address these threats:
| Leadership Priority | Recommended Action |
|---|---|
| Expand cyber risk mapping | Include creative, design, R&D, and engineering workflows |
| Assume credential theft is stage one | Treat infostealers as ransomware preparation |
| Move beyond detection-first defenses | Adopt deterministic, pre-execution prevention |
| Protect high-risk roles | Secure designers, architects, 3D modelers, video editors, R&D |
| Test security stack limitations | Confirm whether existing tools stop fileless loaders |
We’ve condensed this research into a 2-page executive summary built for CEOs, CIOs, CISOs, and security risk leaders. It’s the perfect guide for internal strategy conversations, board updates, and leadership briefings.
Download your copy and learn how your team can proactively defend against evasive and sophisticated threats.