
šŸ„·šŸæHidden in Plain Sight: How Malicious .blend Files Are Becoming a New Attack Vector

  • Writer: bharat kumar
  • Nov 15
  • 3 min read



For years, security analysts focused on malicious .py, .exe, or macro-enabled docs — but attackers have quietly shifted to new creative containers. One of the latest abused formats? Blender’s .blend files.

These files aren’t just 3D models anymore. Threat actors recently weaponized them by embedding PowerShell payloads, turning digital art assets into stealthy delivery mechanisms for full system compromise.

🎭 How the Attack Works — Step by Step

1ļøāƒ£ Malicious Script Embedded Inside the .blend File

Attackers hide PowerShell code inside Blender text blocks, drivers, handlers, or startup scripts that run automatically when the file is opened.

2ļøāƒ£ Payload Executes When the File Is Opened

When a user opens the .blend file, the embedded PowerShell script triggers silently — no alerts, no warnings.

3ļøāƒ£ Calls Out to Remote Server

The script attempts to:

  • Connect to an external command-and-control domain

  • Download a ZIP payload

  • Extract multiple malicious components to temp folders

4ļøāƒ£ Establishes Persistence

The attack deploys multiple persistence techniques, including:

  • Dropping .lnk shortcut files

  • Copying executables/scripts into the Startup folder

  • Creating disguised temp files with random names

  • Planting auto-run entries the user rarely notices

5ļøāƒ£ Anti-Forensics Techniques

To stay hidden, the script:

  • Clears PowerShell execution history

  • Removes temporary evidence

  • Suppresses console windows

  • Blocks error messages to avoid suspicion

🧩 MITRE ATT&CK Mapping — Tactics & Techniques Used

Initial Access

  • T1193 Spearphishing Attachment: Malicious .blend files shared as project assets

  • T1204.002 User Execution: Victim opens the booby-trapped Blender file

Execution

  • T1059.001 PowerShell: Embedded script automatically launches

  • T1059.006 Script Execution inside application environments

Persistence

  • T1547.001 Startup Folder: Dropping files into the Windows Startup directory

  • T1547.009 Shortcut Modification (.lnk)

  • T1053 Scheduled Tasks (in some variants)

Defense Evasion

  • T1070.003 Clearing PS history

  • T1027 Obfuscated/Encrypted scripts

  • T1140 Deobfuscation of hidden code inside blend blocks

Discovery

  • Checking system paths, permissions, OS version

Command & Control

  • T1071 Web-based C2: HTTP/HTTPS outbound calls

  • T1105 Ingress Tool Transfer: Downloading zip payloads

Impact

  • Deployment of secondary payloads

  • Installation of spyware, stealers, or RATs

  • Forced persistence for long-term access

🔥 Why These Attacks Work

  • Artists, designers, and dev teams don’t expect 3D asset files to be harmful.

  • Security tools don’t inspect .blend internal text fields or automation scripts.

  • Users often run Blender with elevated permissions.

  • Blend files can store Python, shell commands, and event triggers — perfect for injection.

Attackers exploit the trust around creative assets and collaboration workflows.

šŸ›”ļø How to Protect Yourself and Your Team

1ļøāƒ£ Strong User Awareness

  • Train designers, VFX teams, and 3D artists to treat .blend files like executables.

  • Teach users never to open untrusted or leaked Blender assets.

2ļøāƒ£ Secure Asset Repositories

  • Enforce file integrity checks

  • Flag unexpected script blocks inside .blend files

  • Quarantine suspicious assets before use

3ļøāƒ£ Monitor Script Execution

  • Alert when Blender spawns PowerShell or CMD

  • Detect unusual ZIP downloads, extraction, or .lnk creation

  • Track unexpected writes to Startup folders
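One way to implement the three monitoring points above, as an added example that is not part of the original post: a small Python rule set run over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records. The field names, paths and PIDs are assumed sample data, not real telemetry.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (field names and paths are assumed, not real telemetry).
# EventID 1 = process creation, EventID 11 = file creation.
BLENDER = r"C:\Program Files\Blender Foundation\Blender 4.2\blender.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": BLENDER, "CommandLine": r"blender.exe C:\Projects\scene.blend"},
    {"EventID": 1, "ProcessId": 4188, "ParentImage": BLENDER, "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\x.ps1"},
    {"EventID": 11, "ProcessId": 4188, "Image": POWERSHELL,
     "TargetFilename": STARTUP + r"\updater.exe"},
    {"EventID": 11, "ProcessId": 7001, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\notes.lnk"},
    {"EventID": 1, "ProcessId": 5002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # benign: not from Blender
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # matched case-insensitively

def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Apply the three monitoring rules and return (rule, ProcessId, detail) tuples.
    A script host spawned by Blender is remembered so that its later writes into the
    Startup folder are attributed to that chain instead of being judged in isolation."""
    findings, chain_pids = [], set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and basename(ev.get("ParentImage", "")) == "blender.exe" \
                and basename(ev.get("Image", "")) in SCRIPT_HOSTS:
            chain_pids.add(ev["ProcessId"])
            findings.append(("blender_spawns_script_host", ev["ProcessId"], ev.get("CommandLine", "")))
        elif eid == 11 and STARTUP_MARKER in ev.get("TargetFilename", "").lower():
            target = ev["TargetFilename"]
            if ev.get("ProcessId") in chain_pids:       # any write from the Blender chain
                findings.append(("startup_write_from_blender_chain", ev["ProcessId"], target))
            elif target.lower().endswith(".lnk"):      # .lnk creation from anywhere else
                findings.append(("startup_lnk_created", ev["ProcessId"], target))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The same rules translate directly into a SIEM query: process creation where the parent image is blender.exe and the child is a script host, joined to file creations under the Startup folder by the same process id.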

4ļøāƒ£ Revoke Elevated Permissions

  • Don’t allow Blender to run with admin privileges

  • Restrict PowerShell to Constrained Language Mode for non-admin creatives

  • Enforce application whitelisting for critical workstations

5ļøāƒ£ Endpoint Hardening

  • Block outbound connections from non-development machines

  • Enable logging for PowerShell, Sysmon, and script-based execution

  • Apply tamper-resistant security controls

6ļøāƒ£ Incident Response Ready

If a suspicious .blend file is opened:

  • Isolate the endpoint

  • Sweep startup folders, temp directories, and scheduled tasks

  • Reset credentials and audit all outbound connections

✨ Final Thoughts

Attackers are evolving — and so must we. As creative tools grow more powerful, they also become unexpected attack surfaces. A simple .blend file can now act as a fully automated malware launcher.

Protect your artists. Protect your pipeline. Protect your systems. Because cyber-threats aren’t just coming from code — they’re hiding in the art.



Created by and owned by cybersergeants.org
