3D Models
3D Print Models
3D Scans
Animation & MoCap
Textures
Materials
Skin Reference
2D Game Assets
Sound Effects
Brushes & Tools
Reference Photos
Stock Images
HDR Images
3ds Max
Maya
Blender
Unreal Engine
Unity
ZBrush
Cinema 4D
LightWave
Marmoset
SketchUp
FBX
DAE
DXF
GLB⚠ DAZ vs Blender - one makes characters, the other steals your passwords
202Thread Activity
guy916007 Hours ago
Digital Drapery Co8 Hours ago
Digital Drapery Co8 Hours ago
Darkseal12 Hours ago
Darkseal12 Hours ago
guy9160012 Hours ago
So... Blender users always scream "DAZ is dead" - but guess who is getting malware in their .blend files now?
Hey guys,
I just found something pretty interesting (and kinda evil-funny ngl). Blender artists keep calling us DAZ users "lazy, click-render artists," but turns out some Blender assets out in the wild are literally stealing crypto wallets + browser data
Yep - hackers have started uploading '.blend' files with hidden Python scripts inside. You open the file, auto-run kicks in boom, malware on your PC. Stealing passwords, wallets, browser cookies, chat accounts, all that juicy stuff.
Like bro... Imagine downloading a "free stylized girl model" and losing your Bitcoin for it
---
TL;DR for the RenderHub squad
Malicious '.blend' assets started showing up on marketplaces
They contain embedded scripts & run automatically if Blender Auto-Run is ON
The payload can steal browser data, wallet info, credentials and more
You don't even need to execute anything - opening the file can be enough
We DAZ artists might fight about topology and HD morphs, but at least our content doesn't try to rob people while they're making boobs look shiny
---
So what does this mean for us?
Even if you use Blender for hair cards, simulations, shader baking, whatever - don't trust every random model that looks pretty.
Disable Auto-Run, scan files, don't download from random places, especially if the creator is unknown or posted 4 models in one day like a crypto bot on Redshift.
---
And yes, this is also our chance to tease them a bit
Next time someone says "DAZ is dead", just whisper:
> At least DAZ models don't steal your crypto.
> At worst they steal your heart
If any of you want, we can also make a RenderHub safety checklist for Blender/DAZ pipeline users - clean workflow tips, virus-safe import steps, etc.
Could be useful AND we get to laugh while sharing it.
[The Hacker News – Malicious .blend files delivering StealC malware]
Hey guys,
I just found something pretty interesting (and kinda evil-funny ngl). Blender artists keep calling us DAZ users "lazy, click-render artists," but turns out some Blender assets out in the wild are literally stealing crypto wallets + browser data
Yep - hackers have started uploading '.blend' files with hidden Python scripts inside. You open the file, auto-run kicks in boom, malware on your PC. Stealing passwords, wallets, browser cookies, chat accounts, all that juicy stuff.
Like bro... Imagine downloading a "free stylized girl model" and losing your Bitcoin for it
---
TL;DR for the RenderHub squad
Malicious '.blend' assets started showing up on marketplaces
They contain embedded scripts & run automatically if Blender Auto-Run is ON
The payload can steal browser data, wallet info, credentials and more
You don't even need to execute anything - opening the file can be enough
We DAZ artists might fight about topology and HD morphs, but at least our content doesn't try to rob people while they're making boobs look shiny
---
So what does this mean for us?
Even if you use Blender for hair cards, simulations, shader baking, whatever - don't trust every random model that looks pretty.
Disable Auto-Run, scan files, don't download from random places, especially if the creator is unknown or posted 4 models in one day like a crypto bot on Redshift.
---
And yes, this is also our chance to tease them a bit
Next time someone says "DAZ is dead", just whisper:
> At least DAZ models don't steal your crypto.
> At worst they steal your heart
If any of you want, we can also make a RenderHub safety checklist for Blender/DAZ pipeline users - clean workflow tips, virus-safe import steps, etc.
Could be useful AND we get to laugh while sharing it.
[The Hacker News – Malicious .blend files delivering StealC malware]
! REPORT
Quote: So... Blender users always scream "DAZ is dead"
Clearly you have never even visited any Blender forum.
even the most snobbish Blender users simply dismiss Daz figures a limited because they are not your property
and thus have distribution limitations for game dev and other long term commercial options
thus their mantra learn to model your own
BTW your thread title is misleading
Daz Studio does not "make models"
is loads existing model, of a specific format, made by
Skilled people with modeling ,sculpting,UV mapping skills
using ACTUAL Modeling softwares like ZBrush, Maya and Blender.
FYI it's never really a good look to be gleefully celebrating the potential destruction of any creatives Data or other financial harm caused by cyber criminals
(he said, as he strolls over to update his blocklist)
Clearly you have never even visited any Blender forum.
even the most snobbish Blender users simply dismiss Daz figures a limited because they are not your property
and thus have distribution limitations for game dev and other long term commercial options
thus their mantra learn to model your own
BTW your thread title is misleading
Daz Studio does not "make models"
is loads existing model, of a specific format, made by
Skilled people with modeling ,sculpting,UV mapping skills
using ACTUAL Modeling softwares like ZBrush, Maya and Blender.
FYI it's never really a good look to be gleefully celebrating the potential destruction of any creatives Data or other financial harm caused by cyber criminals
(he said, as he strolls over to update his blocklist)
REPLY
! REPORT
Digital Drapery Co
Karma: 15,021
Wed, Dec 03Oh absolutely my friend - I've been to Blender forums.
A few of them even allowed me to breathe before reminding me that unless I sculpt a female from a cube in under 12 minutes while solving world hunger, I'm not a "real artist."
You're right though - DAZ loads models made by skilled people.
Which is why I don't feel the need to reinvent the femur bone every time I want to render a girl with eyebrows.
Efficiency is a skill too, brother.
And yes, we know Blender users preach
"model it yourself, be free, touch the holy subdivide"
But sometimes a man just wants to drag a morph slider and feel God.
As for the title - it's supposed to be dramatic.
If Blender malware steals wallets, and DAZ steals sleep and GPU temps, then I say:
Both create artists.
One creates characters.
The other creates panic.
No hard feelings.
You defend Blender like it pays your rent - respect.
Just remember to turn off Auto-Run while doing it
(I'll try not to celebrate anyone getting hacked...
unless it's the guy who told me DAZ "isn't real art."
Then maybe just a tiny giggle )
A few of them even allowed me to breathe before reminding me that unless I sculpt a female from a cube in under 12 minutes while solving world hunger, I'm not a "real artist."
You're right though - DAZ loads models made by skilled people.
Which is why I don't feel the need to reinvent the femur bone every time I want to render a girl with eyebrows.
Efficiency is a skill too, brother.
And yes, we know Blender users preach
"model it yourself, be free, touch the holy subdivide"
But sometimes a man just wants to drag a morph slider and feel God.
As for the title - it's supposed to be dramatic.
If Blender malware steals wallets, and DAZ steals sleep and GPU temps, then I say:
Both create artists.
One creates characters.
The other creates panic.
No hard feelings.
You defend Blender like it pays your rent - respect.
Just remember to turn off Auto-Run while doing it
(I'll try not to celebrate anyone getting hacked...
unless it's the guy who told me DAZ "isn't real art."
Then maybe just a tiny giggle )
People love to act like every model started from a cube,
like Michelangelo sculpting marble with his teeth -
but real workflow is way simpler
---
How pros actually work:
1 Start from a base mesh (DAZ, MetaHuman, MakeHuman, ZBrush starter etc.)
2 Sculpt + refine - instead of rebuilding anatomy every time
3 Retopo over existing figures for game rigs or stylized control
4 Re-use, re-morph, re-texture - because time = money
Even Blender gods dont wake up saying:
"Today Ill birth a human from a cube"
---
Real pipeline:
Base mesh - Sculpt - Retopo - UV - Bake - Texture - Reuse
Professionals optimize, they dont suffer for flex.
DAZ artists do the same, just with a head start -
rigged, anatomical and ready to morph.
Not cheating.
Just not starting from zero.
---
And lets be honest...
plenty of Blender creators use DAZ, Hexagon, ZBrush, retopo workflows too -
they just dont brag about it because the cube-purist council might revoke their membership card
---
Tools are tools.
Skills are skills.
Pros use what works.
Beginners worship the software.
We make art.
like Michelangelo sculpting marble with his teeth -
but real workflow is way simpler
---
How pros actually work:
1 Start from a base mesh (DAZ, MetaHuman, MakeHuman, ZBrush starter etc.)
2 Sculpt + refine - instead of rebuilding anatomy every time
3 Retopo over existing figures for game rigs or stylized control
4 Re-use, re-morph, re-texture - because time = money
Even Blender gods dont wake up saying:
"Today Ill birth a human from a cube"
---
Real pipeline:
Base mesh - Sculpt - Retopo - UV - Bake - Texture - Reuse
Professionals optimize, they dont suffer for flex.
DAZ artists do the same, just with a head start -
rigged, anatomical and ready to morph.
Not cheating.
Just not starting from zero.
---
And lets be honest...
plenty of Blender creators use DAZ, Hexagon, ZBrush, retopo workflows too -
they just dont brag about it because the cube-purist council might revoke their membership card
---
Tools are tools.
Skills are skills.
Pros use what works.
Beginners worship the software.
We make art.
REPLY
! REPORT
Masterstroke
Karma: 4,028
18 Hours agoTrue, and pin up photographers usually don't "create" their models themselves either.
Instead they find them in agencies, in the streets or in cafes.
Instead they find them in agencies, in the streets or in cafes.
The funny part is - DAZ, Maya, ZBrush and Blender aren't enemies.
They're parts of one ecosystem.
The only time conflict appears is when someone tries to defend cube-to-human workflows like a religion
Because let's be honest:
If realism is the goal -
DAZ already has a population.
Blender is still filing birth certificates one sculpt at a time.
And before anyone jumps in with
"But Blender can do everything too!"
Yes it can. But here's what "everything" looks like there:
First sculpt anatomy
Then topology pass
UV unwrap manually
Rig bones one-by-one
Weight paint like yoga for your wrist
Pray no vertices explode during posing
Then build skin shader nodes like spaghetti logic
Then spend grooming hours on hair that still looks too clean
Powerful? Absolutely.
Fast? Only if you never blink
Meanwhile:
DAZ starts alive - rigged, weighted, skinned, hair-ready.
ZBrush sculpts details like butter.
Maya rigs like a surgical machine.
Cascaduer bends bodies like physics gymnasts.
We don't use DAZ because we can't sculpt -
we use DAZ because humans take time, and artists don't get medals for rebuilding the skeleton every week.
So here's the real truth:
Pros use tools like weapons.
Beginners worship them like religion.
We build worlds.
We make characters.
We create.
No cube-purity oath required.
If Blender takes 4 months to make a human and DAZ gives one instantly - that's not cheating…
That's knowing where your time is worth more.
They're parts of one ecosystem.
The only time conflict appears is when someone tries to defend cube-to-human workflows like a religion
Because let's be honest:
If realism is the goal -
DAZ already has a population.
Blender is still filing birth certificates one sculpt at a time.
And before anyone jumps in with
"But Blender can do everything too!"
Yes it can. But here's what "everything" looks like there:
First sculpt anatomy
Then topology pass
UV unwrap manually
Rig bones one-by-one
Weight paint like yoga for your wrist
Pray no vertices explode during posing
Then build skin shader nodes like spaghetti logic
Then spend grooming hours on hair that still looks too clean
Powerful? Absolutely.
Fast? Only if you never blink
Meanwhile:
DAZ starts alive - rigged, weighted, skinned, hair-ready.
ZBrush sculpts details like butter.
Maya rigs like a surgical machine.
Cascaduer bends bodies like physics gymnasts.
We don't use DAZ because we can't sculpt -
we use DAZ because humans take time, and artists don't get medals for rebuilding the skeleton every week.
So here's the real truth:
Pros use tools like weapons.
Beginners worship them like religion.
We build worlds.
We make characters.
We create.
No cube-purity oath required.
If Blender takes 4 months to make a human and DAZ gives one instantly - that's not cheating…
That's knowing where your time is worth more.
REPLY
! REPORT
Masterstroke
Karma: 4,028
17 Hours agoAnd DAZ still gives you the opportunity, to sculpt custom characters from the base figure.
You could even apply your own UV maps to it.
The custom way, is always possible with DAZ.
My highest respect to everyone, who does every step of work in Blender, but I agree, that this doesn't have to be the only way.
You could even apply your own UV maps to it.
The custom way, is always possible with DAZ.
My highest respect to everyone, who does every step of work in Blender, but I agree, that this doesn't have to be the only way.
People romanticize old workflows because they look heroic -
stone, chisels, clay under fingernails, suffering for art.
So they think digital should be the same struggle.
But there's one detail they never consider:
A marble statue doesn't need skin pores.
A clay bust doesn't need 200 blendshapes.
Stone never has to raise its arm without tearing.
A statue doesn't blink, talk, smile, breathe or walk.
It doesn't need topology, UVs, rigging or hair physics.
A digital human is not just sculpture -
it's a machine built to mimic life.
And that means:
topology flow
deformation logic
UV compatibility
shader realism
animation responsiveness
realistic SSS + hair systems
real-time performance in engine
Michelangelo didn't have to worry about 60 FPS in Unreal.
We respect the old masters -
but we don't need to recreate history every morning.
Modern character creation isn't stone age art.
It's engineering + anatomy + shading + simulation working together.
Using a base mesh isn't cheating -
it's starting the race on the track, not carving the stadium first.
Marble is past.
Digital people are future.
And we - DAZ, ZBrush, Unreal, Maya artists -
We don't build statues.
We build people.
stone, chisels, clay under fingernails, suffering for art.
So they think digital should be the same struggle.
But there's one detail they never consider:
A marble statue doesn't need skin pores.
A clay bust doesn't need 200 blendshapes.
Stone never has to raise its arm without tearing.
A statue doesn't blink, talk, smile, breathe or walk.
It doesn't need topology, UVs, rigging or hair physics.
A digital human is not just sculpture -
it's a machine built to mimic life.
And that means:
topology flow
deformation logic
UV compatibility
shader realism
animation responsiveness
realistic SSS + hair systems
real-time performance in engine
Michelangelo didn't have to worry about 60 FPS in Unreal.
We respect the old masters -
but we don't need to recreate history every morning.
Modern character creation isn't stone age art.
It's engineering + anatomy + shading + simulation working together.
Using a base mesh isn't cheating -
it's starting the race on the track, not carving the stadium first.
Marble is past.
Digital people are future.
And we - DAZ, ZBrush, Unreal, Maya artists -
We don't build statues.
We build people.
REPLY
! REPORT
Masterstroke
Karma: 4,028
17 Hours agoI don't know your age, but maybe you remember back in the 70s, when men used to have model train tracks in their hobby rooms.
How much of it was really custom made, how much has been built from model kits and how much of it has been pre made.
Well, there has been a huge variation about that, and many put a lot of custom work into it, but I don't know anyone, who built the model trains from scratch. I knew people, that used to kit bash a lot, but nobody built trains or even architecture models from scratch.
I think, this pretty much is the same, when it comes to modern digital 3d environments.
How much of it was really custom made, how much has been built from model kits and how much of it has been pre made.
Well, there has been a huge variation about that, and many put a lot of custom work into it, but I don't know anyone, who built the model trains from scratch. I knew people, that used to kit bash a lot, but nobody built trains or even architecture models from scratch.
I think, this pretty much is the same, when it comes to modern digital 3d environments.
Bobb
Karma: 1,018
14 Hours agoTrains are still a serious hobby. I have two friends who do it and got roped into wiring up one gent's board. Like so many other hobbies, there's lots more money involved in it these days.
Digital Drapery Co
Karma: 15,021
13 Hours agoYou both hit a perfect comparison.
Model trains in the 70s - or even the 2000s in my case - were never 100% scratch-made either. Some people bought full train sets. Some modified the kits. Some kit-bashed parts and made whole new worlds from pieces that were never meant to fit together.
I used to build tracks too - not just for trains, but for little metal balls to run through.
It wasn't about building every screw and wheel by hand - it was about the joy of making something move, flow, behave like you imagined. The magic wasn't in the raw parts, it was in how you assembled them into something alive.
3D art today is the same.
Some build from primitives.
Some sculpt a base mesh.
Some kitbash with DAZ.
Some retopo in Blender.
Some texture in Substance.
Most do a mix.
What matters isn't whether the train engine was carved from iron ore -
but whether it ran beautifully on the world you built.
Same with characters:
> A good workflow is track engineering
> A character is the train
> The art is when it moves through a world you created
No one demands that model train fans smelt their own steel -
so why should digital artists be expected to carve a human from a cube just to be considered “real
The hobby, the craft, the final world - that's where the heart is.
Model trains in the 70s - or even the 2000s in my case - were never 100% scratch-made either. Some people bought full train sets. Some modified the kits. Some kit-bashed parts and made whole new worlds from pieces that were never meant to fit together.
I used to build tracks too - not just for trains, but for little metal balls to run through.
It wasn't about building every screw and wheel by hand - it was about the joy of making something move, flow, behave like you imagined. The magic wasn't in the raw parts, it was in how you assembled them into something alive.
3D art today is the same.
Some build from primitives.
Some sculpt a base mesh.
Some kitbash with DAZ.
Some retopo in Blender.
Some texture in Substance.
Most do a mix.
What matters isn't whether the train engine was carved from iron ore -
but whether it ran beautifully on the world you built.
Same with characters:
> A good workflow is track engineering
> A character is the train
> The art is when it moves through a world you created
No one demands that model train fans smelt their own steel -
so why should digital artists be expected to carve a human from a cube just to be considered “real
The hobby, the craft, the final world - that's where the heart is.
Thanks for the tip about the .blend files. Even though I don't download .blend files (I prefer to make my own), I immediately checked how my Blender preferences are set 
Thanks even more for your remarks on the tiresome topic of Blender vs. Maya vs. Zbrush vs. DAZ vs. Poser etc, pp, ff ..... These discussions are sooooo boring and really only for half-wits. In my opinion, the only thing that matters is that we - as humans - use our hearts and souls to create something (be it images, models, or props) ... and not have some (supposedly Intelligent) machine do it for us and pass it off as our own work.
Thanks even more for your remarks on the tiresome topic of Blender vs. Maya vs. Zbrush vs. DAZ vs. Poser etc, pp, ff ..... These discussions are sooooo boring and really only for half-wits. In my opinion, the only thing that matters is that we - as humans - use our hearts and souls to create something (be it images, models, or props) ... and not have some (supposedly Intelligent) machine do it for us and pass it off as our own work.
REPLY
! REPORT
Digital Drapery Co
Karma: 15,021
Thu, Dec 04Pushee, exactly - and thank you for jumping in.
Just to clarify my angle here: when I talk about workflow, I'm speaking strictly about human-crafted characters - sculpted, textured, rigged and shaped by an artist's hands, whether the base starts in DAZ, Blender, ZBrush or Maya.
AI is a separate world entirely.
I'm not against experimentation, and I know it's becoming part of modern tools,
but I genuinely hope it never replaces what makes characters ours -
the little imperfections, the hand-placed pores, the personality you sculpt into a cheekbone or a smile.
Game-ready characters still need:
* topology planned by a real eye
* UVs unwrapped with intention
* skin painting that comes from observation, not randomness
* rigging that understands weight and emotion
* detail a machine can copy, but never feel
At the end of the day, I believe people still connect most to what another person created - not what a model generated alone. Our style, our choices, our flaws and fingerprints… that's what keeps characters alive and attractive.
And no matter how far tech goes, I think art with a human soul will always stand out.
Just to clarify my angle here: when I talk about workflow, I'm speaking strictly about human-crafted characters - sculpted, textured, rigged and shaped by an artist's hands, whether the base starts in DAZ, Blender, ZBrush or Maya.
AI is a separate world entirely.
I'm not against experimentation, and I know it's becoming part of modern tools,
but I genuinely hope it never replaces what makes characters ours -
the little imperfections, the hand-placed pores, the personality you sculpt into a cheekbone or a smile.
Game-ready characters still need:
* topology planned by a real eye
* UVs unwrapped with intention
* skin painting that comes from observation, not randomness
* rigging that understands weight and emotion
* detail a machine can copy, but never feel
At the end of the day, I believe people still connect most to what another person created - not what a model generated alone. Our style, our choices, our flaws and fingerprints… that's what keeps characters alive and attractive.
And no matter how far tech goes, I think art with a human soul will always stand out.
Yeah, I don't download blend files either, only obj's, stls or fbx here.
It's kinda sad though. Professional 3d software users cry about Poser / Daz, Poser/ Daz users cry about Ai, DeviantArt users cry about Fan Fic Art, Fur Affinity cry about the price of Fabric... the cycle goes round and around. How about people just use the tools they want to use and make some art.
It's kinda sad though. Professional 3d software users cry about Poser / Daz, Poser/ Daz users cry about Ai, DeviantArt users cry about Fan Fic Art, Fur Affinity cry about the price of Fabric... the cycle goes round and around. How about people just use the tools they want to use and make some art.
REPLY
! REPORT
Digital Drapery Co
Karma: 15,021
13 Hours agoDarkseal - you summed it up perfectly.
Every corner of the art world has its own volcano of opinions:
- Blender vs DAZ
- Poser vs AI
- Fan-art vs Fanfiction
- And apparently fabric pricing is the final boss of the furry timeline
Cycle truly never ends.
For me, this post wasn't about picking tribes -
just a heads-up for artists who download assets blindly.
If even one person avoids malware because they checked Auto-Run or scanned a file first, then mission accomplished. Awareness > arguments.
And yeah, a little pun and playfulness keeps things alive -
we work in 3D, not a funeral home. If we can't laugh at ourselves and our tools, what's the fun in life, right?
At the end of the day, like you said:
Use what you love.
Make what inspires you.
Let the render speak louder than the platform.
That's the energy I want here - not war, just awareness and art.
And thanks again for stopping by - always good to hear from someone who actually creates instead of just debates.
Every corner of the art world has its own volcano of opinions:
- Blender vs DAZ
- Poser vs AI
- Fan-art vs Fanfiction
- And apparently fabric pricing is the final boss of the furry timeline
Cycle truly never ends.
For me, this post wasn't about picking tribes -
just a heads-up for artists who download assets blindly.
If even one person avoids malware because they checked Auto-Run or scanned a file first, then mission accomplished. Awareness > arguments.
And yeah, a little pun and playfulness keeps things alive -
we work in 3D, not a funeral home. If we can't laugh at ourselves and our tools, what's the fun in life, right?
At the end of the day, like you said:
Use what you love.
Make what inspires you.
Let the render speak louder than the platform.
That's the energy I want here - not war, just awareness and art.
And thanks again for stopping by - always good to hear from someone who actually creates instead of just debates.
protecting infected native files for 3ds max is: "3ds Max Scene Security Tools". AND "Prune Scene".
you need to search same capable script protection for blender native files
you need to search same capable script protection for blender native files
REPLY
! REPORT
Digital Drapery Co
Karma: 15,021
13 Hours agoNice catch, Cherry, that's a really good angle to bring in.
Yeah, 3ds Max users have gotten pretty used to treating their scene files like potential biohazards, with stuff like Scene Security Tools and Prune Scene as a "shower after the radiation" step.
Blender definitely needs that same mindset now:
Treat .blend files from outside like "executables with pretty thumbnails," not just harmless assets.
Have some kind of "scene scrub / security check" tool or script become standard practice in pipelines, not just a nerdy extra.
And of course the basics: turning off/limiting Auto-Run for embedded Python, and only enabling it when you really trust the source.
My whole reason for making this post was exactly that - not "Blender bad, DAZ good," but:
Our native file formats are turning into attack surfaces,
so we need habits and tools to defend them.
A good "3ds Max Scene Security Tools, but for Blender" would probably become essential pretty fast after this kind of malware campaign. Until then it's:
caution + settings + brain.
Thanks for dropping the 3ds Max side of things here - it helps show this isn't a "Blender-only" drama, it's a modern 3D problem.
Yeah, 3ds Max users have gotten pretty used to treating their scene files like potential biohazards, with stuff like Scene Security Tools and Prune Scene as a "shower after the radiation" step.
Blender definitely needs that same mindset now:
Treat .blend files from outside like "executables with pretty thumbnails," not just harmless assets.
Have some kind of "scene scrub / security check" tool or script become standard practice in pipelines, not just a nerdy extra.
And of course the basics: turning off/limiting Auto-Run for embedded Python, and only enabling it when you really trust the source.
My whole reason for making this post was exactly that - not "Blender bad, DAZ good," but:
Our native file formats are turning into attack surfaces,
so we need habits and tools to defend them.
A good "3ds Max Scene Security Tools, but for Blender" would probably become essential pretty fast after this kind of malware campaign. Until then it's:
caution + settings + brain.
Thanks for dropping the 3ds Max side of things here - it helps show this isn't a "Blender-only" drama, it's a modern 3D problem.
Not for nothing, but what kinda dumbass turns Blender Auto-Run ON, and why? Most people probably don't even know such an option even exists, and it is off by default. I am sure there are some niche cases it is useful, or it probably wouldn't be an option. Daz studio could be attacked with a similar vector, not like it doesn't have scripting in it.
REPLY
! REPORT
Masterstroke
Karma: 4,028
15 Hours agoI don't know Blender enough to tell, so I hope it is not ON by default.
Digital Drapery Co
Karma: 15,021
13 Hours agoYou're right - Auto-Run is off by default, and most users don't touch it.
But here's where it gets tricky:
Plenty of artists enable Auto-Run once for a Python-based addon or rig, then forget they ever changed it. The setting stays on silently. Months later, they download a "cool free model"... and never think twice. Boom - perfect entry point.
Most people aren't dumb - they just trust files that look like art, not scripts.
DAZ could absolutely be targeted the same way, like you said.
Anything that allows script execution is technically a doorway - Blender's just the platform currently being used because it's popular, open, and easy to distribute files for.
So yeah, no software is bulletproof.
The point of this post isn't:
"Blender bad, DAZ holy"
It's simply:
⚠ Artists should know where the risks are.
Awareness beats surprise every time.
Whether it's Blender Python, DS scripts, Max scene callbacks, or Unreal plugins -
the smarter we are, the safer we all stay.
But here's where it gets tricky:
Plenty of artists enable Auto-Run once for a Python-based addon or rig, then forget they ever changed it. The setting stays on silently. Months later, they download a "cool free model"... and never think twice. Boom - perfect entry point.
Most people aren't dumb - they just trust files that look like art, not scripts.
DAZ could absolutely be targeted the same way, like you said.
Anything that allows script execution is technically a doorway - Blender's just the platform currently being used because it's popular, open, and easy to distribute files for.
So yeah, no software is bulletproof.
The point of this post isn't:
"Blender bad, DAZ holy"
It's simply:
⚠ Artists should know where the risks are.
Awareness beats surprise every time.
Whether it's Blender Python, DS scripts, Max scene callbacks, or Unreal plugins -
the smarter we are, the safer we all stay.
Darkseal
Karma: 3,453
12 Hours agosame here, never hear of auto run on Blender, but again, I don't use it for 3d much, mostly video editing
When I'm asking questions in a Blender forum I NEVER,EVER,NEVER mention that it's for Studio.
REPLY
! REPORT
Digital Drapery Co
Karma: 15,021
13 Hours agoBobb, I get it
Walking into a Blender forum and saying "I’m using this for DAZ…"
is like entering a vampire castle and announcing you brought garlic.
Suddenly everyone gets dramatic shadows and Latin chanting.
Honestly, sometimes you just gotta do stealth-ops:
> "Hello Blender experts, totally pure cube-based user here…"
> "Just casually asking how to retopo… for no reason."
> "Ignore the Genesis 9 mesh in my backpack."
In the end, we all just want things to bend without exploding.
DAZ, Blender - doesn’t matter. Bones snap the same in every language
Walking into a Blender forum and saying "I’m using this for DAZ…"
is like entering a vampire castle and announcing you brought garlic.
Suddenly everyone gets dramatic shadows and Latin chanting.
Honestly, sometimes you just gotta do stealth-ops:
> "Hello Blender experts, totally pure cube-based user here…"
> "Just casually asking how to retopo… for no reason."
> "Ignore the Genesis 9 mesh in my backpack."
In the end, we all just want things to bend without exploding.
DAZ, Blender - doesn’t matter. Bones snap the same in every language
Just to follow up on the discussions about Blender security -
the scary part is not that Auto-Run is on by default (it isn't),
but that many artists turn it on once for an addon and then forget.
Months later, one innocent-looking .blend from the wrong place script executes silently.
Most Blender users don't even realise embedded Python can run on file open,
which is why awareness matters more than blame.
There isn't really a public list of "dangerous plugins," but in general,
anything built with Python can auto-execute if Auto-Run is enabled.
Some addon types especially worth caution with are:
> Auto-riggers & advanced rig utilities
> Import/export tools that run post-processing
> Shader/material automation addons
> Asset library managers
> Random free utility scripts from unknown sources
Not saying these are bad - most are great - just treat them like executable code, not harmless art files.
Best habits right now:
> Make sure Auto Run Python Scripts is OFF unless needed
> Inspect downloaded .blend files in Text Editor before trusting
> Prefer OBJ/FBX/STL if you only need geometry
> Scripts are power - use them carefully
No drama, no division - just knowledge so everyone can work safely.
At the end of the day, we're here to make characters, scenes and worlds - not malware.
the scary part is not that Auto-Run is on by default (it isn't),
but that many artists turn it on once for an addon and then forget.
Months later, one innocent-looking .blend from the wrong place script executes silently.
Most Blender users don't even realise embedded Python can run on file open,
which is why awareness matters more than blame.
There isn't really a public list of "dangerous plugins," but in general,
anything built with Python can auto-execute if Auto-Run is enabled.
Some addon types especially worth caution with are:
> Auto-riggers & advanced rig utilities
> Import/export tools that run post-processing
> Shader/material automation addons
> Asset library managers
> Random free utility scripts from unknown sources
Not saying these are bad - most are great - just treat them like executable code, not harmless art files.
Best habits right now:
> Make sure Auto Run Python Scripts is OFF unless needed
> Inspect downloaded .blend files in Text Editor before trusting
> Prefer OBJ/FBX/STL if you only need geometry
> Scripts are power - use them carefully
No drama, no division - just knowledge so everyone can work safely.
At the end of the day, we're here to make characters, scenes and worlds - not malware.
REPLY
! REPORT
guy91600
Karma: 14,037
12 Hours ago-> Inspect downloaded .blend files in Text Editor before trusting
This advice is excellent, but I think a significant number of Blender users (or users of other scripting software) don't know Python, and simply opening and looking at the source code won't necessarily help them decide not to run it.
So what can be done for those who remain perplexed after reading a script's source code?
This advice is excellent, but I think a significant number of Blender users (or users of other scripting software) don't know Python, and simply opening and looking at the source code won't necessarily help them decide not to run it.
So what can be done for those who remain perplexed after reading a script's source code?
Digital Drapery Co
Karma: 15,021
8 Hours agoJust a small safety note for Blender users who don't read Python - even without coding knowledge, there are a few signs that can warn you if a .blend file may contain something dangerous. If you ever open a file and the script mentions things related to the internet such as downloading, requests or URLs, that's a red flag because a model file shouldn't need to go online. Another thing to be careful about is file-system access, like anything that appears to read, write, delete or modify files outside Blender - a harmless asset shouldn't be touching your drive like that. Also be cautious if you see long, scrambled variable names or encoded strings that don't look human-written, as hidden code is often hidden for a reason. And finally, watch for scripts that look like they trigger themselves automatically when the file loads - that's how malware spreads without you ever pressing run. You don't need to be a programmer to protect yourself - just be aware of unusual behaviour inside files, and if something feels off, it's safer to close the file than to risk it. Sometimes all it takes is a little awareness to avoid a lot of trouble.
Story Mode: The Blender Malware Hijack - How Curiosity Opened the Door
Let me tell you a story - a real one.
Fresh from The Hacker News, November 2025. Not ancient history.
Not rumors.
Fresh enough to still smell like burnt GPU.
For six quiet months, someone - likely Eastern-bloc hackers with too much Red Bull and free time - slipped into the 3D art world like ghosts. They didn't break into servers. They didn't hack accounts.
They hid inside .blend files.
Harmless, friendly, innocent .blend files.
Free characters.
Sexy rigs.
Cool sci-fi assets.
The kind you see on CGTrader and think:
> "Oooh, free! Download."
And that's where the story begins.
---
1. The Bait
Picture it:
You're browsing models like a kid in a candy store.
You see "FREE Cyber Assassin Character Rigged!"
You click download. No antivirus screams.
No suspicious EXE. Just a simple .blend.
It sits on your drive like a stray cat.
You open Blender. You double-click the file.
Door. Open.
---
2. The Hook
Inside that .blend is a tiny Python script.
Not a scary one.
Not flashy.
More like a polite waiter handing you a poisoned drink with a smile.
Maybe the file even loads beautifully.
Maybe you pose the character.
Maybe you even say "Wow, this rig is good."
You have no idea that in the background it's already moving.
---
3. The Bypass
Here's the twist in the story:
Blender does warn you.
Auto-Run is OFF by default.
But…
you once turned it ON for an auto-rigger.
Or for a motion-capture plugin.
Or you clicked Reload Trusted once because you were tired.
Or you trusted the site a little too much.
It takes one tired click -
and the velvet rope drops.
That small script?
Now it can run like a rat in a bakery.
And unlike DAZ scripts, Blender Python has no babysitter.
No sandbox.
No leash.
It can touch your files.
Your registry.
Your browser.
Your wallet.
Your life.
---
4. The Payload
And once it runs?
It doesn't scream.
It whispers.
It calls PowerShell quietly.
It pulls down StealC V2 - an info-stealer evolved like a cockroach.
Within minutes it can collect:
> Chrome passwords
> Wallet seed phrases
> Email logins
> VPN creds
> Discord messages
> Plugins from over 23 browsers
> Files you didn't even know were sensitive
Then it sends everything to a remote command server,
while Blender keeps happily rendering like nothing happened.
Your art PC becomes their ATM.
---
Why It Matters
Blender isn't insecure.
It's just human-dependent.
And humans are curious.
Impatient.
Optimistic.
Security didn't fail - we clicked.
---
< Armor-Up (simple rules that save worlds)
Keep Auto-Run OFF unless you absolutely need it
Don't open random .blend files like candy
Scan assets with VirusTotal first
Stick to trusted creators & marketplaces
Update Blender - patches matter
And if you really must open unknown files, do it in a VM like a bomb technician
---
Final Thought
If you want security expertise -
ask people smarter than me.
I just put the flashlight on a hole in the floor.
If you want to keep making art -
do it. DAZ, Blender, Maya, ZBrush, UE5 - pick your sword.
If you want safety -
treat every file like it might have teeth.
And with that - Im done typing.
Back to characters and texture maps instead of malware anatomy.
Stay safe, create loud, and dont let hackers turn your render rig into their ATM.
We make art - not entry points.
Let me tell you a story - a real one.
Fresh from The Hacker News, November 2025. Not ancient history.
Not rumors.
Fresh enough to still smell like burnt GPU.
For six quiet months, someone - likely Eastern-bloc hackers with too much Red Bull and free time - slipped into the 3D art world like ghosts. They didn't break into servers. They didn't hack accounts.
They hid inside .blend files.
Harmless, friendly, innocent .blend files.
Free characters.
Sexy rigs.
Cool sci-fi assets.
The kind you see on CGTrader and think:
> "Oooh, free! Download."
And that's where the story begins.
---
1. The Bait
Picture it:
You're browsing models like a kid in a candy store.
You see "FREE Cyber Assassin Character Rigged!"
You click download. No antivirus screams.
No suspicious EXE. Just a simple .blend.
It sits on your drive like a stray cat.
You open Blender. You double-click the file.
Door. Open.
---
2. The Hook
Inside that .blend is a tiny Python script.
Not a scary one.
Not flashy.
More like a polite waiter handing you a poisoned drink with a smile.
Maybe the file even loads beautifully.
Maybe you pose the character.
Maybe you even say "Wow, this rig is good."
You have no idea that in the background it's already moving.
---
3. The Bypass
Here's the twist in the story:
Blender does warn you.
Auto-Run is OFF by default.
But…
you once turned it ON for an auto-rigger.
Or for a motion-capture plugin.
Or you clicked Reload Trusted once because you were tired.
Or you trusted the site a little too much.
It takes one tired click -
and the velvet rope drops.
That small script?
Now it can run like a rat in a bakery.
And unlike DAZ scripts, Blender Python has no babysitter.
No sandbox.
No leash.
It can touch your files.
Your registry.
Your browser.
Your wallet.
Your life.
---
4. The Payload
And once it runs?
It doesn't scream.
It whispers.
It calls PowerShell quietly.
It pulls down StealC V2 - an info-stealer evolved like a cockroach.
Within minutes it can collect:
> Chrome passwords
> Wallet seed phrases
> Email logins
> VPN creds
> Discord messages
> Plugins from over 23 browsers
> Files you didn't even know were sensitive
Then it sends everything to a remote command server,
while Blender keeps happily rendering like nothing happened.
Your art PC becomes their ATM.
---
Why It Matters
Blender isn't insecure.
It's just human-dependent.
And humans are curious.
Impatient.
Optimistic.
Security didn't fail - we clicked.
---
< Armor-Up (simple rules that save worlds)
Keep Auto-Run OFF unless you absolutely need it
Don't open random .blend files like candy
Scan assets with VirusTotal first
Stick to trusted creators & marketplaces
Update Blender - patches matter
And if you really must open unknown files, do it in a VM like a bomb technician
---
Final Thought
If you want security expertise -
ask people smarter than me.
I just put the flashlight on a hole in the floor.
If you want to keep making art -
do it. DAZ, Blender, Maya, ZBrush, UE5 - pick your sword.
If you want safety -
treat every file like it might have teeth.
And with that - Im done typing.
Back to characters and texture maps instead of malware anatomy.
Stay safe, create loud, and dont let hackers turn your render rig into their ATM.
We make art - not entry points.
REPLY
! REPORT
