VMProtect
VMProtect is a commercial software protection and code-obfuscation framework, not malware in its own right. In the reporting tracked here it is repeatedly referenced as a packer/protector that threat actors use to hinder static and dynamic analysis, evade antivirus detection, obfuscate control flow, hide imported functions, and add anti-debugging checks. Elastic reported that many samples associated with the Chinese-speaking REF4033 SEO-poisoning/BADIIS IIS malware campaign were protected with VMProtect. Cisco Talos reported that Lotus Blossom (also known as Spring Dragon, Billbug, and Thrip) used VMProtect to obfuscate Sagerunex backdoor code. Kaspersky also noted spyware packed or protected with VMProtect, including a backdoor in a 2024 spear-phishing chain and the commercial spyware Dante, where deobfuscation revealed identifying code. None of this reporting describes VMProtect as having independent malicious capabilities, infection vectors, or indicators of compromise of its own; it is a legitimate protection tool abused to conceal malware across espionage and cybercrime operations. Because legitimate commercial software also ships VMProtect-protected binaries, the protector's presence is a triage signal for a sample already under suspicion, not an indicator of compromise by itself.
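As an added example (not code from this page or from any of the vendors cited above): a standard-library-only Python triage that walks a PE's section table and flags VMProtect's default `.vmp*` section names alongside per-section Shannon entropy. The `.vmp` prefix, the 7.0 bits/byte threshold and the inline sample PE are assumptions of this example; VMProtect can be configured to rename its sections, so entropy is kept as an independent second signal rather than relying on names alone.

```python
"""Triage a PE for VMProtect's usual footprint: section names beginning with
".vmp" and sections whose byte entropy sits near the 8.0 bits/byte of packed
or encrypted data. Standard library only; the sample PE is constructed inline.
"""
import math
import random
import struct

VMP_SECTION_PREFIX = b".vmp"   # assumed default names: .vmp0, .vmp1, ...
HIGH_ENTROPY = 7.0             # assumed heuristic; plain code/data sits well below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for every section header in a PE image.

    Walks MZ -> e_lfanew -> PE signature -> COFF header -> section table and
    decodes only the fields the triage needs (name, SizeOfRawData, PointerToRawData).
    """
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]     # NumberOfSections
    size_opt_hdr = struct.unpack_from("<H", blob, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + size_opt_hdr
    for i in range(num_sections):
        hdr = table + i * 40
        name = blob[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def triage(blob: bytes) -> dict:
    """Per-section findings plus a verdict: 'vmprotect-likely' if any .vmp*
    section exists, 'packed-unknown' if only high entropy is seen (renamed
    sections land here), otherwise 'no-packer-signal'."""
    sections = []
    for name, data in pe_sections(blob):
        ent = shannon_entropy(data)
        sections.append({
            "name": name.decode("ascii", "replace"),
            "entropy": round(ent, 2),
            "vmp_name": name.startswith(VMP_SECTION_PREFIX),
            "high_entropy": ent >= HIGH_ENTROPY,
        })
    if any(s["vmp_name"] for s in sections):
        verdict = "vmprotect-likely"
    elif any(s["high_entropy"] for s in sections):
        verdict = "packed-unknown"
    else:
        verdict = "no-packer-signal"
    return {"sections": sections, "verdict": verdict}


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-loadable PE from [(name, payload), ...]: DOS
    header, PE signature, COFF header without optional header, section table,
    raw section data. Constructed fixture for this example only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(sections)                  # first byte after headers
    table, body = b"", b""
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(payload)
        body += payload
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Constructed samples: repetitive code-like bytes vs. pseudo-random bytes
# standing in for VMProtect's encrypted VM bytecode.
SAMPLE_TEXT = b"\x55\x48\x89\xe5\x90\xc3" * 200
_rng = random.Random(1337)
SAMPLE_VMP = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PE = build_sample_pe([(b".text", SAMPLE_TEXT), (b".vmp1", SAMPLE_VMP)])

if __name__ == "__main__":
    report = triage(SAMPLE_PE)
    for s in report["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.2f} "
              f"vmp_name={s['vmp_name']} high_entropy={s['high_entropy']}")
    print("verdict:", report["verdict"])
```

Run it against a real sample by replacing `SAMPLE_PE` with the file's bytes; a `vmprotect-likely` verdict on the sample gives an analyst a reason to move straight to dynamic analysis or a VMProtect-aware unpacking workflow instead of spending time on static disassembly of the virtualized regions.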
Groups observed using it
1 distinct threat actor attributed by public researchers.
Most of these samples employ VMProtect, a commercial code-obfuscation framework, to hinder static and dynamic analysis.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
4 techniques
Around 2018, Denuvo applied its VMProtect obfuscation layer, making crackers once again work for weeks or even months to clean one title.
Appendix D lists "T1027.001 Obfuscated Files or Information: Binary Padding"; the report discusses use of VMProtect, Themida, and script/binary obfuscation.
To evade detection and triggering security warnings, BHUNT is packed and heavily encrypted using Themida and VMProtect, two virtual machine packers that hinder reverse-engineering and analysis by researchers.
Discovery
1 technique
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Commercial software protector/obfuscation tool used by the operators to pack/obfuscate components in the BADIIS toolchain to impede analysis.
A commercial software protector/obfuscator used to hinder reverse engineering and evade AV detection; used here to protect/obfuscate Sagerunex code.
Commercial protector/obfuscator used to hinder analysis of a backdoor in the described intrusion.
Commercial packer/protector used to obfuscate binaries and hinder analysis/detection.