Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

VMProtect

VMProtect is a commercial software protection and code-obfuscation framework rather than malware itself. In the provided reporting, it is repeatedly referenced as a packer/protector used by multiple malicious operations to hinder static and dynamic analysis and evade antivirus detection. Observed uses include packing an AVKiller payload seen in ransomware-related intrusions involving RansomHub and MedusaLocker; protecting samples associated with the BADIIS IIS malware/SEO poisoning campaign attributed by Elastic to the Chinese-speaking cybercrime group REF4033; and obfuscating Sagerunex backdoor code used by the Lotus Blossom espionage actor (also tracked as Spring Dragon, Billbug, and Thrip). The content also notes broader malware samples employing VMProtect, including references alongside RomCom RAT and other protected tooling. High-confidence details from the content indicate its role is defensive evasion/obfuscation of malicious code, not payload delivery or persistence by itself.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
REF4033

Most of these samples employ VMProtect, a commercial code-obfuscation framework, to hinder static and dynamic analysis.

via elastic security labselastic.co
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

4 techniques
T1027Obfuscated Files or InformationEvidence5

Protection: VMProtect ... encoded strings corresponding to the names of functions and modules were processed. These strings are decoded in memory using the renamed decode_string function.

T1027.001Binary PaddingEvidence1

Appendix D lists "T1027.001 Obfuscated Files or Information: Binary Padding"; the report discusses use of VMProtect, Themida, and script/binary obfuscation.

T1027.002Software PackingEvidence4

Next, I’ll pack it with Themida and VMProtect because shellcode from msvenom freaks out AVs.

T1622Debugger EvasionEvidence1

MITRE ATT&CK Mapping ID Technique Component Notes T1622 Debugger Evasion All VMProtect anti-debug + Safengine anti-dump

Discovery

1 technique
T1622Debugger EvasionEvidence1

MITRE ATT&CK Mapping ID Technique Component Notes T1622 Debugger Evasion All VMProtect anti-debug + Safengine anti-dump

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
elastic security labsNews
Feb 11, 2026
BADIIS to the Bone: New Insights to a Global SEO Poisoning Campaign - Elastic Security Labs

Commercial software protector/obfuscation tool used by the operators to pack/obfuscate components in the BADIIS toolchain to impede analysis.

Read more
talos intelligence blogNews
Feb 27, 2025
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

A commercial software protector/obfuscator used to hinder reverse engineering and evade AV detection; used here to protect/obfuscate Sagerunex code.

Read more
sophos threat researchNews
Jan 20, 2025
HeartCrypt’s wholesale impersonation effort | SOPHOS

A commercial packer/protector referenced as being used to pack the AVKiller payload delivered in HeartCrypt-linked incidents.

Read more
picus security blogNews
Jun 14, 2023
Picus Cyber Threat Intelligence Report May 2023: Top 10 MITRE ATT&CK Techniques

Commercial packer/protector used to obfuscate binaries and hinder analysis/detection.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.