Themida
Themida is a commercial software protector/packer used to obfuscate and protect executables. In the reporting collected here it appears repeatedly as a defense-evasion layer applied to malware: the content describes Themida-packed or Themida-protected payloads across multiple campaigns.

In an Acronis-reported campaign distributing fake game cheats via GitHub and related lures, the downloaded payload background.exe was identified as a Themida-packed Vidar Stealer 2.0 sample. In Lazarus Group activity, including Operation Dream Job, malicious .db files were packed with Themida to evade detection. ESET also reported Lazarus using Themida-protected binaries in a South Korea-focused supply-chain-style campaign abusing the WIZVERA VeraPort software installation ecosystem; the signed initial downloader and another component were described as Themida-protected, with the version estimated at roughly 2.0 to 2.5.

Across the cited reporting, Themida is associated with malware delivery and concealment rather than being the final payload itself, and is linked to Lazarus operations and to Vidar Stealer 2.0 delivery. The high-confidence behaviors directly mentioned are packing/protecting binaries to hinder analysis and evade detection. No standalone infection vector or IoCs specific to Themida itself are provided beyond its use as a protection layer on malicious files.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The signed initial downloaders are Themida-protected binaries... This component is a Themida-protected file. We estimate the version of Themida to be 2.0-2.5.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
7 techniques
Modern software anti-analysis methods are based on more sophisticated packers/protectors, e.g. Themida, Armadillo or ASProtect, which pack the program code and tamper with entry point addresses so that it is hard to find the program's original entry point (OEP). The same is true for the program's import address table (IAT).
Appendix D lists "T1027.001 Obfuscated Files or Information: Binary Padding"; the report discusses use of VMProtect, Themida, and script/binary obfuscation.
Additionally, Sophos.exe (see below), which was packed with Themida, was executed.
After virtualization, the code is transformed into a complex, obfuscated form that is hard to analyze. The devirtualizer restores the original logic, making the code readable again.
Cobalt Strike (license ID "666", packed with Themida) launched via regsvr32.exe or rundll32.exe.
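The packer symptoms described in the technique notes above (an entry point that no longer sits in the normal code section, high-entropy protector code around that entry point, and an import table that has been stripped down because the IAT is rebuilt at runtime) can be turned into a simple triage heuristic. The following is an added, constructed example, not code from this page or from any cited report; the section names, RVAs, import counts and the entropy threshold are assumptions chosen to illustrate the check.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    data: bytes            # raw section bytes as read from disk


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 are typical of compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_for_rva(sections, rva):
    """Return the section whose mapped range contains rva, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + len(s.data):
            return s
    return None


def packing_indicators(sections, entry_rva, import_count, entropy_threshold=7.2):
    """List the packer heuristics that fire for a PE described by its sections,
    its entry-point RVA and the number of imports resolved from its IAT."""
    hits = []
    ep = section_for_rva(sections, entry_rva)
    if ep is None:
        hits.append("entry point lies outside every section")
    else:
        if ep.name != ".text":
            hits.append(f"entry point in non-standard section {ep.name!r}")
        if shannon_entropy(ep.data) >= entropy_threshold:
            hits.append(f"entry-point section {ep.name!r} is high-entropy")
    if import_count < 5:
        hits.append(f"only {import_count} imports: IAT likely rebuilt at runtime")
    return hits


# Constructed sample layouts (not real binaries): a protector-style stub holding
# the entry point, versus a plain compiler-produced .text section.
_rng = random.Random(1)
PACKED = [Section(".text", 0x1000, b"\x00" * 0x200),
          Section(".stub", 0x3000, _rng.randbytes(0x4000))]  # assumed stub name
CLEAN = [Section(".text", 0x1000, b"\x55\x8b\xec" * 300 + b"\x90" * 0x400)]
```

Calling `packing_indicators(PACKED, 0x3010, 2)` reports all three symptoms, while `packing_indicators(CLEAN, 0x1000, 40)` reports none; in practice the section list, entry RVA and import count come from the PE headers of the file under analysis.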
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Commercial software protector/packer used here to obfuscate Lazarus components (initial downloader and loader), hindering static analysis and aiding defense evasion.
Commercial software protector/packer used to obfuscate payloads and hinder analysis/detection.