
Themida

Posted: February 7, 2020

Themida is a legitimate software-protection tool: files packed with the Themida packer are difficult to reverse engineer, and their code is heavily obfuscated. Developers often use it to protect their work, but legitimate software publishers are not the only ones taking advantage of the features that the Themida packer offers. Cybercriminals also abuse the tool to make their corrupted files difficult to analyze. In addition to obfuscating the contents of harmful applications, Themida may also increase their odds of evading anti-virus tools and measures, since the protection engine might not be able to properly identify the harmful code hidden in an executable packed with Themida.

Cybercriminals obfuscate almost all of their threats with the help of some packer or crypter, both to protect their projects and to make the job of malware researchers more difficult. Although these packers are not perfect, they may allow some pieces of malware to operate undetected for a couple of days or weeks. However, you can rest assured that modern anti-malware solutions are able to identify the common traits of corrupted files, even if their contents have been protected by the Themida packer or a similar tool.

Unfortunately, even the high price of the Themida packer is not enough to discourage cybercriminals from abusing this tool's features to secure the contents of their threatening programs. Cracked versions of Themida are being promoted on hacking forums, and even beginner cybercriminals may be able to use this tool to obfuscate their payloads. High-profile cybercriminals also use packers like Themida and CypherIT Autoit: many samples of the AZORult infostealer have been found to use the obfuscation techniques that both of these packers are known to utilize.
