Security researchers have reported that the source code of VMProtect has been leaked twice in the past year, with the second leak occurring just last week on a Chinese IT forum.
VMProtect is a popular tool that protects software from analysis and cracking; it is used legitimately in games and corporate applications. However, it is also widely used by malware developers to protect payloads, and many information security companies automatically flag VMProtect-wrapped software as a potential threat (1, 2, 3). VMProtect has been used by well-known threat groups such as APT31 and ZINC (Diamond Sleet, Lazarus), by Hacking Team, by the Darkside and Rorschach ransomware operations, by the PrivateLoader malware-as-a-service (MaaS), and by others.
The first leak of VMProtect source code was discovered by researchers in the summer of 2022; the second was found last week on the Chinese IT forum kanxue.com (the thread has since been deleted).
Information security researchers have noted that a number of key files are missing from the published archive, including intel.cc, processor.cc, and arm.cc. An attempt to upload the source to GitHub was quickly taken down, but the leak can still be found easily on anonymous file-hosting sites. The code is of great interest to analysts, since it can be used to improve detection and analysis tools.