Why Defender sometimes calls the loader "Themida"
Nimbus is packed with a commercial executable protector. Defender's heuristic engine names the packer, not malware. Here's why.
If Windows Defender, or another engine listed in a VirusTotal report, flags nimbus-loader.exe with a verdict such as HEUR:Trojan.Win32.Themida.gen, Packed.Win32.Themida, or Trojan:Win32/Wacatac.B!ml, you are not looking at an identification of known malware. You are looking at a static heuristic (or, for verdicts ending in !ml, a machine-learning classifier) reacting to our commercial executable protector. This is the same false-positive class that hits every legitimate game, anti-cheat module, and DRM-wrapped application built with the same protector.
What's actually inside the binary. Nimbus is packed with Themida, a commercial executable protector from Oreans. Themida encrypts and virtualises the executable's code section, encrypts strings, and adds runtime anti-tamper and anti-debug checks. We use it because the loader contains anti-cheat-evasion logic that competitors actively try to reverse-engineer; without packing, every public dump tool would have our payload's structure within hours of a release. The trade-off is that AV heuristics which ask "is this binary obfuscated in a way malware also uses?" answer yes for Themida even when the underlying code is benign.
Why the AV flag isn't a real signal. Plenty of legitimate commercial software ships with Themida or comparable protectors (VMProtect, Enigma): DRM modules, anti-cheat installers, paid game-launcher utilities, and so on. The flag is heuristic. It says "this binary is protected in a way malware also uses", not "this binary does something malicious." If you scan the loader on VirusTotal, you'll typically see 5-15 generic packer or ML hits and no sandbox behavioural detections; that distribution is consistent with a legitimate packed binary. It is not proof on its own, though: a copy that has been tampered with can produce the same static spread, so the check that actually settles it is comparing the file's hash against the genuine release.
The fix. Add the loader to your AV exclusions; see the antivirus exclusion guide for the per-AV walk-through. This stops the heuristic from re-flagging on every auto-update. Prefer excluding the file itself (C:\Nimbus\nimbus-loader.exe, or wherever you keep it) over excluding the whole C:\Nimbus\ folder: a folder exclusion also hides anything that later gets dropped next to the loader, which is exactly the spot a real piece of malware impersonating it would choose.
Why we don't switch packers to avoid the flag. We've evaluated VMProtect and Enigma; both have the same heuristic-detection profile against current Defender signatures. The flag isn't packer-specific; it's a class detection. Switching packers would only swap the Themida verdict string for its VMProtect or Enigma equivalent without changing the trigger rate.
Why we don't ship unpacked. Without packing, our anti-cheat-evasion logic is publicly readable on first download. We'd be patched-around within 48 hours of any release, and you'd be the one banned for it. The packer is part of how Nimbus stays viable.
When to be worried. If your AV flags Nimbus with a behavioural verdict after you run the binary, meaning the engine observed the running loader doing something, open a support ticket and attach a screenshot. In Defender, behaviour-monitor verdicts carry the Behavior: prefix (for example Behavior:Win32/Generic.*); the !ml suffix on a verdict such as Trojan:Win32/Wacatac.B!ml marks a machine-learning classification of the file's contents, not an observation of runtime activity, so it belongs with the packer heuristics above. Heuristic and ML flags fire on the file at rest; behavioural flags fire on runtime activity, and those are worth investigating in case a real piece of malware is impersonating the loader. A genuine impersonation will also fail a hash comparison against the real release, so check that before excluding anything.
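The following PowerShell script is an added illustration of the two checks described above (the exclusion in "The fix" and the static-versus-behavioural triage in "When to be worried"); it is not part of this article or Nimbus's own tooling. It assumes the loader lives at C:\Nimbus\nimbus-loader.exe and that you have the genuine release's SHA-256 to paste into the placeholder; the verdict classes and the regex of packer-family names are the author's own grouping based on Defender's naming conventions (Behavior: prefix for behaviour-monitor detections, !ml suffix for machine-learning detections). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Nimbus's code): triage Defender's detection history for
# the loader, then add a file-scoped exclusion only if nothing behavioural fired.
# Assumptions: loader path below; $ExpectedSha256 placeholder must be replaced
# with the hash of the genuine release before use. Requires the Defender module
# (built in on Windows 10/11) and an elevated prompt.

$LoaderPath     = 'C:\Nimbus\nimbus-loader.exe'
$ExpectedSha256 = '<sha256 of the genuine release>'   # placeholder, replace before use

# 1. Trust nothing until the file on disk is the one we shipped.
$actual = (Get-FileHash -Path $LoaderPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    throw "Hash mismatch for $LoaderPath (got $actual). Do not exclude it; re-download and open a ticket."
}

# 2. Collect every Defender detection that referenced this file.
$hits = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($LoaderPath) }

# 3. Classify verdicts by Defender's naming convention:
#    Behavior:*                 -> behaviour monitor saw runtime activity (escalate)
#    Themida/VMProtect/Packed/  -> packer-family static heuristic (expected)
#    *!ml                       -> ML classification of file contents (static)
function Get-VerdictClass([string]$Name) {
    if ($Name -like 'Behavior:*')                       { return 'behavioural' }
    if ($Name -match 'Themida|VMProtect|Enigma|Packed') { return 'packer-heuristic' }
    if ($Name -like '*!ml')                             { return 'ml-static' }
    return 'other'
}

$table = foreach ($h in $hits) {
    $name = (Get-MpThreat -ThreatID $h.ThreatID).ThreatName
    [pscustomobject]@{
        Time    = $h.InitialDetectionTime
        Verdict = $name
        Class   = Get-VerdictClass $name
    }
}
$table | Format-Table -AutoSize

# 4. Anything behavioural (or unrecognised) means: stop, do not exclude, escalate.
if ($table.Class -contains 'behavioural' -or $table.Class -contains 'other') {
    Write-Warning 'Runtime or unclassified verdict present. Do not add an exclusion; attach this output to a support ticket.'
    return
}

# 5. Only static packer/ML verdicts remain: exclude the file, not the folder, so a
#    later drop-in next to the loader is still scanned.
Add-MpPreference -ExclusionPath $LoaderPath
(Get-MpPreference).ExclusionPath | Where-Object { $_ -eq $LoaderPath }
```

The script refuses to proceed on a hash mismatch because a replaced loader is exactly the case an exclusion would hide; the final line echoes the exclusion back so you can confirm it was recorded as a file path rather than a directory.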