🟡 🛡️ Security Published: · 4 min read ·

Microsoft Project Ire Autonomously Discovered a New LOTUSLITE Variant — Only 1 of 72 Vendors Detected It

Editorial illustration: Microsoft's autonomous AI system Project Ire for reverse analysis of malware

Microsoft's autonomous LLM agent Project Ire identified a previously unseen variant of the LOTUSLITE malware — at the time of discovery, only one of 72 security vendors had detected it. Ire worked exclusively through static reverse analysis, without any human input or contextual metadata.

🤖

This article was generated using artificial intelligence from primary sources.

Microsoft’s research team on June 12, 2026, published new details about a project that is redefining the paradigm for detecting advanced threats: Project Ire, an autonomous malware classification agent that operates exclusively through static reverse analysis — without a single human analyst and without any metadata about the sample.

An Autonomous Agent That Reverse-Engineers Binary Code

Project Ire uses large language models in combination with industry-standard disassemblers and binary analysis tools to autonomously deconstruct unknown malware samples. The agent receives no input information about the file’s origin, attack target, or prior classification. The only input is the binary file itself; the only output is a detailed behavioral report covering installation procedures, C2 command structures, and code obfuscation techniques.

This approach directly addresses one of the greatest challenges in modern cybersecurity: malware authors continuously rotate indicators of compromise (IOCs) to evade signature-based detection. While traditional antivirus systems look for known hash values and IP addresses, Ire analyzes code behavior — and that allows it to recognize a variant even when no public IOC matches.

What Is LOTUSLITE and How Did Ire Recognize It?

LOTUSLITE is a Windows DLL backdoor documented and attributed by Acronis to the Mustang Panda group with moderate confidence. It is characterized by a split-loader-and-DLL architecture, HTTPS communication to a C2 server via a custom binary protocol, an interactive shell implemented through pipes, and persistence achieved through a Windows Registry entry (HKCU Run key). Traffic to the C2 server is disguised as legitimate communication with Google and Microsoft services.

On May 28, 2026, Project Ire analyzed a sample with SHA-256 hash 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653 — a PE DLL file of 253 KB in size. At that moment, only 1 of 72 security vendors flagged the sample as malicious. By June 4, that number had risen to 7 of 70 vendors — still a dramatically low percentage. Among those that did not detect the threat are CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto Networks, and ESET.

Ire concluded it was dealing with a LOTUSLITE variant based on behavioral signatures — without any overlap with known IOCs. The key differences from the previously documented sample were:

  • Installation directory: C:\ProgramData\SmartPrint\ (versus Technology360NB)
  • Registry key for persistence: DadaBank (versus Lite360)
  • C2 magic DWORD: 0xB2EBCFDF (versus 0x8899AABB)

These differences — a deliberate rotation by the attacker — would have completely blinded signature-based detection systems. For Ire, which analyzes the semantics of code rather than literal values, this is not an obstacle.

Attribution: Caution with Embedded Strings

An unobfuscated string BelievemeIamMustang-Panda was found inside the binary. Acronis attributed the LOTUSLITE family to the Mustang Panda group based on infrastructure and tactics, techniques, and procedures. However, Microsoft’s research team explicitly refrained from independent attribution.

The reason is clear: embedded attribution strings can be deliberate disinformation — so-called false flags intended precisely to mislead automated systems using LLM analysis. Ire is designed to recognize this risk: the agent builds chains of evidence based exclusively on binary behavior, not on metadata or strings that may have been planted by the attacker.

Implications for the Security Industry

Project Ire demonstrates the practical application of LLM-based static reverse engineering in a production security context. Several conclusions are particularly important.

First, signature detection has a structural flaw with variants within the same malware family: an actor merely changes a few constants and passes through nearly all commercial EDR systems. A sample detected by only 1.4% of vendors at first scan illustrates this clearly.

Second, behavioral analysis scales autonomously — Ire can process thousands of samples without engaging analysts. Third, the project shows that LLM agents can produce court-admissible chains of evidence, not just unstructured notes.

Project Ire is not a replacement for human researchers but a force multiplier. While analysts handle priority incidents, Ire processes the long tail of suspicious samples that would otherwise wait days or weeks for analysis — and in the meantime remain an active threat on victims’ systems.

Frequently Asked Questions

What is Microsoft Project Ire?
Project Ire is Microsoft's autonomous agent based on large language models that performs static reverse analysis of malware without any human supervision or sample metadata.
How many security vendors detected the LOTUSLITE variant at first discovery?
Only one of 72 security vendors flagged the sample as malicious at the time of first discovery on May 28, 2026. By June 4 that number had risen to just 7 of 70 vendors.
Which hacker group is LOTUSLITE attributed to?
Acronis attributed the LOTUSLITE family to the Mustang Panda group with a moderate confidence level, but Microsoft Research refrained from independent attribution because embedded attribution strings can be deliberate disinformation.

📬 AI news in your inbox

A daily digest built your way — pick topics, sources and cadence. One-click unsubscribe.