Microsoft Ire catches a LOTUSLITE variant that signature tools missed
Original: Ire identifies another LOTUSLITE specimen
A malware sample that barely registered in signature-based tools was enough for Microsoft’s LLM-driven reverse-engineering agent to build a behavioral case. In a June 12, 2026 Microsoft Research post, Project Ire analyzed a LOTUSLITE-style Windows DLL backdoor without analyst hints and returned a malicious verdict from a single decompiler-based run.
The sample is SHA-256 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653, a 253 KB PE DLL listed by VirusTotal as SmartPrintScreen.Print. Microsoft says that when it picked up the file on May 28, only 1 of 72 VirusTotal vendors flagged it. By June 4, detection had risen to 7 of 70, but CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, and ESET still did not flag it as malware.
The important part is what Ire did not rely on. It did not match a known hash, reuse an IOC list, or simply echo the actor name embedded in the binary. Instead, it invoked decompilers and binary-analysis tools, then produced a function-by-function behavioral report: install routine, C2 packet layout, command IDs, persistence mechanism, obfuscation, directory enumeration, file primitives, and upload behavior.
Microsoft compared Ire’s output with Acronis’s earlier LOTUSLITE writeup. The surface details differ: the Microsoft sample uses different filenames, a different install path, a different Run-key value, and a different C2 magic value. The deeper behavior lines up with the same family: loader/DLL split, HTTPS command-and-control using a custom binary protocol, an interactive shell over pipes, HKCU persistence, and traffic disguised as Google and Microsoft services.
The post is also a useful calibration story for AI security tooling. The binary contains the cleartext string BelievemeIamMustang-Panda, but Microsoft avoids an attribution call. Acronis had linked LOTUSLITE to Mustang Panda at moderate confidence through infrastructure and TTP overlap; Microsoft’s point is narrower. A string can be evidence, noise, or adversarial bait for an LLM-driven analyst, so Ire’s report focuses on observed behavior rather than actor naming.
For defenders, the stakes are practical. Novel malware classification often lacks an automatic validator, and variants can keep the same tactics while changing every obvious indicator. Project Ire does not remove the need for human review, but it shows how agentic reverse engineering can turn a suspicious binary into an auditable evidence chain faster than manual triage alone.