CrowdStrike, SentinelOne, Sophos, Trellix, Palo Alto, and ESET still don't flag a LOTUSLITE variant that Microsoft's autonomous agent caught with a single decompiler run and zero human priors. That's the kind of gap static, signature-based detection leaves wide open.
The Numbers That Matter
The sample hash is 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653. When Microsoft's Project Ire pulled it from VirusTotal on May 28, only 1 of 72 vendors flagged it. A week later that number had climbed to 7 of 70: Microsoft's own engine now tags it as Trojan:Win32/Malgent!MSR, and Kaspersky calls it HEUR:Trojan-Dropper.Win32.Dorifel.gen. But the six biggest commercial EDRs? All still quiet. Acronis's Threat Research Unit had already documented LOTUSLITE, but this sample's SHA-256 wasn't in their IOC list.
How Ire Works Without Context
Ire is an LLM-driven agent that invokes decompilers and binary-analysis tools with no origin metadata, no telemetry, and no analyst prompt. It builds an auditable chain of evidence and returns a malicious-or-benign verdict. For this sample, Ire produced a function-by-function behavioral report: install routine, C2 packet layout with magic DWORD value 0xB2EBCFDF, command IDs, persistence mechanism via HKCU Run key, and obfuscation techniques. The agent correctly flagged a function named nfapi::nf_unRegisterDriver as suspicious but did not claim active packet interception — it recognized the naming was misleading and weighted that behavior appropriately during final adjudication. That's where a less thorough LLM analysis would go wrong and send defenders chasing a phantom.
Comparing Ire's Report to Acronis's
Acronis's LOTUSLITE sample used a different loader path (C:\ProgramData\Technology360NB\) and magic 0x8899AABB. Ire's sample uses C:\ProgramData\SmartPrint\ and 0xB2EBCFDF. The filenames, Run key values, and lure materials differ, but the underlying behaviors align perfectly: loader/DLL split, HTTPS C2 with custom binary protocol, interactive shell over pipes, directory enumeration, file primitives, chunked upload, and traffic camouflaged as Google and Microsoft services. Ire never named LOTUSLITE in its report; the family mapping came from comparing Ire's behavioral output against Acronis's writeup. The DLL itself contains a cleartext string "BelievemeIamMustang-Panda" — not direct proof of authorship, but a curious artifact that Ire did not let bias its verdict.
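The indicator comparison above and the behavioral report in the previous section can be turned into a small triage check. The following is an added example, not code from Microsoft, Acronis, or Project Ire: it scans a binary blob for the two documented magic DWORDs and loader directories, and separately for variant-agnostic hints (any ProgramData loader directory, the Run key string, the cleartext tag), so a variant with fresh IOCs still surfaces the generic hints. The sample blobs, the `Acme` directory and the `0x11223344` magic are constructed placeholders.

```python
import re
import struct

# Indicators the page gives for the two LOTUSLITE variants.
KNOWN_MAGIC = {
    0xB2EBCFDF: "Ire sample (SmartPrint loader)",
    0x8899AABB: "Acronis sample (Technology360NB loader)",
}
KNOWN_LOADER_DIRS = {
    b"C:\\ProgramData\\SmartPrint\\": "Ire sample",
    b"C:\\ProgramData\\Technology360NB\\": "Acronis sample",
}
RUN_KEY = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
AUTHOR_TAG = b"BelievemeIamMustang-Panda"
# Generic pattern: any loader directory under ProgramData, not only the two known ones.
PROGRAMDATA_RE = re.compile(rb"C:\\ProgramData\\[A-Za-z0-9_.-]+\\")


def triage(blob: bytes) -> dict:
    """Report known-variant IOCs and variant-agnostic hints found in a binary blob."""
    found = {"magic": [], "loader_dir": [], "other_programdata": [], "hints": []}
    for magic, label in KNOWN_MAGIC.items():
        # The page gives the magic as a DWORD but not its wire byte order, so try both.
        for fmt in ("<I", ">I"):
            if struct.pack(fmt, magic) in blob:
                found["magic"].append((hex(magic), label))
                break
    for path, label in KNOWN_LOADER_DIRS.items():
        if path in blob:
            found["loader_dir"].append((path.decode(), label))
    for m in PROGRAMDATA_RE.finditer(blob):
        if m.group(0) not in KNOWN_LOADER_DIRS:
            found["other_programdata"].append(m.group(0).decode())
    if RUN_KEY in blob:
        found["hints"].append("Run key persistence string")
    if AUTHOR_TAG in blob:
        found["hints"].append("cleartext BelievemeIamMustang-Panda string")
    return found


# Constructed stand-ins, not real samples: a few strings and a DWORD embedded in padding.
IRE_LIKE = (b"\x00" * 8 + struct.pack("<I", 0xB2EBCFDF) + b"C:\\ProgramData\\SmartPrint\\"
            + b"\x00" + RUN_KEY + b"\x00" + AUTHOR_TAG)
# Hypothetical new variant: unknown directory and magic, same persistence string.
NOVEL_LIKE = struct.pack("<I", 0x11223344) + b"C:\\ProgramData\\Acme\\" + b"\x00" + RUN_KEY

if __name__ == "__main__":
    print(triage(IRE_LIKE))
    print(triage(NOVEL_LIKE))
```

The second blob matches no documented IOC yet still reports a ProgramData loader directory and the Run key string, which is the gap the page describes between IOC lists and behavioral analysis.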
This is what behavioral, agentic reverse engineering achieves when signature matching and manual inspection fall short. Variants that share TTPs but not IOCs get caught instead of slipping past. Ire's next target might be your next missed variant.
Source: Ire identifies another LOTUSLITE specimen
Domain: microsoft.com