Microsoft’s autonomous malware‑classification agent, Project Ire, has flagged a new LOTUSLITE backdoor variant as malicious, despite the sample’s hash not appearing in any public indicator‑of‑compromise database and most enterprise engines missing it in early June.

The test file, a Windows DLL called SmartPrintScreen.Print (SHA‑256 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653), was fed to Ire without any background context. Using a decompiler‑driven, function‑by‑function approach, Ire produced a detailed behavioral report that mapped the install routine, command‑and‑control packet layout, command identifiers, persistence method, and obfuscation tactics. The agent concluded the sample was malicious.

Acronis Threat Research Unit first documented the LOTUSLITE family in January 2026. Their analysis described a loader that sideloads a malicious DLL, uses HTTPS C2 traffic with a custom binary protocol, and persists through a registry Run key. The loader and DLL are typically bundled in a politically themed ZIP archive that mimics a Tencent KuGou launcher.

The Ire‑analyzed sample differs from the Acronis reference only superficially. Here the loader is SmartPrintScreen.exe, the DLL is AMPV.dll, the install folder is C:\ProgramData\SmartPrint\, and the Run‑key value name is DadaBank. The C2 magic value is 0xB2EBCFDF instead of 0x8899AABB, and the marker argument is –DaDaBar rather than –DATA. These are exactly the fields a signature would key on, which is why a hash or string match on the earlier sample misses this one. The core behaviors—loader/DLL split, HTTPS C2 with a custom protocol, interactive shell over pipes, directory enumeration, file primitives, chunked upload, HKCU persistence, and traffic camouflaged as Google and Microsoft services—align closely with the LOTUSLITE profile.

VirusTotal lists the file as a PE DLL (pedll) named SmartPrintScreen.Print. A report dated May 28 showed a single detection (Microsoft's Trojan:Win32/Malgent!MSR). By June 4, seven of seventy vendors—including Microsoft, Kaspersky, and TrendMicro—flagged the sample, while major EDR vendors such as CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, and ESET still did not. One caveat when reading those numbers: VirusTotal verdicts come from the scan engines each vendor submits to the service, not necessarily from the behavioral layers of the corresponding endpoint products, so a miss on VirusTotal does not by itself show that the product on an endpoint would have let the loader run.

Ire’s analysis spotlighted a function named nfapi::nf_unRegisterDriver and a NetFilter naming pattern. The agent noted that, despite the driver‑flavored name, the function writes the Run key, installs no driver, and performs no packet interception. Distinguishing what a name suggests from what the code actually does is the kind of judgment that keeps suggestive strings from turning into false positives, and it cuts the other way too: a benign‑sounding export name is no evidence of benign behavior.
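The two points above, the indicator differences between the variant and the Acronis reference and the distinction between suggestive strings and observed behavior, can be combined into a small triage rule. The script below is an added example written for this page; it is not Project Ire's or Acronis's code. It searches a file image for the indicators the article lists (C2 magic in both byte orders, since the page does not state the layout; marker arguments written with plain ASCII hyphens, an assumption; the actor string and the NetFilter names) and separately parses a .reg export of the HKCU Run key for the persistence entry. Strings alone can only ever produce a "review" result; a LOTUSLITE call requires protocol, marker or persistence evidence. The sample DLL image and registry export are constructed here for illustration.

```python
"""Triage helper for the LOTUSLITE variant described above (added example)."""
import re
import struct
from dataclasses import dataclass

# Indicators quoted from the article.  Both byte orders are searched because
# the page does not say how the magic is stored (assumption).
C2_MAGICS = {"variant": 0xB2EBCFDF, "acronis_reference": 0x8899AABB}
# Marker arguments; plain ASCII hyphens are assumed here.
MARKER_ARGS = [b"-DaDaBar", b"-DATA"]
# Strings that suggest capability or attribution but prove neither.
SUGGESTIVE_STRINGS = [b"BelievemeIamMustang-Panda",
                      b"nfapi::nf_unRegisterDriver", b"NetFilter"]
# Standard per-user Run key; value name and install folder from the article.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DadaBank"
INSTALL_DIR = "C:\\ProgramData\\SmartPrint\\"


@dataclass(frozen=True)
class Finding:
    kind: str      # "persistence", "protocol", "marker" or "string"
    detail: str
    weight: int


def scan_image(data: bytes) -> list[Finding]:
    """Static indicators inside a loader or DLL image."""
    found = []
    for name, magic in C2_MAGICS.items():
        for order, fmt in (("little", "<I"), ("big", ">I")):
            if struct.pack(fmt, magic) in data:
                found.append(Finding("protocol",
                    f"C2 magic 0x{magic:08X} ({name}, {order}-endian)", 3))
    for arg in MARKER_ARGS:
        if arg in data:
            found.append(Finding("marker", f"marker argument {arg.decode()}", 2))
    for s in SUGGESTIVE_STRINGS:
        if s in data:
            found.append(Finding("string", f"suggestive string {s.decode()}", 1))
    return found


_REG_KEY = re.compile(r"^\[(.+)\]\s*$")
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def scan_reg_export(text: str) -> list[Finding]:
    """Persistence evidence from a .reg export.  Value data in .reg files
    doubles backslashes, so paths are unescaped before comparison."""
    found, current_key = [], None
    for line in text.splitlines():
        m = _REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name, path = m.group(1), m.group(2).replace("\\\\", "\\")
        if name == RUN_VALUE_NAME:
            found.append(Finding("persistence", f"Run value {name!r} -> {path}", 4))
        elif path.lower().startswith(INSTALL_DIR.lower()):
            # Catches a renamed value that still launches from the install folder.
            found.append(Finding("persistence",
                f"Run value {name!r} launches from {INSTALL_DIR}", 4))
    return found


def verdict(findings: list[Finding]) -> str:
    """Strings alone never exceed 'review'; a LOTUSLITE call needs behaviour."""
    if not findings:
        return "clean"
    if all(f.kind == "string" for f in findings):
        return "review"
    score = sum(f.weight for f in findings)
    return "likely-lotuslite" if score >= 5 else "suspicious"


def triage(image: bytes, reg_export: str = "") -> tuple[str, list[Finding]]:
    findings = scan_image(image) + scan_reg_export(reg_export)
    return verdict(findings), findings


# Constructed stand-ins: a fake DLL image carrying the variant's indicators,
# a .reg export with the persistence entry, and a file that only carries the
# planted actor string.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 64 + struct.pack("<I", 0xB2EBCFDF) + b"\x00" * 8
                + b"-DaDaBar\x00BelievemeIamMustang-Panda\x00nfapi::nf_unRegisterDriver")
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe"\n'
    '"DadaBank"="C:\\\\ProgramData\\\\SmartPrint\\\\SmartPrintScreen.exe"\n'
)
PLANTED_ONLY = b"MZ" + b"\x00" * 32 + b"BelievemeIamMustang-Panda"

if __name__ == "__main__":
    for label, img, reg in (("variant", SAMPLE_IMAGE, SAMPLE_REG), ("planted", PLANTED_ONLY, "")):
        result, fs = triage(img, reg)
        print(label, result)
        for f in fs:
            print("  ", f.kind, f.detail)
```

The weights are illustrative, not calibrated; the design point is that the actor name and the nfapi/NetFilter names contribute only to a "review" outcome, while the protocol constant, marker argument and an actual Run‑key entry under the install folder are what move a file toward a LOTUSLITE verdict. Running it on a real host means reading the Run key directly (for example with reg export) rather than the constructed text used here.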

The DLL exports a long list of banking‑ and QR‑related identifiers, such as Query_Bank and BankSepah_Iran, many of which resolve to a message box or ExitProcess. This export surface matches a repurposed banking/QR SDK shell that lets the host executable call the backdoor entry point via GetProcAddress. Ire’s report does not name the entry point but identifies the behavioral shape as matching LOTUSLITE.

The sample contains the literal string “BelievemeIamMustang-Panda.” Acronis attributes LOTUSLITE to the China‑linked threat actor Mustang Panda with moderate confidence, based on infrastructure overlap and tactics. The presence of the actor’s name in the binary does not constitute definitive attribution; it could be a developer artifact, a planted trophy, or a deliberate biasing input for LLM‑based analysis.

Project Ire operates without any context—no origin metadata, telemetry, or analyst prompt. It invokes decompilers and binary‑analysis tools, builds an auditable chain of evidence, and arrives at a malicious‑or‑benign verdict. The agent’s report for this sample is available on GitHub, and it does not reference LOTUSLITE by name; the mapping to the family was performed after comparing Ire’s output to Acronis’s published analysis.

This case illustrates how autonomous, behavior‑centric analysis can surface malware that evades signature‑based detection. While the sample had not yet been widely flagged by EDRs, the growing vendor count on VirusTotal shows coverage catching up; the gap between a lightly modified variant appearing and signatures following it is exactly the window that behavior‑based classification is meant to close.

At present, the sample remains a single instance of a LOTUSLITE variant. No further product releases, regulatory actions, or court proceedings are linked to this finding. Microsoft’s Project Ire continues to be evaluated as a prototype for fully autonomous malware classification, and its public reports will likely inform future detection strategies.