Project Ire detects LOTUSLITE variant missed by major EDRs
Microsoft’s autonomous agent produced a function-by-function behavioral report and returned a “malicious” verdict for a LOTUSLITE DLL not.
TL;DR
- Microsoft’s autonomous agent produced a function-by-function behavioral report and returned a “malicious” verdict for a LOTUSLITE DLL not.
- The sample’s SHA-256 is 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653.
- When first picked up on May 28, VirusTotal showed 1 of 72 vendors flagging it; by June 4 the count had risen to 7 of 70, while several major EDRs still did not flag the file.
Project Ire, Microsoft’s autonomous malware-classification agent, analyzed a blind sample of a LOTUSLITE-family DLL and produced a function-by-function behavioral report and a “malicious” verdict from a single decompiler-based run with no human priors. The sample’s SHA-256 is 47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653. When first picked up on May 28, VirusTotal showed 1 of 72 vendors flagging it; by June 4 the count had risen to 7 of 70, while several major EDRs still did not flag the file.
What Ire did and what it found
Ire invoked decompilers and binary-analysis tools and produced an auditable chain of evidence that describes behaviors at the function and system level: install routine, C2 packet layout, command IDs, persistence mechanism, obfuscation, directory enumeration, file primitives, chunked upload, and an interactive shell over pipes. The agent did not rely on IOC matching. Ire did not name LOTUSLITE in its output; the family mapping comes from comparing Ire’s behavioral report against Acronis’s published analysis.
The DLL copies two files into C:\ProgramData\SmartPrint\: a loader EXE named SmartPrintScreen.exe (a copy of the host process, whose path it obtains via GetModuleFileName(NULL)) and itself as AMPV.dll. The loader is registered under a Run key with the argument –DaDaBar, so at the next logon it starts and sideloads AMPV.dll. Ire flagged a function named nfapi::nf_unRegisterDriver as suspicious, but explicitly did not claim active packet interception, because the function writes the Run key and does not install a driver; Ire noted the misleading name and treated it as one piece of evidence in its final adjudication.
The sample’s behavior aligned with the LOTUSLITE profile Acronis described: a loader/DLL split, HTTPS C2 carrying a custom binary protocol with a magic DWORD, persistence in HKCU, and traffic camouflaged as Google and Microsoft services. Surface differences include filenames, paths, and the magic value. The binary exports a long list of banking and QR-themed names such as Query_Bank, BankSepah_Iran, BankToman_BMI, BankofChina, qrBankInit, and JpgSymbolToBMP; most of those exports resolve to a message box or ExitProcess and appear to form a hijacked SDK shell so the host EXE can call into the LOTUSLITE entry point.
Ire’s run returned a verdict of "malicious" and produced a function-level chain of evidence. Acronis’s Threat Research Unit documented a loader EXE plus kugou.dll combination and attributed the family to Mustang Panda at moderate confidence based on infrastructure overlap and loader/DLL split. The sample Ire analyzed is the DLL itself, AMPV.dll (VT type pedll). The binary also contains the literal string "BelievemeIamMustang-Panda", which the authors note is not proof of authorship and could bias LLM-driven analysis.
Comparing the two specimens
The two writeups share a behavioral mapping while differing in surface markers. Key side-by-side facts from the source comparison:
- Sample type: Acronis specimen was a loader EXE plus kugou.dll; the Ire sample is the malicious DLL AMPV.dll (VT type pedll).
- Install directory: Acronis reported C:\ProgramData\Technology360NB\; Ire’s sample used C:\ProgramData\SmartPrint\.
- Installed exe: Acronis listed DataTechnology.exe; Ire’s sample used SmartPrintScreen.exe.
- Run-key value: Acronis used Lite360; Ire’s sample used DadaBank.
- Marker arg: Acronis marker was –DATA; Ire’s was –DaDaBar.
- C2 magic: Acronis 0x8899AABB; Ire sample 0xB2EBCFDF.
- Lure: Acronis described a politically themed ZIP with a sideload via a renamed Tencent KuGou launcher; the Ire sample used a politically themed ZIP and a Venezuela-themed launcher with a fake “PDF corrupted” message box.
- Mustang Panda link: Acronis linked via infra and TTP overlap at moderate confidence; Ire’s sample contains the literal string "BelievemeIamMustang-Panda" but attribution was not made.
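As an added example (not code from Microsoft Research, Project Ire or Acronis), a small hunting check that applies the persistence pattern described above: a loader dropped into a C:\ProgramData\<name>\ folder, registered under an HKCU Run value, and started with a single marker argument so it can sideload the DLL. The Run-key entries and directory listing are constructed inline; the regex, the generic sideloaded-DLL heuristic and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Persistence markers taken from the two LOTUSLITE writeups compared above. Both specimens
# drop a loader EXE into a C:\ProgramData\<name>\ folder, register it under an HKCU Run
# value, and pass it a single dash-prefixed marker argument at logon.
KNOWN_VARIANTS = {
    "Lite360":  {"dir": r"C:\ProgramData\Technology360NB", "arg": "-DATA"},
    "DadaBank": {"dir": r"C:\ProgramData\SmartPrint",      "arg": "-DaDaBar"},
}
SIDELOADED_DLLS = {"kugou.dll", "ampv.dll"}  # DLL names the two loaders sideload
# Shape of the Run value: a ProgramData subfolder plus EXE, then exactly one marker argument.
_RUN_RE = re.compile(
    r'^"?(?P<path>C:\\ProgramData\\[^\\"]+\\[^\\"]+\.exe)"?\s+(?P<arg>[-–]\w+)\s*$', re.IGNORECASE)
Hit = Tuple[str, str, Optional[str]]  # (Run value name, reason, documented variant or None)

def classify_run_value(value_name: str, command: str, fs: Dict[str, Set[str]]) -> Optional[Hit]:
    """Flag a Run value that resembles LOTUSLITE loader persistence. fs maps a folder to the
    file names found in it (a constructed stand-in for a directory listing)."""
    m = _RUN_RE.match(command.strip())
    if not m:
        return None
    folder = m.group("path").rsplit("\\", 1)[0]
    arg = m.group("arg").replace("–", "-")  # tolerate the en-dash some writeups render
    for name, v in KNOWN_VARIANTS.items():
        if value_name == name or (folder.lower() == v["dir"].lower() and arg.lower() == v["arg"].lower()):
            return (value_name, "matches documented LOTUSLITE variant", name)
    # Weaker, generic signal: a ProgramData loader with a marker arg sitting beside a sideloaded DLL.
    if {f.lower() for f in fs.get(folder, set())} & SIDELOADED_DLLS:
        return (value_name, "ProgramData loader with marker arg beside sideloaded DLL", None)
    return None

def scan(entries: List[Tuple[str, str]], fs: Dict[str, Set[str]]) -> List[Hit]:
    """entries are (Run value name, command) pairs, e.g. parsed from a registry export."""
    return [h for n, c in entries if (h := classify_run_value(n, c, fs)) is not None]

# Constructed sample data (not from the page): a benign entry, both documented variants, a lookalike.
CONSTRUCTED_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("DadaBank", r'C:\ProgramData\SmartPrint\SmartPrintScreen.exe -DaDaBar'),
    ("Lite360",  r'"C:\ProgramData\Technology360NB\DataTechnology.exe" -DATA'),
    ("Updater",  r'C:\ProgramData\Acme\update.exe -quiet'),
]
CONSTRUCTED_FS = {
    r"C:\ProgramData\SmartPrint": {"SmartPrintScreen.exe", "AMPV.dll"},
    r"C:\ProgramData\Technology360NB": {"DataTechnology.exe", "kugou.dll"},
    r"C:\ProgramData\Acme": {"update.exe"},
}
```

Running `scan(CONSTRUCTED_RUN_ENTRIES, CONSTRUCTED_FS)` flags only the two documented variants; the benign OneDrive entry and the Acme lookalike (no sideloaded DLL beside it) pass.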
VirusTotal tracking for the sample moved from 1 of 72 vendors on May 28 to 7 of 70 on June 4. Vendors adding detections by June 4 included Microsoft (Trojan:Win32/Malgent!MSR), Kaspersky (HEUR:Trojan-Dropper.Win32.Dorifel.gen), Rising, Cynet, Elastic, Kingsoft, and TrendMicro-HouseCall. CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, and ESET did not flag it as of June 4.
Why it matters
Ire’s result shows that static, function-level reverse engineering driven by a language model can surface behavioral detail sufficient to map a sample to an existing family without IOC overlap. That reduces reliance on signature matching and helps detect variants that share tools, tactics, and procedures while avoiding known indicators of compromise. The case also demonstrates a real risk: suggestive strings or export names can bias agent output, producing false leads if the analysis is not careful.
What to watch
Watch VirusTotal and vendor telemetry for whether CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, and ESET begin flagging the file or related hashes. Also watch Project Ire’s public project page and the GitHub report for further samples and for changes in how agentic analyses handle misleading strings and export surfaces.
| Item | Acronis specimen | Ire sample |
|---|---|---|
| Sample type | loader EXE + kugou.dll | malicious DLL: AMPV.dll (VT type pedll) |
| Install dir | C:\ProgramData\Technology360NB\ | C:\ProgramData\SmartPrint\ |
| Installed exe | DataTechnology.exe | SmartPrintScreen.exe |
| Run-key value | Lite360 | DadaBank |
| Marker arg | –DATA | –DaDaBar |
| C2 magic | 0x8899AABB | 0xB2EBCFDF |
| Lure | politically themed ZIP, sideload via renamed Tencent KuGou launcher | politically themed ZIP, Venezuela-themed launcher, fake “PDF corrupted” message box |
| Mustang Panda link | infra and TTP overlap, moderate confidence (Acronis) | not independently assessed; binary contains literal string "BelievemeIamMustang-Panda" |
Written by The Brieftide · Source: Microsoft Research
The Brieftide Daily · 06:00