Inside Project Ire’s discovery of an evasive malware sample

At a glance

Project Ire identifies a LOTUSLITE variant that shares TTPs (tools, tactics, procedures) with the public family but none of its indicators of compromise (IOC).

The LLM-driven agent produces a function-by-function behavioral report on the sample without any user interaction to determine whether it is malicious.

The binary names a threat actor in cleartext; the agent declines to attribute and instead focuses on statically analyzing the behaviors.

We pointed Project Ire, Microsoft’s autonomous malware-classification agent, at a malware sample—blind—and asked for a verdict. The sample is a variant of LOTUSLITE, a Windows DLL backdoor recently documented by Acronis. Our copy’s hash isn’t in their IOC list, and as of June 4, most major EDRs (CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, ESET) still don’t flag it as malware. Ire produced a function-by-function behavioral report—install routine, C2 packet layout, command IDs, persistence mechanism, obfuscation—that lines up with Acronis’s published analysis. One decompiler-based run, no human priors.