{"id":23453,"date":"2026-06-12T22:53:03","date_gmt":"2026-06-12T22:53:03","guid":{"rendered":"https:\/\/globalnewstoday.uk\/index.php\/2026\/06\/12\/inside-project-ires-discovery-of-an-evasive-malware-sample-microsoft\/"},"modified":"2026-06-12T22:53:03","modified_gmt":"2026-06-12T22:53:03","slug":"inside-project-ires-discovery-of-an-evasive-malware-sample-microsoft","status":"publish","type":"post","link":"https:\/\/globalnewstoday.uk\/index.php\/2026\/06\/12\/inside-project-ires-discovery-of-an-evasive-malware-sample-microsoft\/","title":{"rendered":"Inside Project Ire\u2019s discovery of an evasive malware sample &#8211; Microsoft"},"content":{"rendered":"<p> \t\t\t\tPublished\t\t\t\t<time itemprop=\"datePublished\" datetime=\"2026-06-12T13:30:48-07:00\"> \t\t\t\t\tJune 12, 2026\t\t\t\t<\/time>  \t\t\t\t\t\t\t<br \/> \t\t\t\t\tBy\t\t\t\t\t\t\t\t\t\t\t<span class=\"msr-authors-list--author\"> \t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/bcaswell\/\" class=\"msr-authors-list--url\" data-bi-cn=\"Brian Caswell\"> \t\t\t\t\t\t\t\t<span itemprop=\"author\"> \t\t\t\t\t\t\t\t\tBrian Caswell\t\t\t\t\t\t\t\t<\/span> \t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t \t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"msr-authors-list--separator\">,<\/span> \t\t\t\t\t\t\t<span class=\"msr-authors-list--title\"> \t\t\t\t\t\t\tPrincipal Security Engineer\t\t\t\t\t\t\t<\/span> \t\t\t\t\t\t\t\t\t\t\t\t<\/span>  \t\t\t\t\t\t\t\t\t\t\t<span class=\"msr-authors-list--author\"> \t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/bobfleck\/\" class=\"msr-authors-list--url\" data-bi-cn=\"Bob Fleck\"> \t\t\t\t\t\t\t\t<span itemprop=\"author\"> \t\t\t\t\t\t\t\t\tBob Fleck\t\t\t\t\t\t\t\t<\/span> \t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t \t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"msr-authors-list--separator\">,<\/span> \t\t\t\t\t\t\t<span class=\"msr-authors-list--title\"> \t\t\t\t\t\t\tSenior Security Engineer\t\t\t\t\t\t\t<\/span> \t\t\t\t\t\t\t\t\t\t\t\t<\/span>  \t\t\t\t\t\t\t\t\t\t\t<span class=\"msr-authors-list--author\"> \t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/walkerm\/\" class=\"msr-authors-list--url\" data-bi-cn=\"Mike Walker\"> \t\t\t\t\t\t\t\t<span itemprop=\"author\"> \t\t\t\t\t\t\t\t\tMike Walker\t\t\t\t\t\t\t\t<\/span> \t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t \t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"msr-authors-list--separator\">,<\/span> \t\t\t\t\t\t\t<span class=\"msr-authors-list--title\"> \t\t\t\t\t\t\tResearch Manager\t\t\t\t\t\t\t<\/span> \t\t\t\t\t\t\t\t\t\t\t\t<\/span>  \t\t\t\t\t\t\t\t\t<br \/>Share this page<br \/>We pointed <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/project\/project-ire\/\" type=\"msr-project\" id=\"1144806\">Project Ire<\/a>, Microsoft&#8217;s autonomous malware-classification agent, at a malware sample\u2014blind\u2014and asked for a verdict. The sample is a variant of LOTUSLITE, a Windows DLL backdoor recently documented by Acronis. Our copy&#8217;s hash isn&#8217;t in their IOC list, and as of June 4, most major EDRs (CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, ESET) still don&#8217;t flag it as malware. Ire produced a function-by-function behavioral report\u2014install routine, C2 packet layout, command IDs, persistence mechanism, obfuscation\u2014that lines up with Acronis&#8217;s published analysis. One decompiler-based run, no human priors.<br \/>This is what behavioral, agentic reverse engineering can achieve when signature matching and manual inspections fall short. Variants that share TTPs but not indicators of compromise (IOC) get caught instead of slipping past signature lists. Novel malware classification is a domain with no automatic validator, requiring in-depth investigation and holistic understanding of the software\u2019s behaviors to surface and determine intent. Ire operates without context: no origin metadata, no telemetry, no analyst prompt. It invokes decompilers and binary-analysis tools, builds an auditable chain of evidence, and reaches a malicious-or-benign verdict.<br \/>Acronis&#8217;s Threat Research Unit (TRU) <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/lotuslite-targeted-espionage-leveraging-geopolitical-themes\/\" type=\"link\" id=\"https:\/\/www.acronis.com\/en\/tru\/posts\/lotuslite-targeted-espionage-leveraging-geopolitical-themes\/\" target=\"_blank\" rel=\"noopener noreferrer\">published a writeup<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> on LOTUSLITE, a DLL backdoor delivered through a politically themed ZIP, sideloaded through a renamed Tencent KuGou launcher. They attribute it to Mustang Panda at moderate confidence based on infrastructure overlap and the loader\/DLL split. Hunting on VirusTotal for samples whose behavior matched the report, we surfaced one whose SHA-256 doesn&#8217;t appear in Acronis&#8217;s IOC list.<br \/>The sample:\u202f<a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/www.virustotal.com\/gui\/file\/47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653\" type=\"link\" id=\"https:\/\/www.virustotal.com\/gui\/file\/47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653\" target=\"_blank\" rel=\"noopener noreferrer\">47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>. When we picked it up on May 28, VirusTotal showed\u202f1 of 72 vendors\u202fflagging it.<br \/>A week later, that rose to 7 of 70. The cluster: Microsoft\u202fTrojan:Win32\/Malgent!MSR, Kaspersky\u202fHEUR:Trojan-Dropper.Win32.Dorifel.gen, Rising\u202fDropper.Dorifel!8.31E (CLOUD), Cynet (score 100), Elastic (moderate confidence), Kingsoft, TrendMicro-HouseCall. With Microsoft now flagging, VT&#8217;s popular threat label has shifted to\u202fdropper.dorifel \/ malgent. CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto, and ESET still miss it. VT lists the file type as\u202fpedll\u202f(PE DLL) and the filename as\u202fSmartPrintScreen.Print.<br \/>We analyzed the sample with Ire, using only its decompiler-based tools through a single tool call. Ire&#8217;s verdict was\u202f\u201cmalicious\u201d; you can review the complete report <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fproject-ire%2Fblob%2Fmain%2Freports%2F47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653.md&#038;data=05%7C02%7Csmithsarah%40microsoft.com%7Cabbc5bb6be7e4ddca50b08dec7d70737%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C639167923516521150%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&#038;sdata=rr4gCWnGCAHITM4ARAtVXqu66UzUVqByMacq%2BsOmNQ8%3D&#038;reserved=0\" target=\"_blank\" rel=\"noopener noreferrer\">on Github<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>.<br \/>One noteworthy observation in <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/github.com\/microsoft\/project-ire\/blob\/main\/reports\/47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653.md\" type=\"link\" id=\"https:\/\/github.com\/microsoft\/project-ire\/blob\/main\/reports\/47e51e82229e80a387c3cb100d39d3705e6360bbf9bfa1601dbc484e8d02e653.md\" target=\"_blank\" rel=\"noopener noreferrer\">Ire\u2019s report<span class=\"sr-only\"> (opens in new tab)<\/span><\/a> is worth highlighting first. Ire flagged the nfapi::nf_unRegisterDriver and NetFilter naming as suspicious but explicitly did\u202fnot\u202fclaim active packet interception. The function in question writes the Run key; it does not install a driver. This is where LLM-driven analysis can go wrong: suggestive strings can steer the verdict. A function called nf_unRegisterDriver sounds\u202flike it does kernel-level work, and a less thorough agent would write that into the report. Downstream defenders would then chase a phantom, building detection rules for behavior that may or may not be there. Ire flagged the misleading name and considered the behavior as one piece of the evidence during its final adjudication of malice.<br \/>Comparing Ire\u2019s output with Acronis\u2019 report, the sample we analyzed matches the behavioral profile of the LOTUSLITE family of malware. Both show a loader\/DLL split, HTTPS C2 carrying a custom binary protocol with a magic DWORD, interactive shell over pipes, directory enumeration, file primitives, chunked upload, HKCU persistence, and traffic camouflaged as Google and Microsoft services. The surface details differ\u2014filenames, paths, magic value\u2014but the underlying behaviors align. Ire correctly identified this sample as part of the same family of malware because of the behaviors it was able to identify through decompilation and reverse engineering, not on string match alone.<br \/>Because the sample is a DLL (pedll\u202fper VT), the sample&#8217;s install routine reads differently than it might look at first. The DLL copies two files into C:ProgramDataSmartPrint: the loader EXE that sideloaded it (its host process, obtained via GetModuleFileName(NULL), written as\u202fSmartPrintScreen.exe) and itself (AMPV.dll, the analyzed sample). The Run key points at the loader with\u202f&#8211;DaDaBar. On the next logon, the loader runs and sideloads AMPV.dll from the install path. This is the same Acronis-identified pattern but with different filenames.<br \/>This also explains the binary&#8217;s strange export surface. The DLL exports a long list of banking and QR-themed names (Query_Bank,\u202fBankSepah_Iran,\u202fBankToman_BMI,\u202fBankofChina,\u202fqrBankInit,\u202fJpgSymbolToBMP, and others), most of which resolve to a message box or ExitProcess. The shape suggests a hijacked banking\/QR SDK shell, repurposed so the host EXE can call any one of those exports via GetProcAddress and reach the LOTUSLITE entry point. Acronis names theirs DataImporterMain. The Ire report does not surface a matching entry-point name, but it identifies that the behavioral shape is the same.<br \/>Acronis attributes the malware family to Mustang Panda at moderate confidence based on infrastructure and TTPs we don&#8217;t have access to, while our sample directly contains a literal actor-name string \u201cBelievemeIamMustang-Panda\u201d with no obfuscation. A string isn&#8217;t direct proof of authorship; it could be a developer artifact, a trophy, or a deliberate plant. While we are not making an attribution call, we note that the binary names the same actor that Acronis named through other means, and we leave the question open. Another consideration to make for this finding: a string like this can function as adversarial input to LLM-driven analysis, biasing the verdict.<br \/> \t\t<span class=\"px-4 bg-white display-inline-block font-weight-semibold small\">Spotlight: Microsoft research newsletter<\/span> \t<br \/>Stay connected to the research community at Microsoft.<br \/>Ire statically reverse-engineers binaries and identifies the behavior from the function to the system level to describe what the software does and determine a verdict. The verdict of this sample came from a single Ire run because of the specific detail Ire was able to surface: function roles, packet layout, command IDs, persistence registry keys, and decoy strings. Ire never named LOTUSLITE in its report or chain of evidence. The family mapping is ours, after the fact, comparing Ire\u2019s report against Acronis report. Ire described the behavior precisely enough to make the mapping straightforward of this sample to LOTUSLITE.<br \/>Stay up to date on the latest findings and other interesting sample detections from Project Ire by following along on our <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/project\/project-ire\/\" type=\"msr-project\" id=\"1144806\">project page<\/a>.<br \/>Principal Security Engineer<br \/>Senior Security Engineer<br \/>Research Manager<br \/> \t\t\t\t\t\t\tFollow us:\t\t\t\t\t\t<br \/> \t\t\t\t\t\t\tShare this page:\t\t\t\t\t\t<\/p>\n<p><a href=\"https:\/\/news.google.com\/rss\/articles\/CBMikgFBVV95cUxNTmdOU3lYdmhCTUVBeVhpT09PZktKaUNzQ2xBN1RkeGtnbWZMNlRPS1JJVHJ0TEh4Y19YcmxPR25SMVRpcVR0Z2U2NUtlanVrSVJwazMtV2VVTEFkN3pGbVhtVDVyUFhvSTEtcnZ6OGNoaHNHR2Y3SmtnbF9NbEJLLXBVLXd5NnBCbXg1LUkyUHNZZw?oc=5\">source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Published June 12, 2026 By Brian Caswell , Principal Security Engineer Bob Fleck , Senior Security Engineer Mike Walker , Research Manager Share this pageWe pointed Project Ire, Microsoft&#8217;s autonomous malware-classification agent, at a malware sample\u2014blind\u2014and asked for a verdict. The sample is a variant of LOTUSLITE, a Windows DLL backdoor recently documented by Acronis. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":23454,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-23453","post","type-post","status-publish","format-standard","has-post-thumbnail","category-science"],"_links":{"self":[{"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/posts\/23453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/comments?post=23453"}],"version-history":[{"count":0,"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/posts\/23453\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/media\/23454"}],"wp:attachment":[{"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/media?parent=23453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/categories?post=23453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/globalnewstoday.uk\/index.php\/wp-json\/wp\/v2\/tags?post=23453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}