A Windows dynamic-link library whose hash appeared in no public malware catalog, and which none of the major endpoint detection platforms flagged as of early June 2026, was identified as a LOTUSLITE-family backdoor by Microsoft's Project Ire autonomous malware-classification agent. The agent reached the verdict in a single decompiler-driven pass, producing a function-by-function behavioral report and an auditable chain of evidence, then declined to name the threat actor the binary itself identifies in cleartext.
LOTUSLITE is a Windows backdoor family documented by Acronis's Threat Research Unit as a politically themed lure sideloaded through a renamed Tencent KuGou music player. Acronis attributes the family to the Mustang Panda cluster at moderate confidence, based on infrastructure overlap and shared loader and DLL mechanics. Ire's verdict rests on behavioral alignment, not on an indicator-of-compromise match, because the sample shares the family's tool-and-tactic shape but none of its known fingerprints. Surface details differ: filenames and paths shift between samples, and the magic value in this binary's custom command-and-control protocol is 0xB2EBCFDF, not the 0x8899AABB that Acronis documented.
The behaviors that put it in the family are recognizable to a reverse engineer. The loader pulls a side-loaded DLL (AMPV.dll in this case) and reaches into the Windows Registry under HKCU\...\Run with a -DaDaBar flag for persistence. It opens an interactive shell over named pipes, enumerates directories, runs file primitives, and ships stolen content in chunks to a command server whose traffic is camouflaged as Google and Microsoft service calls. Ire walked through the binary in a single tool call, according to the Microsoft Research blog post, and produced a verdict without human steering. The full behavioral report is published on GitHub.
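An added triage helper, not code from Microsoft Research, Acronis, or the Ire report: it scans a constructed byte blob and a constructed set of Run-key entries for the three surface indicators the article names (the two protocol magic values, the -DaDaBar persistence flag, the self-attribution string) and reports the string in its own bucket because, as the article says, a string is not evidence. The wire byte order of the magic value is not stated on the page, so both encodings are checked; that, and the sample inputs, are assumptions.

```python
import re
import struct

# Protocol magic values quoted in the article: the family value Acronis documented
# and the value seen in this sample. Byte order on the wire is not stated, so both
# little- and big-endian encodings are searched (assumption).
MAGIC_VALUES = {"LOTUSLITE (Acronis)": 0x8899AABB, "this sample": 0xB2EBCFDF}
SELF_ATTRIBUTION = b"BelievemeIamMustang-Panda"
PERSISTENCE_FLAG = "-DaDaBar"


def magic_hits(blob: bytes) -> dict:
    """Return {label: [offsets]} for each magic value found in either byte order."""
    hits = {}
    for label, value in MAGIC_VALUES.items():
        for fmt in ("<I", ">I"):
            pattern = re.escape(struct.pack(fmt, value))
            offsets = [m.start() for m in re.finditer(pattern, blob)]
            if offsets:
                hits.setdefault(label, []).extend(offsets)
    return hits


def run_key_hits(run_values: dict) -> list:
    """Names of HKCU ...\\Run values whose command line carries the -DaDaBar flag.

    run_values is {value_name: command_line}, already read from the registry."""
    return [name for name, cmd in run_values.items() if PERSISTENCE_FLAG in cmd.split()]


def triage(blob: bytes, run_values: dict) -> dict:
    """Group indicators by evidential weight: behavior-linked hits vs. a bare string."""
    return {
        "magic": magic_hits(blob),
        "persistence": run_key_hits(run_values),
        # Recorded, never used for attribution: a self-description is not evidence.
        "self_attribution_string": SELF_ATTRIBUTION in blob,
    }


# Constructed inputs: a fake PE-like blob carrying this sample's magic value
# (little-endian) at offset 16 and the cleartext string; two fake Run values.
SAMPLE_BLOB = b"MZ" + b"\x00" * 14 + struct.pack("<I", 0xB2EBCFDF) + b"\x00" * 8 + SELF_ATTRIBUTION + b"\x00"
SAMPLE_RUN = {
    "KuGou": r"C:\constructed\KuGou.exe -DaDaBar",   # constructed, mirrors the flag
    "Updater": r"C:\constructed\Updater.exe /quiet",  # constructed benign entry
}

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, SAMPLE_RUN))
```

Surface details shift between samples, so a hit here is a triage prompt for behavioral analysis, not a family verdict.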
Two things make the result worth reading carefully. First, Microsoft Research is the same organization evaluating the system it built, which means the "blind" framing is a vendor posture, not an independent benchmark. The agent reached a malicious verdict using only decompiler-based tools, and the verdict is auditable, but the test was not adversarial. Second, the analyzed binary contains the literal string "BelievemeIamMustang-Panda." Ire read the string, then declined to attribute the sample. That is a deliberate epistemic choice: a self-attribution field in a binary is a string, not evidence, and Ire's report stays on static behavior analysis. Naming the actor would have been a single inference the tool chose not to make.
The detection landscape is the part most likely to shift before this story runs. On May 28, 2026, 1 of 72 VirusTotal vendors flagged the sample. By June 4, the count had moved to 7 of 70, with Microsoft, Kaspersky, Rising, Cynet, Elastic, Kingsoft, and Trend Micro HouseCall all reporting. Major endpoint detection and response platforms, including CrowdStrike Falcon, SentinelOne, Sophos, Trellix, Palo Alto Networks, and ESET, still missed it as of the same snapshot, per the Microsoft Research post. Both figures are time-sensitive. The vendor detection count and the EDR gap will move, and any claim that "EDRs miss it" should be re-checked against the current state before publication.
Ire also flagged something the reader should know about: the binary's function names reference NetFilter and driver unregistration routines that look like they describe kernel-level driver behavior. Ire called the naming pattern suspicious but stopped short of asserting that the sample is actually a driver. That distinction matters. Misclassifying a user-mode DLL as a kernel-mode threat would create a phantom detection, a false alarm that erodes trust in the agent. The choice to flag the pattern without escalating the verdict is part of why the report reads as careful rather than confident.
The honest way to read this is as a different lens, not a replacement. Signature-based detection and endpoint telemetry are silent on a sample that has never been seen before, which is exactly the case where an agent that can read code without a prior fingerprint becomes useful. Ire behaves more like a junior reverse engineer working a cold binary than like a signature engine, and the value is in expanding analyst reach on novel samples rather than in displacing the people who do this work. The blind test, the cleartext self-identification, and the moving EDR gap are the reasons a reader should treat the verdict as a real signal without treating it as a final answer.
Watch items for the next reporting cycle: a fresh VirusTotal count on the same SHA-256, a check on whether any of the major EDRs have shipped detection since June 4, and an independent read of the Ire report against the Acronis writeup to confirm the behavioral overlap holds up outside Microsoft Research.