Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
Lotus Wiper: New Destructive Malware Targets Venezuelan Energy Sector
TL;DR
A new, undocumented data wiper named Lotus Wiper has been discovered targeting Venezuela’s energy and utilities sector. Identified by Kaspersky researchers, the malware is designed for pure destruction rather than financial gain, employing a multi-stage attack chain to render systems completely inoperable.
Overview of the Attack
Cybersecurity researchers have uncovered a "novel" file wiper, dubbed Lotus Wiper, involved in a series of destructive campaigns against critical infrastructure in Venezuela. The attacks reportedly began in late 2025 and continued into early 2026.
Unlike ransomware, Lotus Wiper contains no extortion mechanisms or payment instructions. Its sole purpose appears to be the total disruption of services by destroying data and recovery mechanisms.
Timeline and Targeted Nature
Evidence suggests the attack was highly focused and meticulously planned:
- Compilation: The malware sample was compiled in late September 2025.
- Initial Discovery: An artifact was uploaded to a public platform from a machine in Venezuela in mid-December 2025.
- Context: The activity occurred weeks before U.S. military action in the region in early January 2026. While a definitive link between the two events has not been established, Kaspersky noted the wiper appeared during a surge of malware activity targeting the same region and sector.
The Attack Chain: A Multi-Stage Process
The deployment of Lotus Wiper is not a single-step event. Instead, it relies on two sophisticated batch scripts to prepare the environment and maximize damage.
Stage 1: Environment Preparation
The first batch script initiates the sequence by weakening system defenses. Notably, the script attempts to stop the Windows Interactive Services Detection (UI0Detect) service. Because that feature was removed from Windows beginning with Windows 10 version 1803, researchers believe the attackers specifically targeted an environment running older operating systems.
The script also:
- Checks for NETLOGON shares to determine if the machine is part of an Active Directory domain.
- Introduces randomized delays (up to 20 minutes) if shares are unreachable, likely an attempt to evade detection.
Stage 2: Destructive Orchestration
A second batch script handles the "heavy lifting" of system disruption before the final payload is even launched. Actions include:
- Enumerating local user accounts and logging off active sessions.
- Deactivating network interfaces to isolate the machine.
- Running the diskpart command "clean all" to wipe logical drives.
- Using the robocopy utility to overwrite or delete folder contents.
- Utilizing fsutil to create massive files that fill the entire drive, exhausting storage capacity and preventing data recovery.
The Final Payload: Lotus Wiper
Once the environment is primed, the Lotus Wiper executable is launched to finalize the destruction. Its primary functions include:
- Deleting Restore Points: Removing the ability to roll back the system.
- Physical Sector Overwrites: Writing zeroes across physical sectors.
- Journal Clearing: Erasing Update Sequence Numbers (USN) from volume journals.
- System-Wide Deletion: Erasing every file on every mounted volume.
Researcher Insights
Kaspersky researchers suggest that the attackers likely had long-term access to the target networks. "The attackers likely had knowledge of the environment and compromised the domain long before the attack occurred," the vendor stated, citing the specific targeting of older Windows functionalities.
Recommendations for Defense
Organizations—particularly those in the utilities and energy sectors—are advised to monitor for the following "living-off-the-land" (LotL) activities:
- Changes to NETLOGON shares.
- Suspicious use of native Windows utilities like fsutil, robocopy, and diskpart.
- Evidence of credential dumping or privilege escalation.
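The indicators listed above, together with the Stage 1 and Stage 2 behaviors described earlier (stopping UI0Detect, probing NETLOGON shares, and the diskpart, robocopy and fsutil usage), are concrete enough to turn into a small correlation rule. The following is an added example written for this page; it is not code from the article, from Kaspersky, or from any vendor product. It scans flattened Windows process-creation events (Sysmon Event ID 1 or Security Event ID 4688, one per line in a constructed "key=value" layout) for those living-off-the-land patterns and then scores hits per host, so that one ordinary robocopy job stays quiet while several indicators on the same machine raise an alert. The log format, the sample events, the 10 GiB fsutil threshold, the severity weights and the alert threshold are all assumptions made for illustration; the utilities and flags themselves are real Windows commands.

```python
"""Added example (not code from the article or from Kaspersky).

Scans flattened Windows process-creation events for the living-off-the-land
patterns the article attributes to the Lotus Wiper staging scripts and
correlates them per host. Log layout, sample lines and thresholds are
constructed for illustration; adapt parse_event() to your own schema.
"""
import re
from collections import defaultdict

# Severity weights per indicator and the per-host score that raises an
# alert; both values are assumptions chosen for this example.
SEVERITY = {"low": 1, "medium": 2, "high": 4}
ALERT_THRESHOLD = 5

# fsutil file createnew <path> <bytes>: anything this large or larger is
# treated as disk-filling rather than admin work (assumed threshold).
FSUTIL_LARGE_FILE_BYTES = 10 * 1024**3

# (indicator name, severity, regex over the command line)
RULES = [
    # "clean all" passed straight to diskpart, as the article describes
    ("diskpart_clean_all", "high",
     re.compile(r"\bdiskpart(\.exe)?\b.*\bclean\s+all\b", re.I)),
    # diskpart driven by a script file (/s): the destructive commands live
    # inside the file, so the command line alone cannot prove intent
    ("diskpart_script", "medium",
     re.compile(r"\bdiskpart(\.exe)?\b.*\s/s\s+\S+", re.I)),
    # robocopy mirroring/purging can delete destination contents
    ("robocopy_purge", "medium",
     re.compile(r"\brobocopy(\.exe)?\b.*\s/(MIR|PURGE)\b", re.I)),
    # stopping the Interactive Services Detection service (UI0Detect)
    ("ui0detect_stop", "medium",
     re.compile(r"\b(sc|net)(\.exe)?\b.*\bstop\b.*\bui0detect\b", re.I)),
    # a UNC reference to a NETLOGON share (assumed form of the share check)
    ("netlogon_probe", "low",
     re.compile(r"\\\\[^\\\s\"]+\\NETLOGON\b", re.I)),
]
RULE_SEVERITY = {name: sev for name, sev, _ in RULES}
RULE_SEVERITY["fsutil_large_file"] = "medium"

FSUTIL_CREATENEW = re.compile(
    r"\bfsutil(\.exe)?\b\s+file\s+createnew\s+\S+\s+(\d+)", re.I)

# Constructed one-line event layout: ts host=... user=... cmdline="..."
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline="(?P<cmd>.*)"$')


def parse_event(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmdline):
    """Return the indicator names that match a single command line."""
    hits = [name for name, _sev, rx in RULES if rx.search(cmdline)]
    m = FSUTIL_CREATENEW.search(cmdline)
    if m and int(m.group(2)) >= FSUTIL_LARGE_FILE_BYTES:
        hits.append("fsutil_large_file")
    return hits


def score(indicators):
    """Sum the severity weights of a set of distinct indicators."""
    return sum(SEVERITY[RULE_SEVERITY[i]] for i in indicators)


def analyze(lines):
    """Group indicators per host: {host: (score, sorted indicator names)}."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that do not fit the expected layout
        per_host[ev["host"]].update(classify(ev["cmd"]))
    return {h: (score(i), sorted(i)) for h, i in per_host.items() if i}


def alerts(lines):
    """Hosts whose combined indicator score reaches ALERT_THRESHOLD."""
    return sorted(h for h, (s, _) in analyze(lines).items() if s >= ALERT_THRESHOLD)


# Constructed sample events: one host showing a staged sequence, one host
# running an ordinary nightly backup job, and one unparseable line.
SAMPLE_LOG = [
    '2025-12-14T02:41:03Z host=PLANT-HMI-02 user=CORP\\svc_ops cmdline="net stop UI0Detect"',
    '2025-12-14T02:41:09Z host=PLANT-HMI-02 user=CORP\\svc_ops cmdline="dir \\\\DC01\\NETLOGON"',
    '2025-12-14T02:58:30Z host=PLANT-HMI-02 user=CORP\\svc_ops cmdline="fsutil file createnew C:\\fill.bin 400000000000"',
    '2025-12-14T02:59:12Z host=PLANT-HMI-02 user=CORP\\svc_ops cmdline="diskpart /s C:\\Temp\\dp.txt"',
    '2025-12-14T03:00:00Z host=FILESRV-01 user=CORP\\backup cmdline="robocopy D:\\Share E:\\Backup /MIR /R:1"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, (s, inds) in analyze(SAMPLE_LOG).items():
        print(f"{host}: score={s} indicators={inds}")
    print("alerts:", alerts(SAMPLE_LOG))
```

Two design points matter in practice. The diskpart rule is split in two because "clean all" is usually fed through a script file (diskpart /s), so the command line only shows the script path; catching that requires either collecting the script file contents or treating /s usage on endpoints that never run diskpart as suspicious on its own. The per-host scoring is what keeps the backup server below the alert line while the HMI host, where four distinct indicators appear within minutes, crosses it.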
Source
Title: Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
URL: https://thehackernews.com/2026/04/lotus-wiper-malware-targets-venezuelan.html