Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
Cybersecurity researchers from Kaspersky have discovered a previously undocumented data wiper named Lotus Wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. The destructive campaign has specifically targeted the energy and utilities sector in Venezuela. Two batch scripts initiate the destructive phase by preparing the environment and executing the final wiper payload across the network. The attack leaves systems in an inoperable state with no extortion or payment demands attached.
The attack begins with a batch script that drops the wiper payload. It stops the Windows Interactive Services Detection service, checks for a NETLOGON share, and accesses a remote XML file. A second batch script enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and runs the diskpart clean all command to wipe all identified logical drives. The script also mirrors folders to overwrite existing contents, deletes them using robocopy, and fills the entire drive using fsutil to exhaust storage capacity. Once launched, Lotus Wiper deletes restore points, overwrites physical sectors with zeroes, clears update sequence numbers, and erases all system files on each mounted volume.
No extortion or payment instructions were found in the malware, indicating the attack is not financially motivated. The wiper was uploaded to a public platform in mid-December 2025 from a machine in Venezuela. Kaspersky noted the sample was uploaded during a period of increased reports of malware activity targeting the same sector and region, suggesting the attack is extremely targeted in nature. The presence of functionality targeting older versions of Windows indicates attackers likely had knowledge of the environment and compromised the domain long before the attack occurred.
This attack represents a concerning escalation in destructive cyber operations targeting critical infrastructure. The absence of financial motivation suggests either state-sponsored activity or politically motivated disruption. Organisations defending critical infrastructure should monitor for NETLOGON share changes, credential dumping, privilege escalation, and the use of native Windows utilities like fsutil, robocopy, and diskpart for suspicious activity.
Click here for the original article.

