Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, according to findings from Kaspersky. The Russian cybersecurity vendor said two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload. These scripts coordinate the start of the operation across the network, weaken system defences, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper.
Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state. No extortion or payment instructions are baked into the artifact, indicating that the aggressive wiper activity is not motivated by financial gain. The attack chain begins with a batch script that triggers a multi-stage sequence responsible for dropping the wiper payload. It attempts to stop the Windows Interactive Services Detection service, checks for a NETLOGON share, and accesses a remote XML file. A second batch script enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and runs the diskpart clean all command to wipe all identified logical drives on the system. It also uses robocopy to recursively mirror folders and fsutil to create a file that fills the entire drive to exhaust storage capacity and impair recovery.
The wiper was uploaded to a publicly available platform in mid-December 2025 from a machine in Venezuela, weeks before the U.S. military action in the country in early January 2026. The sample was compiled in late September 2025. It is currently not known if these two events are related, but Kaspersky noted that the sample was uploaded during a period of increased public reports of malware activity targeting the same sector and region, suggesting the wiper attack is extremely targeted in nature. Given that the files included certain functionalities targeting older versions of the Windows operating system, the attackers likely had knowledge of the environment and compromised the domain long before the attack occurred.
This discovery highlights the ongoing threat of destructive wiper malware targeting critical infrastructure. Unlike ransomware attacks that seek financial gain, wiper attacks are designed purely to destroy data and disrupt operations. The targeting of energy and utilities sectors is particularly concerning given the potential impact on essential services. Organisations operating critical infrastructure should monitor for NETLOGON share changes, potential credential dumping or privilege escalation activity, and the use of native Windows utilities like fsutil, robocopy, and diskpart to perform destructive actions. The use of batch scripts and native Windows tools makes detection more challenging as these are legitimate utilities that can be abused by threat actors.
Click here for the original article.

