Lotus Wiper Malware Campaign Targets Venezuelan Energy Infrastructure in Coordinated Destructive Attack
Key Findings
Previously undocumented data wiper dubbed Lotus Wiper deployed against Venezuelan energy and utilities sector in late 2025 and early 2026
Multi-stage attack uses two batch scripts to disable system defenses before executing the wiper payload, which overwrites drives and deletes all recoverable data
No ransom demands present, indicating destructive intent rather than financial motivation
Malware compiled September 2025, uploaded December 2025, suggesting attackers had extended presence in target environment
Attack targets older Windows versions prior to Windows 10 version 1803, indicating attacker knowledge of specific infrastructure
Organizations advised to monitor NETLOGON shares, credential abuse, and abuse of native Windows utilities for destructive purposes
Background
Kaspersky researchers identified Lotus Wiper during a period of heightened malware activity targeting Venezuela's critical infrastructure. The discovery came amid regional tensions in late 2025 and early 2026, though the connection between the malware campaign and subsequent military action remains unclear. The wiper represents a departure from typical financially motivated cybercriminal activity, instead focusing on maximum infrastructure disruption.
Attack Chain and Initial Execution
The attack begins with a batch script called OhSyncNow.bat that checks for specific network conditions. The script attempts to stop the Windows Interactive Services Detection service, which exists only on Windows versions before Windows 10 version 1803. It then searches for a NETLOGON share and retrieves a remote XML file, likely to verify domain membership. If the local Active Directory checks fail, the script retries with randomized delays of up to 20 minutes, suggesting careful operational planning to avoid detection.
System Preparation and Defense Weakening
Once triggered, a second batch script systematically weakens the target environment before the wiper executes. The script enumerates local user accounts, disables cached logins, logs off active user sessions, and deactivates network interfaces to isolate the machine. It then executes diskpart clean all to wipe all identified logical drives. The script uses robocopy to recursively mirror and overwrite folder contents, and deploys fsutil to fill remaining disk space with large files, effectively preventing any recovery attempts through storage exhaustion.
Lotus Wiper Execution and Data Destruction
The final stage launches disguised system executables that decrypt and execute the Lotus Wiper payload with elevated privileges. The wiper deletes Windows restore points to eliminate recovery options, then systematically overwrites all physical disks by writing zeroes to every sector. It clears update sequence numbers from volume journals and uses FindFirstVolumeW and FindNextVolumeW API calls to identify all mounted volumes. For each volume, the wiper deletes all files, overwrites content with zeroes, renames files with random identifiers, and forces deletion. Files locked by running processes are scheduled for removal on reboot. The wiper repeats disk destruction multiple times and updates system disk properties to ensure changes persist, ultimately rendering systems completely unrecoverable.
Operational Indicators and Attacker Knowledge
The presence of targeting for older Windows operating systems suggests the attackers possessed detailed knowledge of the victim infrastructure before launching the attack. Kaspersky analysts determined the malware was compiled in late September 2025 but remained dormant until December when it was uploaded to a public platform from a Venezuelan machine. This timeline indicates an extended pre-attack presence in the environment, likely involving early reconnaissance, credential acquisition, and privilege escalation before the destructive payload was deployed.
Recommended Defensive Measures
Organizations should audit permissions on domain shares and continuously monitor NETLOGON for unauthorized modifications, since shared files can trigger coordinated attacks across entire networks. Security teams should watch for unusual credential abuse, token theft, and privilege escalation attempts in system logs. Detection of atypical use of built-in Windows utilities like fsutil, robocopy, and diskpart should trigger immediate investigation. Strong backup testing and recovery planning are essential to ensure critical systems and data can be restored following destructive incidents. Given the targeted nature of this campaign, organizations operating in critical infrastructure sectors should assume adversaries may have established persistent access long before any visible destructive activity occurs.
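The utility-abuse detection recommended above, as an added example that is not part of the original article or Kaspersky's report: it scores process-creation events per host against rules for the native Windows tools the campaign chains together (net, logoff, netsh, diskpart, robocopy, fsutil) and raises a host only when several distinct rules fire in sequence, so a single routine robocopy backup does not alert. The rule patterns, thresholds and the sample events are my own constructed assumptions, not indicators from the campaign.

```python
import re
from collections import defaultdict

# Detection rules: image basename plus a regex over the full command line. The
# patterns are assumptions modelled on the utility abuse described above, not Kaspersky's indicators.
RULES = {
    "user_enumeration": ("net.exe", r"(?i)\buser\s*$"),
    "forced_logoff": ("logoff.exe", r".*"),
    "interface_disable": ("netsh.exe", r"(?i)interface\s+set\s+interface\b.*admin=disable"),
    "diskpart_scripted": ("diskpart.exe", r"(?i)\s/s\s"),
    "robocopy_mirror": ("robocopy.exe", r"(?i)\s/(mir|purge)\b"),
    "fsutil_large_file": ("fsutil.exe", r"(?i)file\s+createnew\s+\S+\s+(\d+)"),
}
LARGE_FILE_BYTES = 1 << 30  # fsutil allocations of 1 GiB or more are treated as disk filler

def match_rule(name, event):
    """Return True if one process-creation event satisfies the named rule."""
    image, pattern = RULES[name]
    if event["image"].lower() != image:
        return False
    m = re.search(pattern, event["cmdline"])
    if m is None:
        return False
    if name == "fsutil_large_file":
        return int(m.group(1)) >= LARGE_FILE_BYTES
    return True

def evaluate(events, min_distinct=3):
    """Map host -> sorted rule names, keeping only hosts that hit >= min_distinct distinct rules."""
    hits = defaultdict(set)
    for ev in events:
        for name in RULES:
            if match_rule(name, ev):
                hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_distinct}

# Constructed sample events with 4688/Sysmon-style fields; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"host": "hmi-07", "image": "net.exe", "cmdline": "net user"},
    {"host": "hmi-07", "image": "logoff.exe", "cmdline": "logoff 2"},
    {"host": "hmi-07", "image": "netsh.exe", "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "hmi-07", "image": "diskpart.exe", "cmdline": "diskpart /s C:\\Windows\\Temp\\dp.txt"},
    {"host": "hmi-07", "image": "robocopy.exe", "cmdline": "robocopy C:\\junk C:\\Users /MIR /R:0"},
    {"host": "hmi-07", "image": "fsutil.exe", "cmdline": "fsutil file createnew C:\\fill.bin 4294967296"},
    {"host": "fs-02", "image": "robocopy.exe", "cmdline": "robocopy D:\\data \\\\backup\\d$ /MIR"},
]

if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

In production the events would come from a SIEM query over Event ID 4688 or Sysmon Event ID 1 with command-line auditing enabled; the per-host threshold is what keeps legitimate single uses of robocopy or diskpart from paging anyone.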