
Lotus Wiper Unleashed: Destructive Cyberattack Cripples Venezuelan Energy Sector

A sophisticated and destructive cyberattack, orchestrated by the novel Lotus Wiper malware, has targeted Venezuela's energy and utilities sector. The attack, which occurred in late 2025 and early 2026, aimed to permanently erase data and render systems inoperable, with no ransom demands or financial motives identified.

Key Takeaways

  • A new data-wiper malware, dubbed Lotus Wiper, has been used in a destructive campaign against Venezuela's energy sector.

  • The attack chain involves multiple batch scripts designed to disable defenses and prepare systems for data destruction.

  • Lotus Wiper overwrites physical drives, deletes files, and erases recovery mechanisms, leaving systems unrecoverable.

  • The attack appears highly targeted and not financially motivated, possibly linked to geopolitical tensions.

The Attack Unveiled

Cybersecurity researchers have identified a previously unknown data-wiper, named Lotus Wiper, that was deployed in attacks against Venezuela's energy and utilities sector. The campaign, which took place in late 2025 and early 2026, was characterized by its destructive nature, aiming to obliterate data rather than extort payment.

Attack Chain and Methodology

The attack begins with two batch scripts that initiate the destructive phase. These scripts work in tandem to coordinate the operation across the network, weaken system defenses, and disrupt normal operations. They then retrieve, deobfuscate, and execute the Lotus Wiper payload.

Key actions performed by the initial scripts include:

  • Disabling the legacy Windows Interactive Services Detection (UI0Detect) service to prevent visible warnings.

  • Checking for a remote XML flag file on a NETLOGON share, acting as a network-based trigger.

  • Enumerating local user accounts, changing their passwords, and disabling cached logins.

  • Logging off active sessions and disabling network interfaces to isolate machines.

  • Wiping logical drives using the diskpart clean all command.

  • Using robocopy for file mirroring to overwrite or delete contents.

  • Utilizing fsutil to create large files that fill remaining disk space, exhausting storage capacity.

Lotus Wiper's Destructive Capabilities

Once deployed, Lotus Wiper systematically erases recovery mechanisms, overwrites the content of physical drives with zeros, and deletes files across affected volumes. This process leaves the targeted systems in an inoperable and unrecoverable state.

The wiper's actions include:

  • Deleting Windows System Restore points.

  • Writing zeros across every sector of every physical drive.

  • Clearing the update sequence numbers (USN) of volume journals.

  • Scanning all mounted volumes to delete files, often renaming them with random hexadecimal strings before deletion.

Targeted and Motivated by Destruction

Analysis of the malware indicates that it was compiled in late September 2025 and uploaded to a public platform in mid-December 2025. The absence of any extortion or payment instructions suggests that the primary motivation behind this aggressive wiper activity is not financial gain. Researchers believe the attack is highly targeted, potentially linked to geopolitical tensions in the Caribbean region during late 2025 and early 2026.

Recommendations for Defense

Organizations are advised to monitor for changes in NETLOGON shares, potential credential dumping or privilege escalation activities, and the unusual use of native Windows utilities such as diskpart, robocopy, and fsutil. Maintaining robust backup strategies and regularly testing recovery plans are crucial for mitigating the impact of such destructive cyber incidents.
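As an added illustration of the monitoring advice above and of the native-utility activity listed under the attack chain, the following Python script (example code, not taken from the report or any of the cited sources) runs a small set of detection rules over constructed process-creation log lines and groups the hits by host. The command-line forms it matches (the UI0Detect service being set to disabled with sc, robocopy with /MIR, fsutil file createnew with a very large size, and clean all being fed to diskpart) are assumptions about how the described actions would appear in telemetry, as are the pipe-delimited log format, the host names and the 1 GiB size threshold.

```python
"""Detection sketch for the native-utility abuse described in the Lotus Wiper
write-up.  Rules flag individual command lines; hosts that trip several distinct
rules are escalated.  All log records below are constructed for this example."""
import re
from collections import defaultdict

# Threshold for "large file" creation via fsutil; 1 GiB is an assumption.
LARGE_FILE_BYTES = 1 << 30

# Constructed Sysmon-style process-creation records: time|host|parent|command line
SAMPLE_LOG = [
    r"2025-12-15T03:10:02Z|HOST-A|cmd.exe|sc config UI0Detect start= disabled",
    r"2025-12-15T03:10:05Z|HOST-A|cmd.exe|net user backupadmin",
    r"2025-12-15T03:10:09Z|HOST-A|cmd.exe|robocopy C:\empty D:\data /MIR /R:0 /W:0",
    r"2025-12-15T03:10:14Z|HOST-A|cmd.exe|fsutil file createnew C:\fill.bin 53687091200",
    r"2025-12-15T03:10:20Z|HOST-A|cmd.exe|cmd.exe /c (echo select disk 1 & echo clean all) | diskpart",
    r"2025-12-15T09:00:00Z|HOST-B|explorer.exe|robocopy \\fileserver\share C:\backup /E",
    r"2025-12-15T09:05:00Z|HOST-B|cmd.exe|fsutil file createnew C:\test.txt 1024",
]


def _has(cmd, *patterns):
    """True when every regex in patterns occurs somewhere in cmd (order-independent)."""
    return all(re.search(p, cmd) for p in patterns)


def matched_rules(command_line):
    """Return the names of the detection rules a single command line matches."""
    cmd = command_line.lower()
    hits = []
    # Legacy Interactive Services Detection service being switched off.
    if _has(cmd, r"\bsc(\.exe)?\b", r"\bconfig\b", r"\bui0detect\b", r"start=\s*disabled"):
        hits.append("ui0detect_disabled")
    # "clean all" reaching diskpart, whether on its own command line or piped in.
    if _has(cmd, r"\bdiskpart(\.exe)?\b", r"\bclean\s+all\b"):
        hits.append("diskpart_clean_all")
    # Mirror mode deletes destination content not present at the source.
    if _has(cmd, r"\brobocopy(\.exe)?\b", r"(^|\s)/mir\b"):
        hits.append("robocopy_mirror")
    # fsutil file createnew <path> <bytes>: flag only when the size is large.
    m = re.search(r"\bfsutil(\.exe)?\b.*\bfile\s+createnew\s+\S+\s+(\d+)", cmd)
    if m and int(m.group(2)) >= LARGE_FILE_BYTES:
        hits.append("fsutil_large_file")
    return hits


def scan_log(lines):
    """Map each host to the sorted set of rule names its commands triggered."""
    per_host = defaultdict(set)
    for line in lines:
        fields = line.split("|", 3)
        if len(fields) != 4:
            continue  # malformed record; skip rather than crash the scan
        _ts, host, _parent, cmd = fields
        per_host[host].update(matched_rules(cmd))
    return {host: sorted(rules) for host, rules in per_host.items() if rules}


def hosts_to_escalate(lines, min_rules=2):
    """Hosts matching at least min_rules distinct rules in the same log window."""
    return sorted(h for h, rules in scan_log(lines).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for host, rules in scan_log(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(rules)}")
    print("escalate:", hosts_to_escalate(SAMPLE_LOG))
```

Requiring two or more distinct rules per host keeps a lone administrator's robocopy /MIR or fsutil test file from paging anyone, while the chained pattern on HOST-A (defenses disabled, then mirroring, disk filling and a disk wipe in quick succession) stands out clearly.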

Sources

  • Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack, The Hacker News.

  • Venezuela energy sector targeted by highly destructive Lotus wiper, Security Affairs.

  • Highly destructive Lotus Wiper used in a targeted attack, Securelist.

  • New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention, SecurityWeek.

  • Hackers Use Lotus Wiper To Destroy Drives In Energy Sector Cyberattack, Cyber Press.
