Ethical Hacking News
Cybersecurity researchers from Kaspersky have uncovered a previously unknown data wiper known as Lotus Wiper, which has been used in attacks targeting Venezuela's energy systems. The attackers seem to have had prior knowledge of the environment and used sophisticated tactics to cripple the nation's critical infrastructure, leaving its systems inoperable.
Lotus Wiper is a previously undocumented data-wiping malware used in attacks targeting Venezuela's energy and utilities sector. The attack uses coordinated batch scripts to initiate the destructive phase, weaken system defenses, and disrupt normal operations. The wiper erases recovery mechanisms, overwrites physical drives, and systematically deletes files across affected volumes, leaving systems inoperable. The attack is not motivated by financial gain, indicating a desire to cause significant disruption and harm. The attackers appear to have had knowledge of the domain before the attack, suggesting a sophisticated level of planning and highlighting the importance of robust cybersecurity measures.
In a disturbing revelation, cybersecurity researchers from Kaspersky have discovered a previously undocumented data wiper, dubbed Lotus Wiper, which has been used in attacks targeting the energy and utilities sector in Venezuela at the end of last year and the start of 2026. This malicious software was employed in a destructive campaign aimed at crippling the nation's critical infrastructure, leaving its systems inoperable.
According to Kaspersky, two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload. These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper. This coordinated approach underscores the sophisticated nature of the attackers' tactics.
Once deployed, the Lotus Wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state. The attack does not appear to be motivated by financial gain, as no extortion or payment instructions are embedded within the artifact. This indicates that the aggressive wiper activity is not driven by monetary interests but rather a desire to cause significant disruption and harm.
It's worth noting that the sample of the Lotus Wiper was uploaded to a publicly available platform in mid-December 2025 from a machine in Venezuela, weeks before the U.S. military action in the country in early January 2026. While it is currently unclear whether these two events are related, Kaspersky observed that the sample was compiled during a period of increased public reports of malware activity targeting the same sector and region, suggesting the wiper attack is highly targeted in nature.
The attack chain begins with a batch script designed to trigger a multi-stage sequence responsible for dropping the wiper payload. Specifically, it attempts to stop the Windows Interactive Services Detection (UI0Detect) service, which is used to alert users when a background service running in Session 0 attempts to display a graphical interface or interactive dialog. This service has been removed from modern versions of Windows.
The script then checks for a NETLOGON share and accesses a remote XML file; if the remote file is not found, the script exits. It then checks for the presence of a corresponding file with the same name in a local directory defined previously ("C:\lotus" or "%SystemDrive%\lotus"). Irrespective of whether such a local file exists, it proceeds to execute a second batch script. The local check most likely tries to determine whether the machine is part of an Active Directory domain.
In cases where the NETLOGON share is initially unreachable, the script introduces a randomized delay of up to 20 minutes before retrying the remote check. This retry logic lets the attack continue when defensive controls or target systems are temporarily unavailable at the time of the attack.
The second batch script, if not run already, enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and runs the "diskpart clean all" command to wipe all identified logical drives on the system. This comprehensive approach targets all aspects of a compromised system, making recovery extremely challenging.
It also recursively mirrors folders to overwrite existing contents or delete them using the robocopy command-line utility, calculates available free space, and utilizes fsutil to create a file that fills the entire drive to exhaust storage capacity and impair recovery.
Once the compromised environment is prepared for destructive activity, the Lotus Wiper is launched to delete restore points, overwrite physical sectors by writing all zeroes, clear the update sequence numbers (USN) of the volumes' journals, and erase all the system's files for each mounted volume. The attackers likely had knowledge of the environment and compromised the domain long before the attack occurred, given that the files included certain functionalities targeting older versions of the Windows operating system.
Given these details of the inner workings of the Lotus Wiper, organizations and government agencies are advised to monitor for NETLOGON share changes, potential credential dumping or privilege escalation activity, and the use of native Windows utilities like fsutil, robocopy, and diskpart to perform destructive actions. The fact that the attackers appear to have had knowledge of the domain before the attack suggests a sophisticated level of planning, underscoring the importance of robust cybersecurity measures.
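As an added example that is not part of the original article or of Kaspersky's report, the following Python sketch shows how the monitoring advice above can be turned into detection logic: it flags process-creation records that stop the UI0Detect service or invoke diskpart, robocopy in mirror/purge mode, or fsutil to create a very large file, and raises a host-level alert when several distinct indicators occur within a short window. The sample events, the simplified (host, timestamp, command line) record format, the 10 GiB fill threshold and the 15-minute window are all constructed assumptions; the robocopy /MIR and fsutil file createnew command forms are standard Windows usage assumed here, not command lines quoted from the incident.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, epoch_seconds, command line); illustrative only.
SAMPLE_EVENTS = [
    ("WS-ENERGY-01", 1000, "net stop UI0Detect"),
    ("WS-ENERGY-01", 1060, r"diskpart /s C:\lotus\script.txt"),
    ("WS-ENERGY-01", 1075, r"robocopy C:\lotus\empty D:\data /MIR /R:0"),
    ("WS-ENERGY-01", 1090, r"fsutil file createnew D:\fill.bin 800000000000"),
    ("FILESRV-02", 5000, r"robocopy \\nas\share D:\backup /E"),  # ordinary copy, no /MIR
    ("ADMIN-PC", 7000, r"fsutil file createnew C:\tmp\t.bin 1048576"),  # small test file
]
# Rules are matched against the lower-cased command line.
RULES = [
    ("stop_ui0detect", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+ui0detect\b")),
    ("diskpart", re.compile(r"\bdiskpart(\.exe)?\b")),
    ("robocopy_mirror", re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b")),
    ("fsutil_fill", re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\s+\S+\s+(\d+)\b")),
]
FILL_THRESHOLD_BYTES = 10 * 1024**3  # createnew above 10 GiB is treated as disk filling (assumed)
WINDOW_SECONDS = 900                 # hits on one host within 15 minutes are correlated (assumed)
MIN_DISTINCT = 3                     # distinct rules needed for a destructive-sequence alert

def match_event(cmdline):
    # Return the rule names a single command line triggers.
    hits = []
    lowered = cmdline.lower()
    for name, pattern in RULES:
        m = pattern.search(lowered)
        if not m:
            continue
        if name == "fsutil_fill" and int(m.group(2)) < FILL_THRESHOLD_BYTES:
            continue  # routine small createnew calls are not storage exhaustion
        hits.append(name)
    return hits

def correlate(events, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT):
    # Map host -> sorted list of distinct rules seen inside one sliding window.
    per_host = defaultdict(list)
    for host, ts, cmdline in events:
        for name in match_event(cmdline):
            per_host[host].append((ts, name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {n for ts, n in hits[i:] if ts - start <= window}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` alerts only on WS-ENERGY-01, where four distinct indicators fall inside one window, while the routine robocopy copy and the small fsutil test file on other hosts produce nothing.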
Related Information:
https://www.ethicalhackingnews.com/articles/Lotus-Wiper-Malware-Targets-Venezuelan-Energy-Systems-in-Destructive-Attack-ehn.shtml
https://thehackernews.com/2026/04/lotus-wiper-malware-targets-venezuelan.html
https://cyberpress.org/lotus-wiper-hits-energy/
Published: Wed Apr 22 08:39:14 2026 by llama3.2 3B Q4_K_M