
Lotus Wiper

By Mezo in Malware

Cybersecurity analysts have identified a previously undocumented data-wiping malware, now known as Lotus Wiper, deployed in targeted attacks against Venezuela’s energy and utilities sector between late 2025 and early 2026. This malware is designed for maximum destruction, rendering infected systems completely inoperable.

Coordinated Attack Execution: Multi-Stage Deployment

The attack relies on two batch scripts that orchestrate a carefully staged operation. The scripts synchronize activity across the network, weaken host defenses, and disrupt normal operation before the final payload is launched. They are also responsible for retrieving, deobfuscating, and executing the wiper component, so that the destructive phase begins as soon as preparation is complete.

Systematic Destruction: How Lotus Wiper Operates

Once activated, Lotus Wiper executes a comprehensive data eradication process that eliminates both system functionality and recovery options. Its destructive capabilities include:

  • Removal of recovery mechanisms, including restore points
  • Overwriting physical drive sectors with zeroed data
  • Deletion of files across all mounted volumes
  • Deletion of the NTFS Update Sequence Number (USN) change journal on each volume, removing the record of recent file changes

These actions collectively ensure that affected systems cannot be restored or rebuilt through conventional means.

Indicators of Intent: Not Financially Motivated

Unlike ransomware, Lotus Wiper contains no extortion messages or payment instructions. This absence strongly suggests that the campaign is not driven by financial objectives but rather by sabotage or geopolitical motives. Notably, the malware sample was uploaded publicly in mid-December 2025 from a Venezuelan system, shortly before U.S. military activity in January 2026. Although no direct link has been confirmed, the timing coincides with increased reports of cyber activity targeting the same sector, indicating a highly focused operation.

Targeting Legacy Systems: Exploiting Outdated Environments

The attack chain begins with a batch script that initiates a multi-stage process. One of its early actions is an attempt to disable the Windows Interactive Services Detection service (UI0Detect). Because UI0Detect was removed from Windows 10 starting with version 1803, its presence in the script indicates that the malware was written with older operating systems in mind.

The script also checks for the presence of a NETLOGON share and retrieves a remote XML file from it, comparing that file with a locally stored copy in a directory such as C:\lotus or %SystemDrive%\lotus. This behavior likely serves to confirm that the system is joined to an Active Directory domain. If the remote file cannot be retrieved, the script exits; otherwise it continues, optionally inserting a randomized delay of up to 20 minutes before retrying the connection.
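Because the first stage depends on a file served from the NETLOGON share, the share itself is a useful tripwire for defenders. The following is an added example, not code from the analysis or from the malware: it snapshots every file under a share path into SHA-256 digests and diffs a later snapshot against that baseline. A temporary directory stands in for \\<dc>\NETLOGON so it runs offline, and the file names written into it (logon.bat, config.xml) are constructed for the demonstration.

```python
"""Baseline-and-diff check for the contents of a NETLOGON share (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 hex digest."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff(baseline, current):
    """Return the files that were added, removed, or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a logon script is edited and an unexpected XML file
    appears in the share, which is the kind of staging the write-up describes."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)  # stands in for \\<dc>\NETLOGON (assumption: share mounted as a path)
        (share / "logon.bat").write_text("net use H: \\\\fs01\\home\n")
        base = snapshot(share)

        # Changes an operator did not make.
        (share / "config.xml").write_text("<cfg/>")
        (share / "logon.bat").write_text("net use H: \\\\fs01\\home\ncall \\\\fs01\\netlogon\\stage.bat\n")
        return diff(base, snapshot(share))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline would be written to disk (for example as JSON) after each approved change to the share, and the diff scheduled to run from a host that is not a domain controller, so that a compromised DC cannot silently rewrite both the share and the baseline.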

Environment Preparation: Disabling and Disrupting Systems

The second batch script prepares the compromised system for destruction by systematically weakening its operational state. Its actions include:

  • Enumerating local user accounts and disabling cached credentials
  • Logging off active user sessions
  • Disabling network interfaces
  • Running diskpart with the clean all command, which zeroes every sector of the selected disk and destroys its partitions and volumes

In addition, it leverages native Windows utilities: robocopy is used to overwrite or delete files, and fsutil is used to create large files that consume all remaining disk space, leaving no room for recovery tools or restored data.

Final Payload Execution: Irreversible Damage

After preparation, the Lotus Wiper payload is deployed. It completes the destruction process by deleting restore points, overwriting physical sectors, clearing journal records, and removing all system files across mounted volumes. At this stage, recovery becomes virtually impossible without external backups.

Defensive Recommendations: Monitoring and Mitigation

Organizations, particularly those in critical infrastructure sectors, should adopt proactive monitoring and detection strategies. Key areas of focus include:

  • Monitoring changes to NETLOGON shares
  • Detecting credential dumping or privilege escalation attempts
  • Tracking unusual use of native tools such as fsutil, robocopy, and diskpart
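The tool abuse listed above is visible in process-creation telemetry (Sysmon event 1 or Security event 4688) if the command lines are collected. The following is an added example, not code from the analysis: it runs a small rule set over constructed process-creation records that mirror the two batch scripts' behaviour and then correlates hits per host, so that a single administrative robocopy does not page anyone while the full preparation-and-wipe chain does. The exact command-line flags in the rules (sc stop, netsh admin=disable, diskpart /s, fsutil usn deletejournal, fsutil file createnew, robocopy /MIR or /PURGE) and the CachedLogonsCount registry edit are my assumptions about how each listed action would be carried out; the sample does not publish its command lines, and the host names, paths, and timestamps are constructed.

```python
"""Rule-based detection of Lotus Wiper-style native-tool abuse (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    host: str
    when: datetime
    rule: str
    severity: int
    cmdline: str


# (rule name, severity 1-5, regex over the lower-cased command line). The
# flags are assumed forms of the behaviours the write-up lists, not the
# sample's own command lines.
RULES = [
    ("ui0detect_service_tamper", 2,
     re.compile(r"\bsc(\.exe)?\s+(stop|config|delete)\s+ui0detect\b")),
    ("cached_logon_disable", 3,  # assumption: CachedLogonsCount set to 0 via reg.exe
     re.compile(r"\breg(\.exe)?\s+add\b.*winlogon.*cachedlogonscount.*\s/d\s+0\b")),
    ("local_account_enum", 1,
     re.compile(r"\bnet1?(\.exe)?\s+user\s*$")),
    ("session_logoff", 2,
     re.compile(r"\blogoff(\.exe)?\s+\d+")),
    ("nic_disable", 3,
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*admin\s*=\s*disable")),
    ("diskpart_scripted", 4,  # 'clean all' sits inside the /s script file, not the command line
     re.compile(r"\bdiskpart(\.exe)?\s+/s\b")),
    ("fsutil_usn_journal_delete", 5,
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b")),
    ("fsutil_disk_fill", 4,  # createnew with a size of 10+ digits (roughly >= 1 GB)
     re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\s+\S+\s+\d{10,}\b")),
    ("robocopy_purge", 4,
     re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b")),
]


def scan(events):
    """Apply every rule to each record; a record may fire several rules."""
    found = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        when = datetime.fromisoformat(ev["time"])
        for name, sev, rx in RULES:
            if rx.search(cmd):
                found.append(Detection(ev["host"], when, name, sev, ev["cmdline"]))
    return found


def correlate(detections, window=timedelta(minutes=30), min_rules=3):
    """Return {host: [rules]} for hosts where any severity-5 rule fired, or where
    at least min_rules distinct rules fired inside one sliding time window."""
    by_host = {}
    for d in detections:
        by_host.setdefault(d.host, []).append(d)
    alerts = {}
    for host, ds in by_host.items():
        ds.sort(key=lambda d: d.when)
        if any(d.severity >= 5 for d in ds):
            alerts[host] = sorted({d.rule for d in ds})
            continue
        for i, first in enumerate(ds):
            in_window = {d.rule for d in ds[i:] if d.when - first.when <= window}
            if len(in_window) >= min_rules:
                alerts[host] = sorted(in_window)
                break
    return alerts


# Constructed process-creation records: one host running the full chain and
# one host doing routine backup work that trips a single rule.
SAMPLE_EVENTS = [
    {"host": "scada-hmi-07", "time": "2025-12-10T03:10:00", "cmdline": "sc stop UI0Detect"},
    {"host": "scada-hmi-07", "time": "2025-12-10T03:10:05", "cmdline": "net user"},
    {"host": "scada-hmi-07", "time": "2025-12-10T03:11:40",
     "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "scada-hmi-07", "time": "2025-12-10T03:12:00",
     "cmdline": "fsutil file createnew C:\\lotus\\fill.bin 107374182400"},
    {"host": "scada-hmi-07", "time": "2025-12-10T03:12:20",
     "cmdline": "diskpart /s C:\\Windows\\Temp\\dp.txt"},
    {"host": "scada-hmi-07", "time": "2025-12-10T03:12:30", "cmdline": "fsutil usn deletejournal /D C:"},
    {"host": "fileserver-02", "time": "2025-12-10T22:00:00",
     "cmdline": "robocopy D:\\data E:\\backup /MIR /R:1"},
    {"host": "fileserver-02", "time": "2025-12-10T22:05:00",
     "cmdline": "fsutil file createnew C:\\swap.tmp 1048576"},
]


if __name__ == "__main__":
    for host, rules in correlate(scan(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

The severity-5 shortcut exists because USN journal deletion has almost no legitimate interactive use and is one of the last steps before data loss; by the time three lower-severity rules accumulate, the wipe may already be under way, so the journal rule should alert on its own.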

Strategic Insight: Evidence of Prior Compromise

The presence of functionality tailored to outdated Windows environments suggests prior reconnaissance and long-term access. Attackers likely had detailed knowledge of the targeted infrastructure and may have compromised domain environments well before launching the destructive phase.
