Cybersecurity researchers have identified a previously undocumented data-wiping malware named Lotus Wiper that has been used in destructive attacks targeting Venezuela’s energy and utilities sector. According to findings from Kaspersky, the malware was observed in campaigns taking place toward the end of 2025 and continuing into early 2026. The tool is designed specifically for destructive operations, focusing on disabling systems rather than on financial exploitation or data theft.
The attack begins with a set of batch scripts that prepare the environment and initiate the destructive phase. These scripts coordinate execution across targeted networks, weaken system defenses, and disrupt normal operations before deploying the final wiper payload. Researchers noted that the scripts are responsible for retrieving, deobfuscating, and executing the malware in a controlled sequence. Once active, Lotus Wiper removes recovery mechanisms, overwrites physical disk contents, and systematically deletes files across all available volumes, rendering affected systems inoperable and unrecoverable through standard restoration methods.
Kaspersky reported that no extortion demands or ransom instructions are included in the malware, indicating that the intent is purely destructive rather than financially motivated. A sample of Lotus Wiper was uploaded to a publicly accessible platform in mid-December 2025 from a machine located in Venezuela, with a compilation timestamp dating back to late September 2025. Researchers also observed that the upload occurred during a period of increased malware activity targeting the same region and industry, suggesting a highly focused and potentially premeditated operation aimed at disrupting critical infrastructure.
The initial stage of the attack involves a batch script that attempts to stop the Windows Interactive Services Detection service, also known as UI0Detect, which is responsible for alerting users when system-level processes attempt to display interactive elements. The presence of this step suggests that the malware is designed to operate on older Windows environments, specifically versions prior to Windows 10 version 1803, where the feature still existed. The script then checks for the presence of a NETLOGON share and attempts to retrieve a remote XML file. It also verifies whether a corresponding file exists in a local directory such as C:\lotus or %SystemDrive%\lotus, which Kaspersky believes may be used to determine whether the infected machine is part of an Active Directory domain. If the remote file is unavailable, the script introduces a randomized delay of up to twenty minutes before retrying access, indicating a persistence mechanism built into the infection chain.
A second batch script then executes if these conditions are met, escalating the attack to system-level disruption. It enumerates local user accounts, disables cached logins, logs off active sessions, and disables network interfaces. It then executes the diskpart clean all command, which wipes all logical drives on the system. Additional actions include recursive file overwriting using robocopy, disk exhaustion through fsutil by filling available storage space, and systematic deletion of local data. These steps ensure that both active and stored data become inaccessible while also preventing recovery attempts through conventional system tools.
Once preparation is complete, the Lotus Wiper payload is executed to carry out irreversible destruction. The malware deletes system restore points, overwrites physical disk sectors with zero values, clears update sequence numbers from volume journals, and erases all system files across mounted volumes. Kaspersky noted that the combination of these actions results in full system failure and permanent data loss across affected environments. Security researchers have advised organizations, particularly those in government and energy sectors, to monitor NETLOGON activity, detect unusual use of administrative utilities such as fsutil, robocopy, and diskpart, and investigate potential privilege escalation or credential dumping behavior.
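As an added illustration of the monitoring advice above (this is not code from Kaspersky or from the report), the following Python scores constructed process-creation events per host for the utilities the article names and the lotus staging directory; the event field names, hostnames, file names and rule weights are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon EID 1 / Windows 4688 style).
# Hostnames, paths and file names are made up for the example, not campaign IoCs.
SAMPLE_EVENTS = [
    {"ts": "2025-12-14T02:01:05", "host": "SRV-OPS-01", "cmdline": "net stop UI0Detect"},
    {"ts": "2025-12-14T02:01:08", "host": "SRV-OPS-01",
     "cmdline": r"cmd.exe /c dir \\DC01\NETLOGON\config.xml"},
    {"ts": "2025-12-14T02:03:40", "host": "SRV-OPS-01",
     "cmdline": r"diskpart.exe /s C:\lotus\clean.txt"},
    {"ts": "2025-12-14T02:03:41", "host": "SRV-OPS-01",
     "cmdline": r"fsutil file createnew C:\lotus\fill.bin 999999999999"},
    {"ts": "2025-12-14T02:03:42", "host": "SRV-OPS-01",
     "cmdline": r"robocopy C:\empty C:\Users /MIR /R:0"},
    # Benign-looking nightly backup on another host: robocopy without purge flags.
    {"ts": "2025-12-14T09:15:00", "host": "WS-HR-07",
     "cmdline": r"robocopy D:\backup \\nas\backup /E"},
]

# (rule name, weight, pattern). Each utility is legitimate on its own, so no single
# rule alerts; the weights are summed per host to catch the preparation sequence.
RULES = [
    ("stop_ui0detect", 2, re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+UI0Detect\b", re.I)),
    ("netlogon_access", 1, re.compile(r"\\\\[^\\\s]+\\NETLOGON\\", re.I)),
    ("lotus_dir", 2, re.compile(r"(?:%SystemDrive%|[A-Z]:)\\lotus(?:\\|\b)", re.I)),
    ("diskpart_invocation", 3, re.compile(r"\bdiskpart(\.exe)?\b", re.I)),
    ("fsutil_disk_fill", 3, re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\b", re.I)),
    ("robocopy_purge", 2, re.compile(r"\brobocopy(\.exe)?\b.*\s/(MIR|PURGE)\b", re.I)),
]
WEIGHTS = {name: weight for name, weight, _ in RULES}


def evaluate_event(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, _, pattern in RULES if pattern.search(event["cmdline"])]


def score_hosts(events, threshold=5):
    """Aggregate distinct rule hits per host and return {host: (score, [rules])}
    for hosts whose summed weights reach the threshold."""
    hits = defaultdict(dict)
    for event in events:
        for name in evaluate_event(event):
            hits[event["host"]][name] = WEIGHTS[name]
    return {host: (sum(rules.values()), sorted(rules))
            for host, rules in hits.items() if sum(rules.values()) >= threshold}


if __name__ == "__main__":
    for host, (score, rules) in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} score={score} rules={rules}")
```

In production the per-host aggregation should be bounded by a time window, and the diskpart and robocopy rules tuned against scheduled maintenance to keep false positives down.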
Kaspersky also stated that the inclusion of features targeting older Windows systems suggests the attackers likely had prior knowledge of the environment and may have maintained long-term access before deploying the final destructive payload.