{"id":675,"date":"2026-04-22T11:53:01","date_gmt":"2026-04-22T11:53:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=675"},"modified":"2026-04-22T11:53:01","modified_gmt":"2026-04-22T11:53:01","slug":"lotus-wiper-malware-targets-venezuelan-energy-systems-in-destructive-attack","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=675","title":{"rendered":"Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 22, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Critical Infrastructure<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026.<\/p>\n<p>Dubbed <strong>Lotus Wiper<\/strong>, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky.<\/p>\n<p>\"Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload,\" the Russian cybersecurity vendor <a href=\"https:\/\/securelist.com\/tr\/lotus-wiper\/119472\/\">said<\/a>. \"These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper.\"<\/p>\n<p>Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state.<\/p>\n<p>No extortion or payment instructions are baked into the artifact, indicating that the aggressive wiper activity is not motivated by financial gain. It&#8217;s worth noting that the wiper was uploaded to a publicly available platform in mid-December 2025 from a machine in Venezuela, weeks before the <a href=\"https:\/\/en.wikipedia.org\/wiki\/2026_United_States_intervention_in_Venezuela\">U.S. military action in the country<\/a> in early January 2026. The sample was compiled in late September 2025.<\/p>\n<p>It&#8217;s currently not known if these two events are related, but Kaspersky noted that the sample was uploaded \"during a period of increased public reports of malware activity targeting the same sector and region,\" suggesting the wiper attack is extremely targeted in nature.<\/p>\n<p>The attack chain begins with a batch script that triggers a multi-stage sequence responsible for dropping the wiper payload. 
Specifically, it attempts to stop the Windows Interactive Services Detection (UI0Detect) service, which is used to alert users when a background service running in Session 0 attempts to display a graphical interface or interactive dialog.<\/p>\n<p>UI0Detect has been removed from modern versions of Windows. The presence of this step indicates that the batch script is designed to operate on machines running versions prior to Windows 10 version 1803, which eliminated the feature.<\/p>\n<p>The script then checks for a NETLOGON share and accesses a remote XML file, after which it checks for the presence of a corresponding file with the same name in a local directory defined previously (\"C:\\lotus\" or \"%SystemDrive%\\lotus\"). Irrespective of whether such a local file exists, it proceeds to execute a second batch script.<\/p>\n<p>\"The local check most likely tries to determine whether the machine is part of an Active Directory domain,\" Kaspersky said. \"If the remote file is not found, the script exits. 
In cases where the NETLOGON share is initially unreachable, the script introduces a randomized delay of up to 20 minutes before retrying the remote check.\"<\/p>\n<p>The second batch script, if not run already, enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and runs the \"diskpart clean all\" command to wipe all identified logical drives on the system.<\/p>\n<p>It also uses the robocopy command-line utility to recursively mirror folders, overwriting or deleting their existing contents, and calculates the available free space so that fsutil can create a file that fills the entire drive, exhausting storage capacity and impairing recovery.<\/p>\n<p>Once the compromised environment is prepared for destructive activity, the Lotus Wiper is launched to delete restore points, overwrite physical sectors by writing all zeroes, clear the update sequence number (USN) journals of the volumes, and erase all the system&#8217;s files for each mounted volume.<\/p>\n<p>Organizations, including government entities, are advised to monitor for NETLOGON share changes, potential credential dumping or privilege escalation activity, and the use of native Windows utilities like fsutil, robocopy, and diskpart to perform the destructive actions.<\/p>\n<p>\"Given that the files included certain functionalities targeting older versions of 
the Windows operating system, the attackers likely had knowledge of the environment and compromised the domain long before the attack occurred,\" Kaspersky said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 22, 2026Malware \/ Critical Infrastructure Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year&hellip;<\/p>\n","protected":false},"author":1,"featured_media":676,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,1355,1354,1352,42,224,78,1353,823],"class_list":["post-675","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-destructive","tag-energy","tag-lotus","tag-malware","tag-systems","tag-targets","tag-venezuelan","tag-wiper"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=675"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/675\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/676"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.
php?rest_route=%2Fwp%2Fv2%2Fcategories&post=675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}