Researchers find Lotus Wiper targeting Venezuela’s energy and utilities sector

A previously undocumented data wiper called Lotus Wiper was used in destructive attacks against Venezuela’s energy and utilities sector in late 2025 and early 2026, with the campaign erasing recovery mechanisms, overwriting drive contents and deleting files across affected systems.

KEY FACTS

  • Target: Energy and utilities organizations in Venezuela
  • Timing: Activity was seen at the end of 2025 and the start of 2026
  • Behavior: The wiper deletes restore points and overwrites physical sectors
  • Tooling: Attackers used batch files and Windows utilities such as diskpart, robocopy and fsutil
  • Unknowns: It is not known whether the sample upload and U.S. military action in January 2026 are related

The report said two batch scripts started the destructive phase, weakened defenses and then launched the wiper payload. One script tried to stop the Windows Interactive Services Detection service, checked for a NETLOGON share and looked for a related XML file before continuing.

If the remote file was not found, the script exited. When the share was unreachable, it used a randomized delay of up to 20 minutes before retrying. The second script enumerated local accounts, disabled cached logins, logged off active sessions, deactivated network interfaces and ran diskpart clean all.

The disclosure said the malware also mirrored folders with robocopy, filled available disk space with fsutil and then deleted restore points, cleared volume journal data and overwrote physical sectors with zeroes. The sample was compiled in late September 2025 and uploaded from a machine in Venezuela in mid-December 2025.

Kaspersky said the presence of code aimed at older Windows versions suggests the attackers knew the environment and may have had domain access well before the destructive step began. It also said no extortion note or payment request was included.

WHY IT MATTERS

The attack shows how wiper malware can render systems unusable without any financial demand, making recovery the main challenge for victims. Monitoring for NETLOGON activity, privilege escalation and native Windows tools used for destructive actions can help organizations spot similar intrusions earlier.
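As an added illustration of that monitoring advice (example code written for this article, not Kaspersky's or the report's own detection logic), the Python below correlates destructive-tool indicators in constructed, Sysmon-style process-creation records per host. The behaviours it looks for (NETLOGON share access, disabling cached logons, disabling network interfaces, diskpart clean all, robocopy mirroring, fsutil space-filling or journal clearing) come from the article; the exact command-line forms, the 30-minute window, the threshold of three distinct indicators, and the host, user and path names are assumptions.

```python
"""Per-host correlation of native-tool wiper indicators (added example, not from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator rules: name -> regex applied to the command line plus any captured script body.
# The behaviours come from the article; the exact command-line syntax is an assumption.
RULES = {
    "netlogon_share_access":  re.compile(r"\\\\[^\\\s]+\\NETLOGON\b", re.I),
    "cached_logons_disabled": re.compile(r"CachedLogonsCount.*\b0\b", re.I),
    "nic_disabled":           re.compile(r"\bnetsh\b.*\binterface\b.*admin\s*=\s*disable", re.I),
    # diskpart normally reads its commands from a script file (/s), so the collector
    # must capture the script body for the 'clean all' rule to fire.
    "diskpart_clean_all":     re.compile(r"\bdiskpart\b.*\bclean\s+all\b", re.I | re.S),
    "robocopy_mirror":        re.compile(r"\brobocopy\b.*\s/mir\b", re.I),
    "fsutil_fill_or_usn":     re.compile(r"\bfsutil\b\s+(file\s+createnew|usn\s+deletejournal)\b", re.I),
}

WINDOW = timedelta(minutes=30)   # assumed correlation window
THRESHOLD = 3                    # distinct indicators on one host inside WINDOW -> alert


def match_rules(text):
    """Return the set of rule names whose regex matches the given text."""
    return {name for name, rx in RULES.items() if rx.search(text)}


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: sorted indicator names} for every host that accumulates at least
    `threshold` distinct indicators within any sliding window of length `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = match_rules(ev["cmdline"] + "\n" + ev.get("script", ""))
        if hits:
            by_host[ev["host"]].append((ev["ts"], hits))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, names in hits[i:]:
                if t - t0 > window:
                    break
                seen |= names
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (hosts, users, paths and times are invented).
SAMPLE_EVENTS = [
    {"ts": _ts("2026-01-09T02:10:00"), "host": "FILESRV-01", "user": "CORP\\svc_backup",
     "cmdline": r"net use \\DC01\NETLOGON"},
    {"ts": _ts("2026-01-09T02:11:30"), "host": "FILESRV-01", "user": "CORP\\svc_backup",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f'},
    {"ts": _ts("2026-01-09T02:12:05"), "host": "FILESRV-01", "user": "CORP\\svc_backup",
     "cmdline": r'netsh interface set interface "Ethernet" admin=disable'},
    {"ts": _ts("2026-01-09T02:12:40"), "host": "FILESRV-01", "user": "CORP\\svc_backup",
     "cmdline": r"diskpart /s C:\Windows\Temp\dp.txt",
     "script": "clean all"},           # captured script body (assumed collector capability)
    # Benign-looking activity on another host: a scheduled mirror copy, and a USN
    # journal reset two hours later, never reach three indicators inside one window.
    {"ts": _ts("2026-01-09T03:00:00"), "host": "WS-042", "user": "CORP\\jdoe",
     "cmdline": r"robocopy D:\data \\NAS01\backup /MIR /R:1"},
    {"ts": _ts("2026-01-09T05:00:00"), "host": "WS-042", "user": "CORP\\jdoe",
     "cmdline": r"fsutil usn deletejournal /D C:"},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

Any single rule here fires routinely in normal administration, which is why the example alerts only on several distinct indicators clustering on one host within a short window; tuning the window and threshold to an environment's own baseline is the practical work this sketch leaves out.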