New 'Lotus' Wiper Malware Targets Venezuelan Energy Sector, Erasing Data and Recovery Options
A previously undocumented data-wiping malware, dubbed **Lotus**, has been deployed against energy and utilities organizations in Venezuela. **Kaspersky** researchers analyzed a sample that was uploaded to a public platform in mid-December, revealing its capability to completely destroy compromised systems by overwriting physical drives and eliminating recovery options.

Last year saw targeted attacks against Venezuelan energy and utilities firms employing a new data wiper called **Lotus**. The malware's purpose is complete system destruction.
The malware was uploaded to a public platform in mid-December from a Venezuelan machine, and subsequently analyzed by **Kaspersky**.
Before the final destructive stage, the attacker uses two batch scripts to weaken defenses and disrupt normal operations.
According to researchers, the **Lotus** data-wiping malware is designed to completely destroy systems by overwriting physical drives and eliminating recovery options.
"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state," **Kaspersky** stated in their report.
The timing of the attacks aligns with geopolitical tensions in the region, which culminated in January with the capture of Venezuela's then-president, Nicolás Maduro.
Around mid-December 2025, the state-owned oil company **Petróleos de Venezuela (PDVSA)** suffered a cyberattack that disabled its delivery systems. The organization blamed the United States for the incident. While there is no direct evidence linking the **Lotus** wiper to the **PDVSA** attack, the timing is notable.
### Preliminary Activity
**Kaspersky**'s report details that the attacks begin with the execution of a batch script (OhSyncNow.bat) which disables the Windows *"UI0Detect"* (Interactive Services Detection) service and performs an XML file check to coordinate execution across domain-joined systems.
A second-stage script (notesreg.bat) is executed when certain conditions are met. It enumerates users, disables accounts via password changes, logs off active sessions, disables all network interfaces, and deactivates cached logins.
The malicious code then enumerates drives and runs *"diskpart clean all"*, which writes zeros to every sector of the selected disk. It also uses *"robocopy"* to overwrite directory contents, **Kaspersky** found.
In the next phase, it calculates the free space and uses *"fsutil"* to create a file that fills the disk, so that any data still present in unallocated sectors is overwritten and recovery becomes more difficult.
After preparing the environment for data destruction, the batch script decrypts and executes the **Lotus** wiper as the final payload.
### Lotus Wiper Deployment
The **Lotus** wiper operates at a lower level than the batch scripts, interacting with disks directly via IOCTL calls: it retrieves the disk geometry, clears USN journal entries, wipes restore points, and overwrites physical sectors rather than just logical volumes.
The malware performs the following actions:
* Enables every privilege present in its access token (privileges a process holds are disabled by default until explicitly enabled), giving it the rights needed for raw disk and restore-point operations.
* Deletes all Windows restore points using the Windows System Restore API.
* Wipes physical drives by retrieving disk geometry and overwriting all sectors with zeroes.
* Clears the USN journal to remove traces of file system activity.
* Deletes files by zeroing their contents, renaming them randomly, and removing them (or scheduling deletion on reboot if locked).
* Repeats cycles of drive wiping and restore point deletion multiple times.
* Updates disk properties using IOCTL_DISK_UPDATE_PROPERTIES after the final wipe.
**Kaspersky** recommends that system administrators monitor for NETLOGON share changes, UI0Detect manipulation, mass account changes, and disabling of network interfaces, as these are precursor activities.
They also advise that unexpected usage of *"diskpart," "robocopy,"* and *"fsutil"* is a red flag.
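The staging steps described under *Preliminary Activity* and the monitoring advice above can be combined into a simple correlation rule: a single host that shows several distinct precursor behaviours, or many account password changes, within a short window. The following Python is an added example written for this article; it is not Kaspersky's code, not tooling from the report, and not the attackers' scripts. The event format (a flattened process-creation record such as Sysmon Event ID 1 or Security event 4688 would yield), the exact command-line patterns, the thresholds, the assumption that cached logons are disabled via the CachedLogonsCount registry value, and all sample events are the editor's assumptions, constructed to show the logic rather than taken from the report.

```python
"""Correlate wiper-precursor commands per host (added example; assumptions are
marked). Input records are simplified process-creation events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules keyed on the commands the report lists. Patterns run over the
# lower-cased command line. 'user' and 'size' groups feed the thresholds.
RULES = [
    ("ui0detect_tamper",
     re.compile(r"\b(sc(\.exe)?\s+(config|stop|delete)|net(\.exe)?\s+stop)\s+.*ui0detect")),
    ("diskpart_scripted", re.compile(r"\bdiskpart(\.exe)?\b.*(/s\b|clean\s+all)")),
    ("fsutil_disk_fill",
     re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\s+\S+\s+(?P<size>\d+)")),
    ("usn_journal_delete", re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b")),
    ("robocopy_purge", re.compile(r"\brobocopy(\.exe)?\b.*(/mir|/purge)")),
    ("nic_disable",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*admin=disable|disable-netadapter")),
    ("cached_logon_disable", re.compile(r"\breg(\.exe)?\s+add\b.*cachedlogonscount")),  # assumption
    ("forced_logoff", re.compile(r"\blogoff(\.exe)?\s+\d+")),
    # 'net user <name> <password>' or 'net user <name> /active:no'; bare 'net user' (enumeration) is ignored
    ("account_password_change",
     re.compile(r"\bnet(\.exe)?\s+user\s+(?P<user>[^/\s]+)\s+(?:[^/\s]+|/active:no)")),
]

FILL_SIZE_MIN = 1 << 30            # bytes; smaller createnew files are routine (assumption)
WINDOW = timedelta(minutes=10)     # correlation window per host (assumption)
CHAIN_THRESHOLD = 3                # distinct precursor categories (assumption)
MASS_ACCOUNT_THRESHOLD = 3         # distinct accounts changed (assumption)


def match_event(event):
    """Return [(rule_name, user_or_None)] for one event."""
    cmd = event["command_line"].lower()
    hits = []
    for name, rx in RULES:
        m = rx.search(cmd)
        if not m:
            continue
        gd = m.groupdict()
        if name == "fsutil_disk_fill" and int(gd["size"]) < FILL_SIZE_MIN:
            continue
        hits.append((name, gd.get("user")))
    return hits


def analyze(events):
    """Map host -> {'precursor_chain': [rules], 'mass_account_change': [users]}.
    A host is reported only when a sliding WINDOW over its hits crosses a threshold."""
    per_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for rule, user in match_event(ev):
            per_host[ev["host"]].append((ts, rule, user))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        chain, accounts = set(), set()
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            rules = {h[1] for h in window}
            users = {h[2] for h in window if h[2]}
            if len(rules) >= CHAIN_THRESHOLD:
                chain |= rules
            if len(users) >= MASS_ACCOUNT_THRESHOLD:
                accounts |= users
        if chain or accounts:
            alerts[host] = {"precursor_chain": sorted(chain),
                            "mass_account_change": sorted(accounts)}
    return alerts


# Constructed sample events (not real telemetry): one host staged for wiping,
# one host doing routine administration.
SAMPLE_EVENTS = [
    {"ts": "2025-12-15T02:00:06", "host": "WS-ENG-07", "command_line": "sc config UI0Detect start= disabled"},
    {"ts": "2025-12-15T02:00:07", "host": "WS-ENG-07", "command_line": "net stop UI0Detect"},
    {"ts": "2025-12-15T02:01:10", "host": "WS-ENG-07", "command_line": "net user svc_backup Xk9!q2Lm"},
    {"ts": "2025-12-15T02:01:11", "host": "WS-ENG-07", "command_line": "net user j.perez Xk9!q2Lm"},
    {"ts": "2025-12-15T02:01:12", "host": "WS-ENG-07", "command_line": "net user m.rojas Xk9!q2Lm"},
    {"ts": "2025-12-15T02:01:13", "host": "WS-ENG-07", "command_line": "net user operator1 /active:no"},
    {"ts": "2025-12-15T02:01:30", "host": "WS-ENG-07", "command_line": "logoff 2"},
    {"ts": "2025-12-15T02:02:00", "host": "WS-ENG-07", "command_line": 'netsh interface set interface "Ethernet0" admin=disable'},
    {"ts": "2025-12-15T02:02:05", "host": "WS-ENG-07", "command_line": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f'},
    {"ts": "2025-12-15T02:03:00", "host": "WS-ENG-07", "command_line": r"diskpart /s C:\Windows\Temp\dp.txt"},
    {"ts": "2025-12-15T02:04:00", "host": "WS-ENG-07", "command_line": r"robocopy C:\Windows\Temp\empty D:\Data /MIR /R:0 /W:0"},
    {"ts": "2025-12-15T02:05:00", "host": "WS-ENG-07", "command_line": r"fsutil file createnew C:\fill.bin 498216206336"},
    {"ts": "2025-12-15T02:05:30", "host": "WS-ENG-07", "command_line": "fsutil usn deletejournal /D C:"},
    {"ts": "2025-12-15T09:12:00", "host": "WS-ADMIN-02", "command_line": "sc query UI0Detect"},
    {"ts": "2025-12-15T09:13:00", "host": "WS-ADMIN-02", "command_line": "net user"},
    {"ts": "2025-12-15T09:14:00", "host": "WS-ADMIN-02", "command_line": r"fsutil file createnew C:\temp\test.bin 1048576"},
    {"ts": "2025-12-15T09:15:00", "host": "WS-ADMIN-02", "command_line": r"robocopy \\fileserver\share C:\Backup /E"},
]

if __name__ == "__main__":
    for host, a in analyze(SAMPLE_EVENTS).items():
        print(host, a)
```

Running it reports only WS-ENG-07, with all nine precursor categories and four changed accounts, while the administrative host produces no alert because its commands are either queries or stay below the size and count thresholds. In a real deployment the same rules would be fed from Sysmon or 4688 telemetry, and the `diskpart /s` pattern deserves follow-up by retrieving the script file, since the destructive `clean all` is inside the script rather than on the command line.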
A general recommendation against wipers and ransomware is to maintain regular offline backups and frequently validate their restorability.