# Lotus Wiper Targets Venezuelan Energy Sector in Destructive Cyber Campaign

A new data wiper, dubbed **Lotus Wiper**, has been discovered targeting the energy and utilities sector in Venezuela. Cybersecurity firm **Kaspersky** reports that the wiper was used in a destructive campaign, exhibiting no signs of financial motivation.

Cybersecurity researchers have uncovered a previously undocumented data wiper, **Lotus Wiper**, which was deployed in attacks targeting Venezuela in late 2025 and early 2026.
## Destructive Campaign Details
According to findings from **Kaspersky**, the novel file wiper has been used in a destructive campaign aimed at the energy and utilities sector in Venezuela. The attacks do not seem to be financially motivated.
"Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload," the Russian cybersecurity vendor said. "These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper."
Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, rendering the system inoperable.
## Timing and Potential Geopolitical Context
Notably, the wiper was uploaded to a public platform in mid-December 2025 from a machine in Venezuela, weeks before the U.S. military action in the country in early January 2026. The sample was compiled in late September 2025. While a direct link remains unconfirmed, **Kaspersky** highlights that the upload occurred "during a period of increased public reports of malware activity targeting the same sector and region," suggesting a highly targeted attack.
## Attack Chain Analysis
The attack begins with a batch script that triggers a multi-stage sequence to deploy the wiper payload. The script attempts to stop the **Windows** Interactive Services Detection (UI0Detect) service, which is designed to alert users when a background service attempts to display a graphical interface. Because the script looks for UI0Detect, it appears to target systems running versions prior to **Windows** 10 version 1803.
The script checks for a NETLOGON share and accesses a remote XML file. It then executes a second batch script after checking for a corresponding local file.
"The local check most likely tries to determine whether the machine is part of an **Active Directory** domain," **Kaspersky** explained. "If the remote file is not found, the script exits. In cases where the NETLOGON share is initially unreachable, the script introduces a randomized delay of up to 20 minutes before retrying the remote check."
## Wiper Functionality
The second batch script enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and executes the `diskpart clean all` command to wipe all identified logical drives. It also uses `robocopy` to recursively mirror or delete folders, calculates available free space, and utilizes `fsutil` to create a file that fills the entire drive.
After preparing the environment, **Lotus Wiper** deletes restore points, overwrites physical sectors with zeroes, clears the update sequence numbers (USN) of the volumes' journals, and erases all the system's files for each mounted volume.
## Mitigation Strategies
Organizations are advised to monitor for NETLOGON share changes, credential dumping or privilege escalation activity, and the use of native **Windows** utilities like `fsutil`, `robocopy`, and `diskpart` for destructive actions.
**Kaspersky** suggests that the attackers possessed prior knowledge of the environment and compromised the domain long before the attack, given the wiper's targeting of older **Windows** versions.
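The monitoring advice above can be turned into a simple correlation over process-creation logs. The sketch below is an added example, not Kaspersky's detection logic: the regex switches, host names, and log records are constructed assumptions, and it alerts only when several of the named utilities appear on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the behaviours named in the article. The exact switches are
# assumptions: the article names the tools, not their full command lines.
RULES = {
    "stop_ui0detect": re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+ui0detect\b", re.I),
    "robocopy_mirror": re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b", re.I),
    "fsutil_createnew": re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\b", re.I),
    "diskpart_scripted": re.compile(r"\bdiskpart(\.exe)?\b.*\s/s\s", re.I),
}

# Constructed process-creation records: (timestamp, host, command line).
SAMPLE_EVENTS = [
    ("2026-01-01T02:00:05", "WS-01", "sc stop UI0Detect"),
    ("2026-01-01T02:03:10", "WS-01", r"robocopy C:\src D:\dst /MIR"),
    ("2026-01-01T02:04:00", "WS-01", r"fsutil file createnew D:\fill.bin 1073741824"),
    ("2026-01-01T02:04:30", "WS-01", r"diskpart /s C:\Temp\script.txt"),
    ("2026-01-01T09:00:00", "BKP-01", r"robocopy D:\data \\nas\backup /MIR"),
    ("2026-01-01T09:15:00", "ADM-02", "fsutil fsinfo drives"),
]

def correlate(events, window_minutes=30, threshold=2):
    """Return {host: sorted rule names} for hosts where at least `threshold`
    distinct rules fire within `window_minutes` of each other."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        # Slide a window forward from each hit and count distinct rules in it.
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

A lone `robocopy /MIR` on a backup host is routine administration, which is why the example requires more than one distinct rule per host before alerting.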