Lotus Wiper Malware Targets Venezuelan Power Systems in Destructive Attack

Cybersecurity researchers have discovered a previously undocumented data wiper that was used in attacks against Venezuela at the end of last year and in early 2026.
Dubbed Lotus Wiper, the novel file wiper has been used in a malicious campaign targeting the energy and utilities sector in Venezuela, Kaspersky has discovered.
“The two cluster documents are responsible for launching the destructive phase of the attack and preparing the environment to release the final payload,” said the Russian cybersecurity vendor. “These scripts connect the start of work across the network, weaken the system’s defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown eraser.”
Once deployed, the wiper removes restore points, overwrites the contents of physical drives, and systematically deletes files from all affected volumes, effectively rendering the system inoperable.
The artifact contains no extortion or payment instructions, indicating that the destructive activity is not financially motivated. Notably, the wiper was publicly uploaded in mid-December 2025 from a machine in Venezuela, weeks before the US military action in the country in early January 2026. The sample was collected in late September 2025.
It is not yet known whether the two events are related, but Kaspersky noted that the sample was uploaded “at a time of increased public reports of malware targeting the same sector and region,” suggesting that the wiper attacks are targeted in nature.
The attack chain starts with a batch script that initiates a multi-stage sequence responsible for dropping the wiper payload. Specifically, it attempts to stop the Windows Interactive Services Detection (UI0Detect) service, which alerts users when a background service running in Session 0 tries to display an interactive user interface or dialog.
UI0Detect has been removed from modern versions of Windows. Its presence in the script indicates that the batch file is designed for machines running versions before Windows 10 version 1803, which removed the feature.
The script then checks the NETLOGON share and accesses a remote XML file, after which it checks for a file of the same name in a predefined local directory (“C:\lotus” or “%SystemDrive%\lotus”). Regardless of whether the local file exists, it proceeds to run the second batch script.
“The domain check is probably trying to determine if the machine is part of an Active Directory domain,” Kaspersky said. “If the remote file cannot be found, the script exits. In cases where the NETLOGON share is initially unreachable, the script introduces a random delay of up to 20 minutes before retrying the remote check.”
The second batch script, if not already running, enumerates local user accounts, disables cache access, closes active sessions, enables networking, and runs the “diskpart clean all” command to wipe every logical drive identified on the system.
It also repeatedly scans folders to overwrite or delete their contents using the robocopy command-line utility, and calculates the available free space and uses fsutil to create a file that fills the entire drive, exhausting remaining storage and hampering recovery.
Once the environment has been prepared, Lotus Wiper is launched to remove restore points, overwrite physical sectors with zeros, delete the Update Sequence Number (USN) journal of each volume, and delete the files on every mounted volume.
Organizations and government agencies are advised to monitor for changes to the NETLOGON share, for signs of credential dumping or privilege escalation, and for abuse of native Windows utilities such as fsutil, robocopy, and diskpart to perform destructive actions.
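As an added illustration of that monitoring advice (this is not code from Kaspersky's report or the article), the following Python sketch scores constructed process-creation records for the native-tool abuses described above; the host names, command lines and file paths are invented samples.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (host, parent, command line).
# These are illustrative samples, not telemetry from the reported incident.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "parent": "cmd.exe", "cmd": "sc stop UI0Detect"},
    {"host": "hmi-01", "parent": "cmd.exe", "cmd": r"fsutil file createnew C:\fill.bin 53687091200"},
    {"host": "hmi-01", "parent": "cmd.exe", "cmd": r"diskpart /s C:\lotus\clean.txt"},
    {"host": "fs-02", "parent": "svchost.exe", "cmd": r"robocopy D:\data \\nas\backup /MIR /R:1"},
    {"host": "ws-03", "parent": "explorer.exe", "cmd": r"notepad.exe C:\notes.txt"},
]

# Each indicator corresponds to one native-tool step described in the report.
# Patterns match the tool name at the start of the command line or after a path separator.
INDICATORS = {
    "ui0detect_stop": re.compile(r"(?:^|\\)(?:sc|net)(?:\.exe)?\s+stop\s+ui0detect\b", re.I),
    "diskpart_exec": re.compile(r"(?:^|\\)diskpart(?:\.exe)?\b", re.I),
    "fsutil_fill": re.compile(r"(?:^|\\)fsutil(?:\.exe)?\s+file\s+createnew\b", re.I),
    "robocopy_purge": re.compile(r"(?:^|\\)robocopy(?:\.exe)?\b.*\s/(?:mir|purge)\b", re.I),
}


def match_indicators(cmdline):
    """Return the names of every indicator whose pattern matches the command line."""
    return [name for name, pat in INDICATORS.items() if pat.search(cmdline)]


def score_hosts(events):
    """Group hits per host. Two or more distinct indicators on one host is rated high;
    a single hit is low, because robocopy /MIR and diskpart both have benign admin uses."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_indicators(ev["cmd"]):
            hits[ev["host"]].add(name)
    result = {}
    for host, names in hits.items():
        severity = "high" if len(names) >= 2 else "low"
        result[host] = {"indicators": sorted(names), "severity": severity}
    return result


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_EVENTS).items():
        print(host, info["severity"], ", ".join(info["indicators"]))
```

In production the same scoring would run over real Sysmon Event ID 1 or Security 4688 command lines, with the per-host window bounded in time.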
“Since the files include some functionality that targets older versions of the Windows operating system, the attackers may have been aware of the environment and compromised the site long before the attack took place,” Kaspersky said.