Lotus Wiper: Destructive Cyberattacks Hit Venezuela’s Energy and Utilities Sector

CyberSecureFox

A wave of destructive cyberattacks against Venezuela’s energy and utilities sector in late 2025 and early 2026 has been linked to a previously unknown data-wiping tool dubbed Lotus Wiper. According to research by Kaspersky, this malware does not encrypt data or demand ransom. Instead, it is engineered to permanently destroy systems, pointing to a non-financial, likely sabotage-driven motivation.

Targeted data‑wiping attacks against critical infrastructure

Kaspersky’s investigation shows that Lotus Wiper was deployed in highly targeted operations against organizations in the energy and utilities segment. For such entities, disruption of IT infrastructure can directly impact access to electricity, water, and other critical public services, amplifying the operational and societal risk.

The Lotus Wiper sample analyzed by researchers was compiled in late September 2025 and uploaded to a public online platform in mid-December from a system located in Venezuela. This timing coincides with a period of heightened malicious activity in the region reported by both local and international observers.

Notably, the artifact contains no ransom note, cryptocurrency wallet addresses, or extortion mechanisms. The absence of any monetization logic reinforces the assessment that the operators’ primary objective is system destruction and destabilization, not financial gain.

This campaign fits a broader global trend in which data wiper malware is used to disrupt and destabilize infrastructure. Previous incidents involving destructive wipers such as Shamoon and NotPetya have led to multi‑billion‑dollar losses and prolonged outages across industrial and governmental networks, underscoring the strategic value of such tools in geopolitical and hybrid-conflict contexts.

Attack chain: batch scripts, Active Directory and the NETLOGON share

Initial stage: environment preparation and coordinated execution

The Lotus Wiper attack is initiated via a Windows batch script that orchestrates a multi-stage procedure to deploy and execute the main wiper component. In its first step, the script attempts to stop the legacy Windows service Interactive Services Detection (UI0Detect), historically used to notify users about service interfaces running in session zero.

Since UI0Detect was removed from modern Windows versions starting with Windows 10 1803, this behavior indicates that the attackers had prior knowledge of the victim environment and were tailoring their tooling to outdated, unpatched systems. Such environments are common in industrial and governmental networks where operating system upgrades are often delayed due to compatibility and operational constraints.

The script next checks for the presence of the NETLOGON network share, a standard component of Active Directory (AD) domains used to distribute logon scripts and policies. It attempts to retrieve a remote XML configuration file and, in parallel, verifies whether a file with the same name exists locally in C:\lotus or %SystemDrive%\lotus. Regardless of the check’s outcome, a second batch script is launched.

According to Kaspersky, this behavior likely serves to detect whether the machine is joined to an AD domain and whether a centralized attack configuration is available. If the remote file on NETLOGON is not found, the script terminates. To handle temporary share unavailability, it includes a random delay of up to 20 minutes before rechecking, complicating behavioral detection and helping synchronize execution across multiple hosts.

Destruction phase: disabling access and erasing systems

The second batch script, executed only once per system, moves the attack into its destructive phase. Its main functions include:

1. Account and session control. The script enumerates local user accounts, disables cached logons, and forcefully terminates active user sessions. This reduces the likelihood that administrators can intervene in real time.

2. Network isolation. By disabling network interfaces, the script effectively cuts the infected host off from the network, hindering remote incident response, forensic acquisition, and centralized management.

3. Disk-level destruction. The diskpart utility's clean all command is executed to wipe the partition structure of every detected logical disk. diskpart is one of the most destructive native Windows utilities, and this step severely damages data integrity at the storage level.

4. Massive file overwrite and space exhaustion. Leveraging robocopy, the script recursively mirrors directories, overwriting and removing existing content. It then uses fsutil to calculate available free space and creates a “filler” file that consumes the remaining capacity. This combination is designed to complicate data recovery and undermine backup and restoration processes.

Lotus Wiper capabilities and impact on recovery

After the environment is prepared, the core Lotus Wiper executable is launched. It performs several critical actions that make system recovery extremely difficult:

• Removal of restore points. All Windows restore points are deleted, eliminating standard rollback options for system recovery.

• Overwriting physical disk sectors. The wiper writes zeros to physical sectors on all attached drives, drastically reducing the chances of successful recovery even with advanced forensic tools.

• Clearing NTFS USN journals. By wiping the Update Sequence Number (USN) journal on NTFS volumes, Lotus Wiper complicates incident reconstruction and hampers attempts to trace file system changes.

• Deletion of system files. System files on each mounted volume are systematically removed, rendering the operating system completely unbootable and forcing a full reinstallation.

Taken together, these actions make offline, isolated backups and robust disaster recovery plans the only viable path to restoration. In many cases, organizations are left facing hardware reimaging and physical on-site intervention across affected systems.

Defensive measures for energy, government and enterprise networks

To reduce exposure to Lotus Wiper–style attacks, organizations in the energy, utilities, governmental and large enterprise sectors should consider the following measures:

1. Monitor critical domain and share activity. Implement continuous monitoring of NETLOGON access patterns, AD domain policy changes, and indicators of credential dumping and privilege escalation. Anomalous modifications in these areas often precede large-scale destructive activity.

2. Control built‑in Windows utilities. Configure SIEM and EDR solutions to detect suspicious use of fsutil, robocopy, diskpart, and batch scripts, especially when they perform mass disk operations or large-scale file manipulation that does not match normal administrative behavior.

3. Modernize and segment legacy systems. The reliance on outdated Windows components in this campaign highlights the risk of unsupported and unpatched systems. Organizations should phase out legacy operating systems, apply security hardening, and strengthen network segmentation, particularly within industrial control system (ICS) and operational technology (OT) environments.

4. Harden backup and recovery processes. Maintain regularly tested, offline or immutable backups of critical systems and data. Conduct realistic recovery exercises simulating total data destruction to validate response plans, staffing, and tooling.
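As an added illustration of measures 1 and 2 (example code, not from the Kaspersky report or from CyberSecureFox), the following Python correlates process-creation telemetry for the deployment pattern described above: a legacy-service stop, a NETLOGON XML lookup and a C:\lotus path, followed by diskpart, robocopy mirroring and fsutil free-space/filler activity on the same host within a short window. The sample events, host names, share path and file names are constructed; the specific fsutil subcommands and the (host, timestamp, command line) record shape are assumptions, not details taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line indicators for the behaviour described in the report. The
# fsutil subcommands are an assumption about how the free-space query and
# filler-file step would surface in telemetry; the report does not quote them.
INDICATORS = {
    "stop_ui0detect": re.compile(r"\bnet(?:\.exe)?\s+stop\s+ui0detect\b", re.I),
    "netlogon_xml": re.compile(r"\\\\[^\\\s]+\\netlogon\\[^\s]+\.xml", re.I),
    "lotus_dir": re.compile(r"(?:[a-z]:|%systemdrive%)\\lotus\\", re.I),
    "diskpart": re.compile(r"\bdiskpart(?:\.exe)?\b", re.I),
    "robocopy_mirror": re.compile(r"\brobocopy(?:\.exe)?\b.*\s/(?:mir|purge)\b", re.I),
    "fsutil_space": re.compile(r"\bfsutil(?:\.exe)?\s+(?:volume\s+diskfree|file\s+createnew)\b", re.I),
}

# Constructed sample telemetry as (host, ISO timestamp, command line). Host
# names, the share path and "config.xml" are placeholders, not report values.
SAMPLE_EVENTS = [
    ("SRV-SCADA-02", "2025-12-15T02:10:05", r"net stop UI0Detect"),
    ("SRV-SCADA-02", "2025-12-15T02:10:09", r"cmd.exe /c dir \\DC01\NETLOGON\config.xml C:\lotus\config.xml"),
    ("SRV-SCADA-02", "2025-12-15T02:24:41", r"diskpart.exe /s C:\lotus\dp.txt"),
    ("SRV-SCADA-02", "2025-12-15T02:25:03", r"robocopy.exe C:\lotus\stage D:\data /MIR /R:0"),
    ("SRV-SCADA-02", "2025-12-15T02:25:30", r"fsutil volume diskfree C:"),
    ("SRV-SCADA-02", "2025-12-15T02:25:31", r"fsutil file createnew C:\lotus\fill.bin 412316860416"),
    # A routine backup job on another host: a lone indicator must not alert.
    ("WS-ADMIN-07", "2025-12-15T09:02:11", r"robocopy.exe D:\share \\NAS\backup /MIR /Z"),
]

def classify(cmdline):
    """Return the set of indicator names that match one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}

def correlate(events, window_minutes=30, min_categories=3):
    """Flag hosts where >= min_categories distinct indicators fire within
    window_minutes of each other. Returns {host: sorted indicator names}."""
    hits = defaultdict(list)
    for host, ts, cmd in events:
        if labels := classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), labels))
    window, alerts = timedelta(minutes=window_minutes), {}
    for host, items in hits.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(items):
            # Union of every indicator set that fired inside the window starting here.
            seen = set().union(*(labels for t, labels in items[i:] if t - start <= window))
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Tuning the window and the category threshold against a baseline of legitimate administrative robocopy and fsutil use is what keeps this from alerting on routine maintenance.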

As destructive malware like Lotus Wiper increasingly targets critical infrastructure, proactive detection, disciplined asset management, and resilient backup strategies become essential. Organizations that invest now in visibility across domain controllers, network shares, and administrative activity will be better positioned to contain such attacks, minimize downtime, and safeguard the continuity of vital public and industrial services.
