New Lotus Data Wiper Used Against Venezuelan Energy and Utility Firms

What happened

Kaspersky researchers have analyzed a previously undocumented data-wiping malware called Lotus that was deployed in targeted attacks against energy and utilities organizations in Venezuela in late 2025. The malware was uploaded to a public analysis platform in mid-December from a machine in Venezuela, and Kaspersky published its findings on April 21, 2026.

The attack chain begins with two batch scripts that prepare the target environment before the wiper executes. The first script disables the Windows UI0Detect service and performs XML file checks to coordinate execution across domain-joined systems. The second enumerates users, disables accounts via password changes, logs off active sessions, disables all network interfaces, and deactivates cached logins. It then runs diskpart clean all to overwrite drives with zeros, uses robocopy to overwrite directory contents, and fills remaining disk space using fsutil to complicate data restoration.

The Lotus wiper itself operates at a lower level, interacting directly with physical disks via IOCTL calls. It deletes all Windows restore points, wipes physical drive sectors by overwriting them with zeros, clears the USN journal to remove file system activity traces, and deletes files by zeroing their contents before renaming and removing them. The cycle of drive wiping and restore point deletion is repeated multiple times, leaving affected systems in an unrecoverable state.

The timing aligns with broader geopolitical tensions in Venezuela. Around mid-December 2025, state-owned oil company PDVSA suffered a cyberattack that disabled its delivery systems. There is no public evidence confirming that PDVSA’s systems were wiped in that incident or that Lotus was directly involved.

Who is affected

Energy and utilities organizations in Venezuela are the confirmed targets based on the observed campaign. Given the malware’s design to destroy systems entirely and its deployment across domain-joined environments, any organization in the sector with similar infrastructure configurations faces comparable exposure if the tooling is adopted more broadly.

Why CISOs should care

Lotus is not ransomware. There is no ransom demand, no negotiation, no recovery path. The explicit objective is permanent destruction, and the attack chain is methodical: weaken defenses, isolate the system, then wipe everything including restore points, physical sectors, and the journal records that forensic recovery depends on. For security leaders in energy, utilities, and critical infrastructure, this is a reminder that not every attacker wants money. Some want the lights off and the data gone.

The geopolitical context here is also worth noting. Wiper deployments targeting national energy infrastructure have historically preceded or accompanied broader state-level conflicts, and this campaign fits that pattern.

3 practical actions

  1. Monitor for Lotus precursor activity in your environment: Kaspersky specifically flags NETLOGON share changes, UI0Detect service manipulation, mass account modifications, network interface disabling, and unexpected use of diskpart, robocopy, and fsutil as early warning indicators of this attack chain.
  2. Validate offline backup restorability now, not during an incident: Lotus is designed to eliminate every recovery mechanism available to the victim. Backups that are not air-gapped, tested, and regularly validated against actual restoration procedures offer no meaningful protection against a wiper of this design.
  3. Review domain-joined system isolation capabilities: The malware’s batch scripts are designed to coordinate execution across domain-joined environments. Assess whether your network segmentation and endpoint controls can isolate compromised systems fast enough to prevent lateral spread before the wiper payload executes.
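The precursor indicators in action 1 are all command-line observable, so a practitioner's first question is how to turn that list into a correlation rule rather than five noisy single-event alerts. The following added example (not code from Kaspersky or from this brief) runs a small rule set over constructed process-creation events of the kind Sysmon Event ID 1 or Windows Security 4688 produce, and raises one alert per host only when several distinct precursor categories land inside a short window. The exact fsutil subcommands (file createnew for disk filling, usn deletejournal for journal clearing) are assumptions: the report names the tools, not their arguments. Note that diskpart's "clean all" lives inside a script file, so the command line only shows diskpart running; the script path is what an analyst should retrieve.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror what Sysmon
# Event ID 1 or Windows Security 4688 provide: time, host, user, command line.
SAMPLE_EVENTS = [
    {"ts": "2026-01-05T02:10:01", "host": "WS-OPS-07", "user": "CORP\\svc_deploy",
     "cmd": "sc.exe config UI0Detect start= disabled"},
    {"ts": "2026-01-05T02:10:40", "host": "WS-OPS-07", "user": "CORP\\svc_deploy",
     "cmd": "net.exe user operator1 Xk9!placeholder"},
    {"ts": "2026-01-05T02:11:05", "host": "WS-OPS-07", "user": "CORP\\svc_deploy",
     "cmd": "netsh.exe interface set interface \"Ethernet0\" admin=disable"},
    {"ts": "2026-01-05T02:12:30", "host": "WS-OPS-07", "user": "CORP\\svc_deploy",
     "cmd": "diskpart.exe /s C:\\Windows\\Temp\\dp.txt"},
    {"ts": "2026-01-05T02:13:10", "host": "WS-OPS-07", "user": "CORP\\svc_deploy",
     "cmd": "fsutil.exe usn deletejournal /D C:"},
    # Benign-looking activity elsewhere: a nightly robocopy backup job and an
    # admin querying a domain account. Neither should raise an alert on its own.
    {"ts": "2026-01-05T02:00:00", "host": "WS-HR-02", "user": "CORP\\backup",
     "cmd": "robocopy.exe D:\\share \\\\nas\\backup /MIR /R:1"},
    {"ts": "2026-01-05T02:15:00", "host": "DC-01", "user": "CORP\\admin",
     "cmd": "net.exe user operator1 /domain"},
]

# Indicator categories drawn from the precursor list in the brief. The fsutil
# subcommands are assumptions; the report names the tool, not its arguments.
PRECURSOR_RULES = [
    ("ui0detect_service_change",
     re.compile(r"\b(sc(\.exe)?\s+(config|stop|delete)|net(\.exe)?\s+stop)\b.*\bui0detect\b", re.I)),
    # 'net user NAME VALUE' sets a password or flag; 'net user NAME /domain' only queries.
    ("account_modification",
     re.compile(r"\bnet(1|\.exe)?\s+user\s+\S+\s+(?!/domain\b)\S", re.I)),
    ("network_interface_disable",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\bdisable", re.I)),
    # 'clean all' is inside the diskpart script; the command line only shows diskpart itself.
    ("diskpart_execution", re.compile(r"\bdiskpart(\.exe)?\b", re.I)),
    ("robocopy_overwrite", re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b", re.I)),
    ("fsutil_fill_or_usn_clear",
     re.compile(r"\bfsutil(\.exe)?\s+(file\s+createnew|usn\s+deletejournal)\b", re.I)),
]


def match_rules(cmd):
    """Return the precursor categories a single command line matches."""
    return [name for name, rx in PRECURSOR_RULES if rx.search(cmd)]


def detect_precursor_chain(events, window_minutes=15, min_categories=3):
    """Alert per host when at least min_categories distinct precursor
    categories occur inside one sliding window. Isolated hits (a backup job,
    an admin query) are not alerted on, which keeps the rule quiet on
    ordinary administration."""
    hits = defaultdict(list)
    for ev in events:
        for cat in match_rules(ev["cmd"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat, ev["cmd"]))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for host, rows in hits.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            cats = sorted({r[1] for r in in_window})
            if len(cats) >= min_categories:
                alerts.append({"host": host,
                               "first_seen": in_window[0][0].isoformat(),
                               "last_seen": in_window[-1][0].isoformat(),
                               "categories": cats,
                               "commands": [r[2] for r in in_window]})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_precursor_chain(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], "->", alert["last_seen"])
        for c in alert["categories"]:
            print("  ", c)
```

The window and threshold are tunable: in a domain where the batch scripts are coordinated across many hosts, the same logic applied per domain rather than per host (group on a domain field instead of "host") will surface the staging phase earlier, at the cost of more false positives from legitimate bulk administration.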