Lotus Wiper: The destructive malware that aims to leave the critical systems of the Venezuelan energy sector inoperative

4 min read

In late 2025 and early 2025, cybersecurity researchers identified a previously undocumented destructive malware used in a series of attacks against the energy and public utilities sector in Venezuela. The artifact, which the analysts named Lotus Wiper, does not seek extortion: it is designed to render systems unusable by removing recovery mechanisms and overwriting both files and physical disk sectors.

According to the research published by the company that tracked it, the campaign combines batch scripts with a final executable that acts as a mass data wiper. The initial scripts coordinate the start of the operation across the network, degrade local defenses and prepare the ground for the execution of the wiper. These preparatory operations include stopping specific system services, checking for and retrieving files from domain shared resources, and running native Windows commands both to wipe volumes and to fill storage so that any recovery is difficult.

Image generated with AI: Lotus Wiper, the destructive malware that aims to leave the critical systems of the Venezuelan energy sector inoperative.

A relevant technical detail is that the code tries to interact with the Windows Interactive Services Detection service (known as UI0Detect). This functionality was removed in modern versions of the operating system, which suggests that the script was designed for machines running versions prior to Windows 10 version 1803. This clue, together with the checks against the NETLOGON share typical of Active Directory domains, indicates that the attackers knew the topology and age of the target environment and had most likely established persistence in the domain well in advance.

The attack chain uses legitimate utilities of the system itself to achieve destruction. Tools such as DISKPART (with the "clean all" operation), ROBOCOPY and FSUTIL are used to wipe disks, overwrite files and consume free space until the volume can no longer operate properly. The final wiper completes the job by deleting restore points, writing zeros to physical sectors and resetting records such as the volume USN journal, leaving the system in a state from which data is very hard to recover without a clean backup.

The sample was compiled in September 2025 and, according to public records, was uploaded to a platform accessible from a machine in Venezuela in December 2025, weeks before a US military action was recorded in the country in early January 2025. The researchers note the temporal coincidence but avoid establishing a direct relationship without further evidence, although they point out that the activity occurred in a period with an increase in public reports of malicious activity against the same sector and region.

For security officers and administrators, this raises a number of practical points of attention. First, changes to NETLOGON shares, abnormal access to domain controllers or signs of privilege escalation should be treated with the highest priority. Likewise, unusual use of native utilities such as diskpart, robocopy or fsutil on sensitive servers and workstations is an indicator of compromise that warrants immediate investigation.


Beyond detection, mitigation requires classic but effective preventive measures: network segmentation to limit the scope of a compromised domain, least-privilege principles, hardening of domain controllers and access policies for critical resources. Isolated, verified backups and regular restoration tests can make the difference against a wiper that erases both local data and recovery points. Public guidelines and tools for responding to destructive attacks and ransomware provide good frameworks for action; for example, the authorities' recommendations for protecting against ransomware and similar attacks contain measures applicable in these cases: CISA - StopRansomware.

For researchers and detection teams, preserving evidence and logs before cleaning systems is essential to understanding vectors and reach. Recording and correlating activity on domain controllers, PowerShell events, calls to critical APIs and system commands helps reconstruct the intrusion. Security vendors often publish indicators and tactics, techniques and procedures (TTPs) after investigating such incidents; in this case, the report that identified the wiper comes from a recognized security company that analyzes active threats globally: Kaspersky.
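The two preceding points, flagging unusual use of diskpart, robocopy and fsutil together with NETLOGON share access, and correlating those system commands per host, can be turned into a small triage script. The following is an added example written for this article, not Kaspersky's detection logic or any tooling from the report; the pipe-separated process-creation log format, the host names, users and command lines are all constructed, and the rule names are my own. It flags each suspicious event on its own and then reports hosts on which several distinct rules fired, since the sequence of staging steps is a stronger signal than any single utility.

```python
"""Triage sketch for the staging pattern described above: native Windows
utilities (DISKPART, ROBOCOPY, FSUTIL), NETLOGON share access and UI0Detect
probing seen in process-creation telemetry. Example code for this page, not
the vendor's detection logic; log format and all sample values are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str    # parent process image
    image: str     # full path of the created process
    cmdline: str


@dataclass
class Alert:
    event: Event
    rules: list = field(default_factory=list)   # list of (rule name, severity)


# (name, severity, regex on image path, regex on command line); matched case-insensitively
RULES = [
    ("diskpart_clean_or_script", "critical", r"diskpart\.exe$", r"\bclean\b|/s\s+\S+"),
    ("fsutil_space_fill", "high", r"fsutil\.exe$", r"\bfile\s+(createnew|setzerodata)\b"),
    ("robocopy_from_netlogon", "high", r"robocopy\.exe$", r"\\\\\S+\\netlogon\b"),
    ("script_run_from_netlogon", "medium", r"(cmd|powershell)\.exe$",
     r"\\\\\S+\\netlogon\\\S+\.(bat|cmd|ps1)\b"),
    ("ui0detect_probe", "low", r"(sc|net)\.exe$", r"\bui0detect\b"),
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample telemetry: 'ts|host|user|parent|image|cmdline'.
# WS-OPS-07 shows the staging sequence; the other hosts show benign look-alikes.
SAMPLE_LOG = r"""
2025-12-01T02:09:50|WS-OPS-07|CORP\svc_backup|services.exe|C:\Windows\System32\cmd.exe|cmd /c \\DC01\NETLOGON\tools\stage.bat
2025-12-01T02:10:03|WS-OPS-07|CORP\svc_backup|cmd.exe|C:\Windows\System32\robocopy.exe|robocopy \\DC01\NETLOGON\tools C:\ProgramData\upd *.bat /R:0
2025-12-01T02:10:09|WS-OPS-07|CORP\svc_backup|cmd.exe|C:\Windows\System32\sc.exe|sc query UI0Detect
2025-12-01T02:11:40|WS-OPS-07|CORP\svc_backup|cmd.exe|C:\Windows\System32\fsutil.exe|fsutil file createnew C:\ProgramData\upd\fill.bin 10737418240
2025-12-01T02:12:55|WS-OPS-07|CORP\svc_backup|cmd.exe|C:\Windows\System32\diskpart.exe|diskpart /s C:\ProgramData\upd\d.txt
2025-12-01T08:30:00|WS-HR-02|CORP\alice|explorer.exe|C:\Windows\System32\robocopy.exe|robocopy D:\reports \\FS01\share\reports /E
2025-12-01T09:00:00|WS-HR-02|CORP\alice|cmd.exe|C:\Windows\System32\fsutil.exe|fsutil fsinfo drives
2025-12-01T09:15:00|DC01|CORP\admin|explorer.exe|C:\Windows\System32\cmd.exe|cmd /c dir \\DC01\NETLOGON
"""


def parse_line(line: str) -> Event:
    """Parse one pipe-separated record; the command line may itself contain '|'."""
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    return Event(*parts)


def match_rules(ev: Event) -> list:
    """Return every (rule, severity) whose image and command-line patterns both match."""
    return [(name, sev) for name, sev, image_re, cmd_re in RULES
            if re.search(image_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I)]


def scan(lines) -> list:
    """Turn raw log lines into alerts; lines that hit no rule produce nothing."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = match_rules(ev)
        if hits:
            alerts.append(Alert(ev, hits))
    return alerts


def max_severity(alerts) -> str:
    """Highest severity across all fired rules, or 'none' when nothing fired."""
    sevs = [sev for a in alerts for _, sev in a.rules]
    return max(sevs, key=SEVERITY_RANK.__getitem__) if sevs else "none"


def correlate(alerts) -> dict:
    """Hosts on which two or more distinct rules fired, mapped to the sorted rule names.
    A lone robocopy or fsutil is often legitimate; several staging steps on one host are not."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a.event.host].update(name for name, _ in a.rules)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= 2}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.strip().splitlines())
    for a in found:
        print(f"{a.event.ts} {a.event.host} {a.event.user}: {[n for n, _ in a.rules]}")
    print("max severity:", max_severity(found))
    print("hosts with staging sequence:", correlate(found))
```

Feeding real telemetry means replacing `parse_line` with a reader for your own process-creation source (Sysmon event 1 or Security event 4688 with command-line auditing enabled); the rules and the per-host correlation stay the same. Note that the `dir \\DC01\NETLOGON` line on the domain controller is deliberately left unflagged: listing the share is routine, whereas copying or executing scripts from it is what the article describes.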

Finally, it should be remembered that the attackers behind these campaigns do not always have economic motivations: the absence of ransom demands and the thoroughness of the erasure point to sabotage or coercion objectives. In critical environments such as energy, where availability is key, the combination of intelligence, preventive protection and recovery preparedness is the best defense against tools as aggressive as Lotus Wiper.
