Cyber operations and attempted sabotage targeting national power grids amid Venezuela and Poland crises
Reporting described multiple state-linked cyber activities tied to geopolitical events, including a phishing campaign attributed with moderate confidence to the China-nexus espionage group Mustang Panda (aka UNC6384, Twill Typhoon) that used the capture of Venezuelan President Nicolás Maduro as a lure to target US government agencies and policy organizations. Acronis researchers identified a ZIP lure (“US now deciding what’s next for Venezuela”) containing a legitimate executable that side-loads a hidden DLL backdoor dubbed Lotuslite, though it remains unclear whether any targets were successfully compromised.
Separately, unnamed US officials cited by The New York Times claimed a “precise” US cyber operation—reportedly involving US Cyber Command—briefly disrupted electricity in Caracas and interfered with Venezuelan military radar to support the helicopter mission that captured Maduro, but no public technical details of the methods used were provided. In Europe, Poland said it repelled what it described as its most serious cyberattack on energy infrastructure in years after attackers targeted communications between distributed renewable generation (solar and wind) and electricity distribution operators. Officials said the incident came close to causing a blackout and that “everything points to” Russian sabotage, while withholding specific technical indicators and a formal threat-actor attribution.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Acronis attributes Lotuslite campaign to Mustang Panda
Acronis assessed with moderate confidence that the Lotuslite activity was linked to the China-associated espionage group Mustang Panda, also known as UNC6384 and Twill Typhoon. The attribution was based on infrastructure and technical overlaps observed during analysis.
Mustang Panda launches Venezuela-themed phishing campaign against U.S. targets
Acronis Threat Research Unit reported that a China-linked espionage campaign used Venezuela-themed attachments to target U.S. government agencies and policy organizations. Researchers said the lure appeared to capitalize on the reported capture of Nicolás Maduro and involved a DLL-sideloading chain delivering the Lotuslite backdoor.
U.S. operation reportedly disrupts Caracas power and radar during Maduro capture
Unnamed U.S. officials told The New York Times that a purported U.S. cyber operation briefly disrupted electricity in Caracas and targeted Venezuelan military radar defenses during the mission to capture President Nicolás Maduro. The report said most residents lost power for only minutes, while some neighborhoods near the military base where Maduro was seized experienced outages lasting up to three days.
Researchers discover Lotuslite malware sample on VirusTotal
In early January, researchers identified a ZIP archive uploaded to VirusTotal containing a legitimate executable and a malicious DLL used to sideload the Lotuslite backdoor. The sample provided evidence of the phishing campaign and its tooling, though Acronis said it was unknown whether any victims were successfully compromised.
Sources
China spies used Maduro capture as lure to phish US agencies (The Register, go.theregister.com)
Why I’m withholding certainty that “precise” US cyber-op disrupted Venezuelan electricity (Ars Technica, arstechnica.com)