Kaspersky reported that a previously undocumented malware strain, Lotus Wiper, was used in targeted attacks against energy and utilities organizations in Venezuela, with activity spanning late 2025 into 2026. The operation used batch scripts including OhSyncNow.bat and notesreg.bat to coordinate execution across victim networks, weaken defenses, disable accounts and logins, alter NETLOGON share access, shut down network interfaces, and otherwise prepare systems for destructive action before launching the final payload. Researchers said the campaign appeared aimed at critical infrastructure disruption rather than extortion, with no ransom demand observed and indications the attackers likely understood the victim environments and may have maintained access for months before deployment.
Once executed, Lotus Wiper was designed to make recovery extremely difficult or impossible by deleting restore points, clearing logs and USN journal entries, overwriting files, mounted volumes, and physical disks with zeroes, and repeatedly wiping sectors through low-level disk IOCTL operations. Kaspersky said the malware was uploaded from a machine in Venezuela and noted temporal overlap with broader regional tensions and a separate cyberattack that disrupted PDVSA delivery systems, though there is no public evidence that PDVSA itself was hit by Lotus. Defenders were advised to watch for precursor behaviors such as UI0Detect manipulation, mass account changes, disabled network interfaces, and suspicious use of tools like diskpart, robocopy, and fsutil, while maintaining validated offline backups.
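The precursor behaviours the report tells defenders to watch for (USN-journal clearing, restore-point and shadow-copy deletion, log clearing, interface shutdown, mass account disabling, UI0Detect changes, scripted diskpart) are all visible as process-creation events before the wiper runs. The following added example, which is not Kaspersky's or Mallory's code, shows one way to triage such records: it parses a constructed, pipe-delimited log in the shape of Sysmon Event ID 1 / Security 4688 fields, matches each command line against a small rule set, and escalates a host when several distinct precursors cluster on it or accounts are disabled en masse. The rule names, thresholds, log format and sample lines are all assumptions made for this example.

```python
"""Precursor-behaviour triage for wiper-style activity (added example).

Not Kaspersky's or Mallory's code. The log format, rule names, threshold and
sample events are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # event timestamp
    host: str      # computer name
    user: str      # account that launched the process
    parent: str    # parent process command line
    cmdline: str   # command line of the created process


# Rule name -> regex evaluated against the lower-cased command line.
# Each maps to a preparatory step the report describes.
RULES = [
    ("usn_journal_delete", re.compile(r"\bfsutil\b.*\busn\b.*\bdeletejournal\b")),
    ("shadow_copy_delete", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b|\bwmic\b.*\bshadowcopy\b.*\bdelete\b")),
    ("eventlog_clear", re.compile(r"\bwevtutil\b.*\b(cl|clear-log)\b")),
    ("interface_disable", re.compile(r"\bnetsh\b.*\binterface\b.*\bdisable\b")),
    ("account_disable", re.compile(r"\bnet\b\s+user\b.*/active:no")),
    ("diskpart_scripted", re.compile(r"\bdiskpart\b.*/s\b")),
    ("ui0detect_service_change", re.compile(r"\bsc\b.*\b(config|stop)\b.*\bui0detect\b")),
]

# Disabling this many accounts on one host is treated as a mass account change.
MASS_ACCOUNT_THRESHOLD = 3

# Constructed sample log: one intrusion-like burst on a server driven by a
# batch script, plus two benign admin commands on a workstation.
SAMPLE_LOG = """\
2025-12-14T02:11:03Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|fsutil usn deletejournal /D C:
2025-12-14T02:11:05Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|vssadmin delete shadows /all /quiet
2025-12-14T02:11:09Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|net user alice /active:no
2025-12-14T02:11:10Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|net user bob /active:no
2025-12-14T02:11:11Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|net user carol /active:no
2025-12-14T02:11:20Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|netsh interface set interface "Ethernet0" admin=disable
2025-12-14T02:11:25Z|SRV-DC01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\sync.bat|wevtutil cl Security
2025-12-14T09:30:00Z|WS-042|CORP\\jdoe|explorer.exe|robocopy D:\\share E:\\backup /MIR
2025-12-14T09:45:12Z|WS-042|CORP\\jdoe|explorer.exe|fsutil fsinfo drives
"""


def parse_log(text: str) -> list[ProcEvent]:
    """Parse 'ts|host|user|parent|cmdline' lines into events."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, host, user, parent, cmdline))
    return events


def match_rules(ev: ProcEvent) -> list[str]:
    """Return the names of all rules whose pattern hits this command line."""
    cmd = ev.cmdline.lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events: list[ProcEvent]) -> dict:
    """Group hits per host and assign a severity.

    'critical' when three or more distinct precursors appear on one host or
    accounts are disabled en masse; otherwise 'medium'. Hosts with no hits
    are omitted. robocopy and plain fsutil use are deliberately not rules on
    their own: they are too common in benign administration.
    """
    per_host: dict = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        entry = per_host.setdefault(ev.host, {"hits": Counter(), "batch_parent": False, "events": []})
        entry["hits"].update(hits)
        # A .bat parent mirrors the script-driven execution the report describes.
        if ".bat" in ev.parent.lower():
            entry["batch_parent"] = True
        entry["events"].append((ev.ts, ev.user, hits, ev.cmdline))

    findings = {}
    for host, entry in per_host.items():
        distinct = set(entry["hits"])
        mass = entry["hits"]["account_disable"] >= MASS_ACCOUNT_THRESHOLD
        severity = "critical" if (len(distinct) >= 3 or mass) else "medium"
        findings[host] = {
            "severity": severity,
            "rules": sorted(distinct),
            "mass_account_change": mass,
            "batch_parent": entry["batch_parent"],
            "event_count": len(entry["events"]),
        }
    return findings


if __name__ == "__main__":
    for host, finding in triage(parse_log(SAMPLE_LOG)).items():
        print(host, finding)
```

The point of clustering rather than alerting on each command is that any one of these commands has legitimate uses; a burst of several on the same host, launched from a batch script, is what distinguishes preparation for destruction from routine administration. In production the same logic would run over Sysmon or 4688 telemetry in the SIEM rather than a text file.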

Timeline (4 events, from the most recent confirmed update back to the earliest known activity):
Kaspersky publicly reported and analyzed the Lotus wiper campaign, describing its destructive capabilities, likely prolonged attacker access, and indicators defenders should monitor. The report framed the activity as a deliberate critical infrastructure disruption campaign rather than financially motivated crime.
Around the same period in December 2025, a separate cyberattack disrupted PDVSA delivery systems during heightened regional geopolitical tensions. Public reporting did not establish that PDVSA was hit by Lotus or suffered data wiping.
In mid-December 2025, a previously undocumented destructive malware later named Lotus was used in targeted attacks against energy and utilities organizations in Venezuela. The attack chain used batch scripts to disable defenses, disrupt access, and prepare systems for irreversible wiping before launching the payload.
Kaspersky said Lotus Wiper was compiled in late September 2025, suggesting the destructive campaign had been prepared for months before it was deployed. This provides an earlier technical origin point for the operation than previously documented.
Sources (8 references tracked): darkreading.com, cybersecuritynews.com, thehackernews.com, securityaffairs.com, therecord.media, infosec.pub, securelist.com, bleepingcomputer.com.