
Cybersecurity researchers have discovered a previously undocumented data wiper used in attacks targeting Venezuela between late last year and early 2026.
According to Kaspersky Lab’s findings, this novel file wiper, called Lotus Wiper, was used in a destructive campaign targeting Venezuela’s energy and utilities sector.
“The two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload,” the Russian cybersecurity vendor said. “These scripts coordinate the initiation of operations across the network, weakening system defenses, and disrupting normal operations before acquiring, deobfuscating, and executing unknown wipers.”
Once the wiper is deployed, it erases the recovery mechanism, overwriting the contents of the physical drive and systematically deleting files across the affected volumes, effectively rendering the system inoperable.
This artifact does not incorporate any extortion or payment instructions, indicating that the aggressive wiper activity is not aimed at financial gain. Notably, the wiper was uploaded from a Venezuelan machine to a public platform in mid-December 2025, weeks before the US military action in the country in early January 2026. The sample was compiled in late September 2025.
It is currently unclear whether these two events are related, but Kaspersky noted that the samples were uploaded “at a time when public reports of malware activity targeting the same sectors and regions are increasing,” suggesting that the wiper attacks were highly targeted in nature.
The attack chain begins with a batch script that triggers a multi-step sequence that drops a wiper payload. Specifically, it attempts to stop the Windows Interactive Services Detection (UI0Detect) service. This service is used to alert the user when a background service running in session 0 attempts to display a graphical interface or interactive dialog.
UI0Detect has been removed from recent versions of Windows. The presence of this step indicates that the batch script was designed for computers running versions of Windows 10 earlier than version 1803, in which the feature was removed.
The script then checks the NETLOGON share for a remote XML file, and then checks whether a file with the same name exists in a previously defined local directory (‘C:\lotus’ or ‘%SystemDrive%\lotus’). It proceeds to run the second batch script regardless of whether such a local file exists.
“Local checks are likely to try to determine whether a machine is part of an Active Directory domain,” Kaspersky said. “If the remote file is not found, the script will exit. If the NETLOGON share cannot be reached initially, the script will introduce a random delay of up to 20 minutes before retrying the remote check.”
The second batch script, if not already run, enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and runs the “diskpart clean all” command to erase all identified logical drives on the system.
It also recursively mirrors folders to overwrite existing content, uses the robocopy command line utility to delete folders, calculates available free space, and utilizes fsutil to create files that fill entire drives, exhausting storage space and preventing recovery.
Once the compromised environment is ready for destructive activity, Lotus Wiper is launched to delete restore points, overwrite physical sectors with all zeros, clear the volume’s journal update sequence number (USN), and erase all system files on each mounted volume.
Organizations and government agencies are encouraged to monitor changes to NETLOGON shares, potential credential dumping or privilege escalation activity, and use of native Windows utilities such as fsutil, robocopy, and diskpart to perform destructive actions.
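The monitoring advice above can be turned into a concrete check. The following is an added example written for this article, not code from Kaspersky or from the report: it parses process-creation records and flags the native utilities named here (diskpart, fsutil, robocopy) when they are invoked with the destructive arguments described, plus attempts to stop the UI0Detect service. The log lines, host names and the `Field=value` record layout are constructed for the example (the layout loosely mimics Sysmon Event ID 1 but is an assumption about the reader's telemetry), and the rule names are chosen here.

```python
"""Flag destructive use of native Windows utilities in process-creation logs.

Added example for illustration; the record format, sample lines and rule
names are constructed and are not taken from the Lotus Wiper report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str


# Rules are evaluated against the lower-cased command line.
RULES = [
    # diskpart driven by a script file (/s); the script itself should then be
    # reviewed for "clean" / "clean all", which diskpart does not take on the
    # command line.
    ("diskpart_scripted", re.compile(r"\bdiskpart(\.exe)?\b.*\s/s\s")),
    # fsutil creating a file of an explicit size: the technique used to fill
    # free space on a volume.
    ("fsutil_createnew", re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\s+\S+\s+\d+")),
    # robocopy mirror/purge runs, which overwrite or delete destination content.
    ("robocopy_mirror_purge", re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b")),
    # Stopping the Interactive Services Detection service.
    ("ui0detect_stop", re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+ui0detect\b")),
]

# Record fields look like Key=value or Key="value with spaces" (constructed format).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Split one log line into a dict of its Key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(command_line):
    """Return the names of all rules matching a single command line."""
    low = command_line.lower()
    return [name for name, rx in RULES if rx.search(low)]


def scan(lines):
    """Return a Finding for every rule hit in the process-creation records."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "1":      # only process-creation events
            continue
        cmd = rec.get("CommandLine", "")
        for rule in classify(cmd):
            findings.append(Finding(rec.get("Host", "?"), rule, cmd))
    return findings


def hosts_with_multiple_rules(findings):
    """Hosts where two or more distinct rules fired: escalate these first."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= 2)


# Constructed sample records: four destructive invocations, one benign
# robocopy backup, and one non-process event that must be ignored.
SAMPLE_LOG = [
    'EventID=1 Host=WS01 Image=C:\\Windows\\System32\\diskpart.exe CommandLine="diskpart /s C:\\lotus\\disk.txt"',
    'EventID=1 Host=WS01 Image=C:\\Windows\\System32\\fsutil.exe CommandLine="fsutil file createnew C:\\lotus\\fill.bin 8000000000"',
    'EventID=1 Host=WS02 Image=C:\\Windows\\System32\\Robocopy.exe CommandLine="robocopy C:\\lotus\\empty C:\\Users /MIR /R:0"',
    'EventID=1 Host=WS02 Image=C:\\Windows\\System32\\sc.exe CommandLine="sc stop UI0Detect"',
    'EventID=1 Host=WS03 Image=C:\\Windows\\System32\\Robocopy.exe CommandLine="robocopy D:\\reports E:\\backup /E"',
    'EventID=3 Host=WS03 Image=C:\\Windows\\System32\\svchost.exe DestinationPort=445',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host:6} {f.rule:24} {f.command_line}")
    print("escalate:", hosts_with_multiple_rules(scan(SAMPLE_LOG)))
```

Each rule on its own will produce false positives in an environment that legitimately scripts diskpart or mirrors directories with robocopy; the per-host aggregation in `hosts_with_multiple_rules` is the point, since the chain described above runs several of these utilities on the same machine in quick succession, and that combination is far rarer than any single invocation.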
“Given that the files contained specific functionality targeting older versions of the Windows operating system, the attackers likely had knowledge of the environment and could have compromised the domain long before the attack occurred,” Kaspersky said.
