Lotus Wiper: Destructive New Malware Hits Venezuela's Energy Sector

-

Cybersecurity researchers at Kaspersky have uncovered a previously unknown data wiper malware, dubbed Lotus Wiper, that was used in a targeted destructive campaign against Venezuela's energy and utilities sector in late 2025 and early 2026.

What Is a Wiper?

Unlike ransomware, which locks data and demands payment, a wiper malware has one purpose: to permanently destroy data and render systems completely inoperable. Notably, Lotus Wiper contains no ransom demands or payment instructions, meaning the attack was not financially motivated, it was purely destructive.

How the Attack Unfolded

The attack chain begins with two batch scripts that work together to prepare the environment and deploy the wiper payload. The first script attempts to stop a Windows service related to background process alerts, checks for a NETLOGON network share, and retrieves a remote XML file — a step that researchers believe is used to confirm the machine is part of an Active Directory domain before proceeding.

If the conditions are met, a second script takes over. It enumerates local user accounts, disables cached logins, logs off active sessions, shuts down network interfaces, and runs the Windows built-in "diskpart clean all" command to wipe all identified drives. It also uses native Windows tools like robocopy and fsutil to overwrite folders and completely fill drive storage making recovery far more difficult.

Once the environment is sufficiently weakened, Lotus Wiper itself is launched. It removes system restore points, overwrites physical drive sectors with zeroes, clears volume journal records, and deletes all files across every mounted volume effectively destroying the system entirely.

A Targeted and Pre-Planned Operation

The malware sample was compiled in late September 2025 and uploaded to a public analysis platform from a machine in Venezuela in mid-December 2025, weeks before the U.S. military intervention in the country in January 2026. Whether the two events are directly connected remains unknown.

What is clear, however, is that the attackers had detailed knowledge of the target environment. The malware includes specific logic for older versions of Windows (pre-Windows 10 version 1803), suggesting the attackers had already compromised the network long before launching the destructive phase.

What Organizations Should Watch For

Security teams are advised to monitor for unusual changes to NETLOGON shares, signs of credential dumping or privilege escalation, and suspicious use of native Windows utilities like fsutil, robocopy, and diskpart, particularly when used in combination or in automated scripts.

Resources

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more