A new and highly destructive malware, dubbed Lotus Wiper, has been identified actively targeting organizations within Venezuela’s energy and utilities sector. Unlike typical ransomware that extorts victims for financial gain, this sophisticated threat is designed purely for destruction, permanently wiping drives and deleting files in a manner that makes data recovery virtually impossible. The discovery comes amidst heightened geopolitical tensions in the Caribbean region during late 2025 and early 2026, suggesting a potentially state-sponsored or politically motivated attack.
Researchers at Securelist identified malicious artifacts uploaded from a Venezuelan machine in mid-December 2025. The malware itself was compiled in late September 2025, indicating a several-month preparation period before its deployment. The analysis revealed clear indicators within the malware samples that pointed to the energy and utilities sector as the intended victim. Crucially, the absence of any ransom demands or payment instructions confirmed its purely destructive nature.
Lotus Wiper: A New Threat to Critical Infrastructure
Lotus Wiper joins a growing list of destructive wiper malware that pose a significant threat to critical infrastructure. These attacks, unlike those seeking financial ransom, aim to cripple operations by irrevocably damaging data. Previous high-profile examples include NotPetya in 2017 and HermeticWiper in 2022, both of which caused widespread disruption and significant financial losses. The targeted nature of the Lotus Wiper attack suggests a strategic effort to disrupt essential services within Venezuela.
The attackers have employed a cunning tactic by disguising the malware as legitimate HCL Domino application components. This sophisticated camouflage, with file names such as nstats.exe, nevent.exe, and ndesign.exe, is designed to blend seamlessly with normal system operations. This strongly suggests that the threat actors had already gained a foothold within the victim’s network, staging these malicious executables after initial backdoor compromises.
How the Infection Chain Works
The attack chain commences with a batch script named OhSyncNow.bat, which acts as the initial trigger for the destructive sequence. This script first switches to a specific working directory, typically C:\lotus. It then disables the Interactive Services Detection service, commonly known as UI0Detect. This service is designed to alert users to background activity, and disabling it helps the attackers operate stealthily. The script's reliance on this service indicates that the attackers are likely targeting older, legacy systems, as UI0Detect has been removed from later versions of Windows.
A critical network-based trigger mechanism involves the script checking for a remote XML flag file named OHSync.xml located on the domain’s NETLOGON share. The presence of this file across multiple machines signals the attack to commence. Upon detection, a second batch script, notesreg.bat, is executed. This script is designed to run only once and systematically targets user accounts by changing their passwords to random strings, marking them as inactive, disabling cached logins, logging off active sessions, and shutting down all network interfaces using the netsh command. Furthermore, it initiates a `diskpart clean all` command on every logical drive, effectively overwriting all disk content with zeros.
Following the preparation phase orchestrated by the batch scripts, the primary payload, Lotus Wiper, is unleashed. Before execution, it uses XOR decryption to restore its own executable. Once active, it secures administrative privileges, then systematically removes all Windows System Restore points using the srclient.dll API. Subsequently, it employs low-level IOCTL disk commands to fill each disk sector with zeros. The wiper also leverages fsutil to create a file that consumes all available free disk space, so that nothing else can be written to the volume.
Files are then zeroed out using FSCTL_SET_ZERO_DATA, renamed with random hexadecimal strings, and ultimately deleted. In cases where a file is in use and cannot be immediately deleted, the wiper utilizes the MoveFileExW function to schedule its deletion upon the next system restart. This multi-faceted approach ensures maximum data destruction and operational disruption.
Organizations operating within the energy sector and other critical infrastructure environments are strongly advised to implement robust security measures. This includes rigorously auditing permissions and closely monitoring file activity on domain shares, with a particular focus on the NETLOGON share for any unauthorized modifications. Regular review of security logs for signs of credential abuse, token manipulation, or privilege escalation attempts is paramount.
Additionally, vigilance against unusual usage of built-in Windows utilities such as fsutil, robocopy, and diskpart is crucial, as attackers frequently exploit these native tools to evade detection by traditional security solutions. Securing backup systems and conducting routine tests of data restoration procedures are essential to guarantee recovery capabilities, even in the event of a destructive cyber incident. The ongoing geopolitical landscape suggests that similar, targeted attacks on critical infrastructure could persist.
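As an added example (not code from the Securelist analysis), the following Python scores constructed process-creation events against the indicators described above: the C:\lotus staging directory, the OhSyncNow.bat/notesreg.bat scripts and OHSync.xml flag file, UI0Detect being disabled, diskpart, fsutil createnew, netsh interface disabling, and the Domino-lookalike names running outside an assumed Domino install path. The rule weights, the alert threshold and the sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicator rules built from the artefacts named on the page. Each regex is applied to
# the lower-cased command line; the weights are an assumed severity ranking, not the
# original researchers'.
RULES = [
    ("staging directory C:\\lotus referenced", r"c:\\lotus\\", 2),
    ("trigger/prep script or flag file named", r"ohsyncnow\.bat|notesreg\.bat|ohsync\.xml", 3),
    ("UI0Detect service stopped or disabled", r"\bsc(\.exe)?\s+(config|stop)\s+ui0detect\b", 2),
    ("diskpart launched (used for 'clean all')", r"\bdiskpart(\.exe)?\b", 3),
    ("fsutil creating a space-filling file", r"\bfsutil(\.exe)?\s+file\s+createnew\b", 2),
    ("network interface disabled via netsh", r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\bdisable", 2),
]
# Domino-lookalike names from the page; DOMINO_ROOT is an assumed legitimate install path.
LOOKALIKES = {"nstats.exe", "nevent.exe", "ndesign.exe"}
DOMINO_ROOT = "c:\\program files\\hcl\\domino\\"

def match_event(ev):
    """Return (rule name, weight) hits for one process-creation event."""
    hits = [(n, w) for n, pat, w in RULES if re.search(pat, ev["cmdline"].lower())]
    image = ev["image"].lower()
    if image.rsplit("\\", 1)[-1] in LOOKALIKES and not image.startswith(DOMINO_ROOT):
        hits.append(("Domino-lookalike binary outside the Domino install path", 3))
    return hits

def score_hosts(events, threshold=5):
    """Sum weights per host; a host at or above threshold becomes an alert."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        for name, w in match_event(ev):
            scores[ev["host"]] += w
            reasons[ev["host"]].append(name)
    return {h: (s, reasons[h]) for h, s in scores.items() if s >= threshold}

# Constructed sample events (Sysmon process-creation style, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws07", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\lotus\\OhSyncNow.bat"},
    {"host": "ws07", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc config UI0Detect start= disabled"},
    {"host": "ws07", "image": "C:\\Windows\\System32\\diskpart.exe", "cmdline": "diskpart /s C:\\lotus\\wipe.txt"},
    {"host": "ws07", "image": "C:\\lotus\\nstats.exe", "cmdline": "nstats.exe"},
    {"host": "ws07", "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh interface set interface \"Ethernet\" admin=disable"},
    {"host": "ws12", "image": "C:\\Windows\\System32\\fsutil.exe", "cmdline": "fsutil file createnew C:\\Temp\\test.bin 4096"},
    {"host": "app02", "image": "C:\\Program Files\\HCL\\Domino\\nstats.exe", "cmdline": "nstats.exe"},
]

def demo():
    return score_hosts(SAMPLE_EVENTS)

if __name__ == "__main__":
    for host, (score, why) in demo().items():
        print(f"{host}: score={score}; " + "; ".join(why))
```

A single fsutil createnew on ws12 stays below the threshold, while the clustered sequence on ws07 is what raises the alert; tune the weights to your own baseline of legitimate fsutil and diskpart use.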