Cybersecurity experts have identified a new, destructive malware named Lotus Wiper that has been targeting the energy and utilities sector in Venezuela. This malicious software was discovered by Kaspersky researchers and has been actively used in attacks from late last year into the early months of 2026. This campaign is particularly concerning as it aims to cripple critical infrastructure by erasing recovery mechanisms, overwriting physical drives, and deleting files, rendering systems inoperable.
The attack is initiated by two batch scripts that orchestrate the destruction across the network. These scripts disable system defenses and disrupt regular operations to execute the wiper payload. Notably, the attackers have not included any ransom demands, suggesting the motivation is not financial. The malware was uploaded to a public platform in mid-December 2025 from Venezuela, preceding U.S. military actions in the region in early January 2026. While the connection between these events remains unclear, Kaspersky indicates that the attack was highly targeted.
The malware operates specifically on older versions of Windows, evidenced by its attempt to stop the UI0Detect service, which has been removed in Windows 10 version 1803 and later. The scripts also attempt to interact with NETLOGON shares and execute a series of commands that disable logins, log off users, deactivate network interfaces, and wipe drives using the diskpart command. Additionally, it uses robocopy and fsutil commands to further damage the system by filling up storage space and preventing data recovery.
Organizations in Venezuela and similar sectors are advised to stay vigilant for changes in NETLOGON shares, potential credential theft, and the misuse of Windows utilities such as fsutil, robocopy, and diskpart. The attackers' targeting of older Windows systems suggests a deep understanding of the environment, indicating that the compromise may have occurred long before the attack.


