Lotus Data Wiper Deployed Against Venezuela's Energy and Utility Sector

April 22, 2026 00:02 · 5 min read
A New Destructive Malware Emerges in Venezuela

A previously undocumented data-wiping malware known as Lotus was deployed last year against energy and utilities organizations in Venezuela. The malware sample was uploaded to a publicly available analysis platform in mid-December from a machine located within Venezuela, where it was subsequently examined by researchers at Kaspersky.

The campaign stands out for its deliberate, multi-stage approach: before unleashing the final destructive payload, attackers rely on two batch scripts to systematically weaken system defenses and obstruct normal operations, clearing the path for complete data destruction.

Geopolitical Context and Timing

The timing of the discovered activity is notable. It closely aligns with a period of heightened geopolitical tension in Venezuela that culminated on January 3 with the capture of then-president Nicolás Maduro. Around mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) suffered a cyberattack that disabled its delivery systems. The organization publicly blamed the United States for the incident.

It is worth emphasizing, however, that no public evidence currently links the Lotus wiper to the PDVSA attack specifically, nor have the technical details of that intrusion been confirmed. There is no indication that PDVSA's systems were subjected to the same disk-wiping technique described in Kaspersky's analysis.

Preliminary Attack Stages: Setting the Stage for Destruction

According to Kaspersky's report, the attack chain begins with the execution of a batch script named OhSyncNow.bat. This script performs the following initial actions:

When specific conditions are satisfied, a second-stage script called notesreg.bat is launched. This script significantly escalates the damage by carrying out a range of hostile operations:

The script then enumerates connected drives and invokes diskpart clean all to overwrite them with zeros. It also leverages the built-in Windows tool robocopy to overwrite directory contents, adding another layer of data destruction before the primary payload even executes.

In a subsequent phase, the script calculates available disk free space and uses fsutil to create a file large enough to consume the remaining capacity — a technique designed to make forensic recovery of wiped data significantly harder.

Only after completing these preparatory steps does the batch script decrypt and launch the Lotus wiper as the terminal payload.

How the Lotus Wiper Operates

Unlike the batch scripts, which operate at the operating system level, the Lotus wiper engages with storage hardware at a lower level, interacting with physical disks through IOCTL calls. Kaspersky's analysis outlines a comprehensive set of destructive behaviors:

  1. Enables all privileges in its process token to obtain administrative-level access
  2. Deletes all Windows restore points using the Windows System Restore API
  3. Retrieves disk geometry and overwrites every physical sector with zeroes
  4. Clears the USN journal to eliminate traces of file system activity
  5. Deletes files by first zeroing their contents, then renaming them randomly before removal — or scheduling deletion at next reboot if the files are currently locked
  6. Repeats cycles of drive wiping and restore point deletion multiple times to maximize destruction
  7. Invokes IOCTL_DISK_UPDATE_PROPERTIES after the final wipe cycle to update disk properties

As Kaspersky describes it:

"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state."

Detection and Defensive Recommendations

Kaspersky advises system administrators to actively watch for early warning signs that may indicate a Lotus-style attack is being staged. Key behavioral indicators to monitor include:

These activities, while potentially legitimate in isolation, become significant red flags when observed together or in rapid succession.
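The staging commands described above (diskpart clean all, robocopy overwrites, fsutil disk filling) and the advice to treat them as red flags only when they occur together can be turned into a simple correlation check over process-creation logs. The following Python is an added example, not code from Kaspersky or BleepingComputer; the log format, regexes, host names, paths and timestamps are constructed for illustration, and the time window and threshold are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta
# Indicator patterns for the staging behaviour the article describes; these
# regexes and the log line format are constructed for this example, not vendor rules.
INDICATORS = {
    "diskpart_script":  re.compile(r"\bdiskpart(\.exe)?\b.*?(\s/s\b|clean\s+all)", re.I),
    "robocopy_run":     re.compile(r"\brobocopy(\.exe)?\b", re.I),
    "fsutil_createnew": re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\b", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

def parse_line(line):
    """Return (timestamp, host, command line) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["cmd"]

def classify(cmd):
    """Names of the staging indicators a command line matches (empty set if none)."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}

def correlate(log_text, window=timedelta(minutes=10), min_distinct=2):
    """Alert per host when >= min_distinct different indicators fall inside `window`; a lone run is often admin work."""
    per_host = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, cmd = parsed
        for name in classify(cmd):
            per_host.setdefault(host, []).append((ts, name))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {name for ts, name in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, start, sorted(seen)))
                break  # one alert per host is enough to trigger triage
    return alerts

# Constructed sample events: one host shows the full staging sequence, the
# other shows a routine backup job that must not raise an alert on its own.
SAMPLE_LOG = r"""
2025-12-14 03:10:02 host=WS-OPS-07 cmd=C:\Windows\System32\svchost.exe -k netsvcs
2025-12-14 03:11:45 host=WS-OPS-07 cmd=diskpart.exe /s C:\Users\Public\dp.txt
2025-12-14 03:12:10 host=WS-OPS-07 cmd=robocopy.exe C:\Users\Public\junk D:\Data /E
2025-12-14 03:13:30 host=WS-OPS-07 cmd=fsutil.exe file createnew D:\fill.bin 483183820800
2025-12-14 09:40:00 host=FS-BACKUP-01 cmd=robocopy.exe \\nas\share E:\Backup /MIR
"""
```

Calling `correlate(SAMPLE_LOG)` flags only WS-OPS-07, where all three indicators appear within two minutes, while the lone robocopy run on FS-BACKUP-01 stays below the threshold.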

On a broader defensive note, Kaspersky reiterates guidance applicable to both wiper malware and ransomware threats: organizations should maintain regular offline backups and frequently validate that those backups can actually be restored. In a wiper attack scenario, verified offline backups represent the only reliable path to recovery, since the malware is explicitly designed to eliminate every on-system restoration mechanism.

A Growing Trend of Destructive Attacks on Critical Infrastructure

The emergence of Lotus adds to a growing catalog of wiper malware being used against critical infrastructure globally. The energy and utilities sector remains a high-value target given its operational sensitivity and the cascading real-world consequences of system outages. The Venezuelan incidents underscore how geopolitical tensions increasingly manifest as destructive cyberattacks against state-linked entities, with wipers serving as a preferred tool for actors seeking maximum disruption with minimal reversibility.


Source: BleepingComputer
