New 'Lotus Wiper' Malware Struck Venezuela's Energy and Utilities Sector in Targeted Destructive Campaign

April 22, 2026 20:00

Previously Unknown Wiper Malware Targets Venezuelan Energy Infrastructure

A newly discovered destructive malware has been deployed against Venezuela's energy and utilities sector in a campaign that researchers believe was designed expressly to destroy systems rather than to extract data or generate financial gain. The findings were published this week by Russian cybersecurity firm Kaspersky, which detailed a previously unknown wiper tool it has named Lotus Wiper.

According to Kaspersky's report, Lotus Wiper erases data across physical drives and deletes files throughout a system's entire storage hierarchy. Once the malware has run, affected machines are rendered impossible to restore, making recovery from backups or conventional forensic techniques unfeasible.

"We believe that this wiper is extremely targeted, has no financial motivation, and aims to erase all of a device's files and data," the Kaspersky researchers stated.

Attackers Deliberately Focused on Legacy Windows Systems

A notable technical characteristic of the campaign is the attackers' deliberate targeting of machines running older versions of the Windows operating system. Kaspersky researchers interpret this as strong evidence that the threat actors possessed detailed, pre-existing knowledge of the victim networks. This level of familiarity typically indicates that the adversaries had already gained access to — and spent time mapping — the targeted environments well before launching the destructive phase of the operation.

Technical analysis of the malware further supports the theory of a lengthy preparation period. Lotus Wiper was compiled in late September 2025, while a malware sample linked to the same campaign was uploaded to a public malware repository in mid-December from a computer located in Venezuela. The gap between compilation and the appearance of the sample suggests the attackers spent months positioning themselves inside the targeted networks before executing the destructive payload.

Geopolitical Context and the PDVSA Cyberattack

Kaspersky's researchers declined to identify the specific organizations affected by the campaign. However, they noted that the malicious activity occurred during a period of sharply elevated geopolitical tension in the Caribbean region in late 2025 and early 2026.

That backdrop is significant. In December 2024, Venezuela's state-run oil company, Petróleos de Venezuela (PDVSA), publicly reported that a cyberattack had disrupted its administrative systems. Local media reported at the time that the incident temporarily halted oil cargo deliveries, underscoring the real-world operational impact of the intrusion.

PDVSA formally blamed the United States for the attack, framing the accusation within the context of Washington's increased military presence around Venezuela and its sustained campaign to pressure President Nicolás Maduro from power. Maduro was subsequently removed from the country by U.S. forces in January.

No Confirmed Link Between Lotus Wiper and PDVSA Incident

Despite the timing and the geographic focus of the Lotus Wiper campaign, several important caveats must be noted:

Kaspersky's analysis stops short of attributing the campaign to any known nation-state group or cybercriminal collective, leaving the question of responsibility open pending further investigation.

Significance of Wiper Attacks Against Critical Infrastructure

Wiper malware represents one of the most disruptive categories of cyberweapon precisely because its goal is destruction rather than espionage or extortion. Unlike ransomware, which encrypts data and demands payment for decryption keys, a wiper simply obliterates the targeted data permanently. This makes recovery far more difficult and costly, requiring complete system rebuilds from scratch.

The deployment of Lotus Wiper against energy and utilities targets in Venezuela fits a broader pattern of destructive cyberattacks against critical infrastructure that has emerged over the past several years, particularly in regions experiencing geopolitical conflict or instability. The energy sector is a high-value target because disruptions there cascade rapidly into broader economic and societal consequences — as the temporary disruption to PDVSA's oil cargo operations illustrated.

Kaspersky's researchers continue to analyze the campaign, and further details about attribution, affected organizations, and the full scope of the damage are expected to emerge as the investigation progresses.


Source: The Record
