Lotus data wiper deployed against Venezuelan energy and utility infrastructure in late 2025
Summary
A previously undocumented data-wiping malware named Lotus was deployed in late 2025 against energy and utilities organizations in Venezuela, including a cyberattack on state-owned oil company Petróleos de Venezuela (PDVSA) around mid-December 2025 that disabled delivery systems. The malware systematically erases recovery options and overwrites physical drives, leaving systems unrecoverable. Initial access and lateral movement are facilitated by two batch scripts that disable security services, enumerate accounts, disrupt network connectivity, and prepare the environment for the final payload. The wiper operates at the disk level using IOCTL calls, ensuring comprehensive destruction of data and system state.
Timeline
- 21.04.2026 21:38 (1 article)
Lotus wiper deployed against Venezuelan energy sector in December 2025
A multi-stage attack involving the previously undocumented Lotus data-wiping malware was deployed against energy and utilities organizations in Venezuela beginning in mid-December 2025. The attack chain includes two batch scripts (OhSyncNow.bat and notesreg.bat) that prepare the environment by disabling security services, enumerating accounts, disrupting network connectivity, and overwriting logical volumes. The Lotus wiper then executes low-level disk operations via IOCTL calls to overwrite physical sectors, clear USN journals, and delete restore points, rendering systems unrecoverable.
Sources:
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
Information Snippets
- Lotus is a previously undocumented data-wiping malware specifically designed to render compromised systems unrecoverable by overwriting physical drives and eliminating recovery mechanisms.
  First reported: 21.04.2026 21:38 (1 source, 1 article)
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
- The attack chain begins with an initial batch script (OhSyncNow.bat) that disables the Windows ‘UI0Detect’ service and performs an XML file check to coordinate execution across domain-joined systems.
  First reported: 21.04.2026 21:38 (1 source, 1 article)
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
- A second-stage batch script (notesreg.bat) enumerates users, disables accounts via password changes, logs off active sessions, disables all network interfaces, deactivates cached logins, and prepares the environment for data destruction.
  First reported: 21.04.2026 21:38 (1 source, 1 article)
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
- The Lotus wiper overwrites physical sectors via IOCTL calls, clears USN journal entries, wipes restore points, and repeatedly cycles drive wiping and restore point deletion, ultimately updating disk properties to finalize the destruction.
  First reported: 21.04.2026 21:38 (1 source, 1 article)
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
- Kaspersky observed the Lotus malware uploaded to a public analysis platform in mid-December 2025 from a machine located in Venezuela.
  First reported: 21.04.2026 21:38 (1 source, 1 article)
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
- A cyberattack on Petróleos de Venezuela (PDVSA) around mid-December 2025 disabled its delivery systems, though public evidence does not confirm the use of Lotus or the exact nature of the attack.
  First reported: 21.04.2026 21:38 (1 source, 1 article)
- New Lotus data wiper used against Venezuelan energy, utility firms — www.bleepingcomputer.com — 21.04.2026 21:38
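
Detection sketch (an added example, not taken from the cited article or its sources): the staging behaviours attributed to the two batch scripts can be correlated per host in process-creation logs, so that several of them inside a short window raise one alert before the wiper runs. The page does not give the scripts' actual commands, so the command-line patterns, host names, timestamps and the 15-minute, three-behaviour threshold below are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour categories come from the page; every regex is this example's
# assumption about how that behaviour could look in process-creation logs.
BEHAVIOURS = {
    "service_disable": re.compile(r"\bsc(\.exe)?\s+(config|stop)\s+UI0Detect\b", re.I),
    "password_change": re.compile(r"\bnet1?(\.exe)?\s+user\s+[^/\s]\S*\s+[^/\s]\S*", re.I),
    "session_logoff": re.compile(r"\blogoff(\.exe)?\s+\d+", re.I),
    "nic_disable": re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*admin=disable", re.I),
    "recovery_removal": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I),
}

EVENTS = [  # constructed sample events: (timestamp, host, command line)
    ("2025-12-15T02:10:05", "WS-101", "sc config UI0Detect start= disabled"),
    ("2025-12-15T02:11:40", "WS-101", "net user jdoe Xk29!tmp"),
    ("2025-12-15T02:11:58", "WS-101", "logoff 2"),
    ("2025-12-15T02:12:30", "WS-101", 'netsh interface set interface "Ethernet" admin=disable'),
    ("2025-12-15T09:00:00", "WS-202", "net user svc_backup Rotated#2025"),  # routine reset
    ("2025-12-15T09:05:00", "WS-202", "vssadmin list shadows"),             # read-only query
    ("2025-12-15T01:00:00", "WS-303", "sc stop UI0Detect"),                 # spread over hours
    ("2025-12-15T06:00:00", "WS-303", "logoff 1"),
    ("2025-12-15T11:00:00", "WS-303", "vssadmin delete shadows /all /quiet"),
]

def classify(cmdline):
    """Return the set of behaviour categories a command line matches."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}

def find_staging(events, window=timedelta(minutes=15), threshold=3):
    """Flag hosts showing >= threshold distinct behaviours inside one window."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        for cat in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), cat))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            cats = {c for t, c in seen if start <= t <= start + window}
            if len(cats) >= threshold:
                flagged[host] = sorted(cats)
                break
    return flagged

if __name__ == "__main__":
    print(find_staging(EVENTS))
```

Only WS-101 is flagged: a single password reset (WS-202) and the same behaviours spread across a working day (WS-303) stay below the threshold, which is the trade-off the window size controls.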