Lotus Wiper malware campaign disrupts Venezuelan energy and utilities sector with destructive file wiping
Summary
A previously undocumented file wiper malware named Lotus Wiper has been deployed in a destructive campaign targeting the energy and utilities sector in Venezuela, with activity spanning late 2025 and early 2026. The wiper systematically destroys system recovery mechanisms, overwrites physical drive contents, and deletes files across mounted volumes, rendering affected systems inoperable. No ransom or extortion demands were observed, indicating a non-financial motive. The attack chain involves multi-stage batch scripts that disable defenses, enumerate domain users, disable cached logins, disable network interfaces, and prepare the environment for wiper execution using native Windows utilities such as diskpart, robocopy, and fsutil.
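Detection logic for the staging behaviour described above, added here as an example and not taken from the cited report: it flags hosts where a script host starts at least two of the utilities the summary names (diskpart, robocopy, fsutil) within a short window. The record layout, host names, timestamps, the cmd.exe parent and the 10-minute window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the summary names in the attack chain.
WATCHED = {"diskpart.exe", "fsutil.exe", "robocopy.exe"}
# Assumption: the batch stages run under cmd.exe.
SCRIPT_PARENTS = {"cmd.exe"}

# Constructed process-creation records: (time, host, parent, image).
SAMPLE = [
    ("2026-01-10T02:14:05", "HMI-07", "cmd.exe", r"C:\Windows\System32\robocopy.exe"),
    ("2026-01-10T02:14:40", "HMI-07", "cmd.exe", r"C:\Windows\System32\fsutil.exe"),
    ("2026-01-10T02:15:02", "HMI-07", "cmd.exe", r"C:\Windows\System32\diskpart.exe"),
    # Lone robocopy job plus an interactive diskpart: should not alert.
    ("2026-01-10T09:00:00", "FILE-01", "cmd.exe", r"C:\Windows\System32\robocopy.exe"),
    ("2026-01-10T09:30:00", "FILE-01", "explorer.exe", r"C:\Windows\System32\diskpart.exe"),
    # Two tools, but two hours apart: outside the default window.
    ("2026-01-10T03:00:00", "ENG-02", "cmd.exe", r"C:\Windows\System32\fsutil.exe"),
    ("2026-01-10T05:00:00", "ENG-02", "cmd.exe", r"C:\Windows\System32\diskpart.exe"),
]

def find_wiper_prep(records, window=timedelta(minutes=10), min_tools=2):
    """Return {host: sorted tool names} for hosts where at least `min_tools`
    distinct watched utilities were started by a script host within `window`."""
    per_host = defaultdict(list)
    for ts, host, parent, image in records:
        tool = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if tool in WATCHED and parent.lower() in SCRIPT_PARENTS:
            per_host[host].append((datetime.fromisoformat(ts), tool))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            tools = {t for _, t in hits[start:end + 1]}
            if len(tools) >= min_tools:
                alerts[host] = sorted(tools | set(alerts.get(host, [])))
    return alerts

if __name__ == "__main__":
    for host, tools in find_wiper_prep(SAMPLE).items():
        print(f"ALERT {host}: {', '.join(tools)} launched by script within window")
```

Because the page reports that network interfaces are disabled before the wipe, an alert like this is only useful if it is evaluated on the endpoint or forwarded before that step.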
Timeline
- 22.04.2026 13:55 (1 article)
Lotus Wiper malware campaign impacts Venezuelan energy and utilities sector
A destructive file wiper malware, Lotus Wiper, was deployed against the energy and utilities sector in Venezuela between December 2025 and early 2026. The campaign utilized multi-stage batch scripts to disable system recovery mechanisms, enumerate domain users, disable cached logins, and deactivate network interfaces before executing diskpart clean all and fsutil to wipe logical drives and exhaust storage capacity. The wiper overwrites physical sectors with zeroes, clears USN journals, deletes restore points, and removes all system files, leaving systems inoperable without recovery options.
Sources:
- Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack — thehackernews.com — 22.04.2026 13:55
Information Snippets
- Lotus Wiper is a previously undocumented data wiper malware used in a destructive campaign targeting Venezuela’s energy and utilities sector.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- The wiper erases recovery mechanisms, overwrites physical drive contents, and systematically deletes files on all mounted volumes, rendering systems inoperable.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- No extortion or financial demands were observed in the wiper payload, indicating a non-financial motive for the attack.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- The wiper sample was compiled in late September 2025 and uploaded to a public platform in mid-December 2025 from a machine located in Venezuela.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- The attack chain begins with batch scripts that disable the Windows Interactive Services Detection (UI0Detect) service, check for NETLOGON shares, and download a remote XML file to determine Active Directory domain membership.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- If the NETLOGON share is unreachable, the script introduces a randomized delay of up to 20 minutes before retrying, suggesting operational caution in execution.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- The second batch script enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and executes diskpart clean all to wipe logical drives.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- The wiper overwrites physical sectors with zeroes, clears USN journals, deletes system restore points, and exhausts storage capacity using fsutil to impair recovery.
  First reported: 22.04.2026 13:55 (1 source, 1 article)
- The wiper payload targets older versions of Windows (pre-Windows 10 version 1803), indicating prior knowledge of the compromised environment.
  First reported: 22.04.2026 13:55 (1 source, 1 article)