Lotus Data Wiper Strikes Venezuelan Energy and Utility Companies

A new strain of data-wiping malware called Lotus was recently discovered in targeted attacks against energy and utilities organizations in Venezuela. This previously undocumented malware was uploaded to a public platform in mid-December and has since been analyzed by researchers at Kaspersky.

The attackers behind Lotus rely on two batch scripts to prepare the system for the final payload, weakening defenses and obstructing normal operations before ultimately crippling the system.

According to Kaspersky, Lotus is designed to completely destroy compromised systems by overwriting physical drives and eliminating recovery options. The malware removes recovery mechanisms, overwrites drive content, and systematically deletes files across affected volumes, rendering the system unrecoverable.

The timing of these attacks aligns with geopolitical tensions in the region, which escalated with the capture of Venezuela’s then-president, Nicolás Maduro, on January 3. In mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) experienced a cyberattack that disabled its delivery systems, with the organization blaming the United States for the incident.

There is no public evidence confirming whether PDVSA’s systems were wiped in that attack, nor any details about its nature.

Kaspersky’s report details the preliminary activity of the attacks, beginning with the execution of a batch script that disables the Windows ‘UI0Detect’ service and performs an XML file check to coordinate execution across domain-joined systems. A second-stage script is then executed, which disables accounts, logs off active sessions, and wipes physical drives, among other actions.

The Lotus wiper itself operates at a lower level than the batch scripts, interacting with disks via IOCTL calls to overwrite physical sectors and clear USN journal entries. It performs multiple actions to ensure data destruction, including enabling privileges for administrative access, deleting Windows restore points, and wiping physical drives.

Kaspersky recommends that system administrators monitor for specific precursor activities, such as changes to NETLOGON shares, mass account changes, and the disabling of network interfaces. They also advise watching for unexpected use of commands such as ‘diskpart’ and ‘robocopy.’
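To make those recommendations concrete, the following is an added detection example (not code from Kaspersky’s report or from this article) that runs the four precursor checks above over a handful of constructed, pipe-delimited Windows-style audit lines. The event IDs used are standard Windows security audit IDs (4663 object access, 4688 process creation, 4725 account disabled); the log format, the host names, the robocopy parent-process allowlist, and the “5 disabled accounts within 10 minutes” threshold are assumptions chosen for the example, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real telemetry).
# Format: timestamp|host|event_id|key=value|key=value...
SAMPLE_LOG = r"""
2025-12-15T02:10:04|DC01|4663|ObjectName=\\DC01\NETLOGON\logon.bat|AccessMask=WriteData
2025-12-15T02:11:30|WS07|4688|NewProcessName=C:\Windows\System32\diskpart.exe|ParentProcessName=C:\Windows\System32\cmd.exe
2025-12-15T02:11:31|WS07|4688|NewProcessName=C:\Windows\System32\robocopy.exe|ParentProcessName=C:\Windows\System32\cmd.exe
2025-12-15T02:12:00|DC01|4725|TargetUserName=alice
2025-12-15T02:12:01|DC01|4725|TargetUserName=bob
2025-12-15T02:12:02|DC01|4725|TargetUserName=carol
2025-12-15T02:12:03|DC01|4725|TargetUserName=dave
2025-12-15T02:12:04|DC01|4725|TargetUserName=erin
2025-12-15T02:13:10|WS07|4688|NewProcessName=C:\Windows\System32\netsh.exe|ParentProcessName=C:\Windows\System32\cmd.exe|CommandLine=netsh interface set interface Ethernet admin=disable
2025-12-15T09:00:00|WS03|4688|NewProcessName=C:\Windows\System32\robocopy.exe|ParentProcessName=C:\Program Files\Backup\scheduler.exe
2025-12-15T09:30:00|DC01|4725|TargetUserName=leaver1
"""

# Assumed allowlist: parents that legitimately launch robocopy in this (hypothetical) environment.
ALLOWED_ROBOCOPY_PARENTS = {"scheduler.exe"}


def parse(line):
    """Turn one pipe-delimited line into a dict; values may contain spaces and '='."""
    ts, host, event_id, *fields = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def check_netlogon_write(rec):
    """Write access to anything under a NETLOGON share (event 4663)."""
    if rec["event"] != 4663:
        return None
    obj = rec.get("ObjectName", "")
    if "\\netlogon\\" in obj.lower() and "write" in rec.get("AccessMask", "").lower():
        return ("netlogon_write", rec["host"], obj)
    return None


def check_disk_commands(rec):
    """diskpart from any parent, robocopy from a parent not on the allowlist (event 4688)."""
    if rec["event"] != 4688:
        return None
    proc = basename(rec.get("NewProcessName", ""))
    parent = basename(rec.get("ParentProcessName", ""))
    if proc == "diskpart.exe":
        return ("diskpart_exec", rec["host"], parent)
    if proc == "robocopy.exe" and parent not in ALLOWED_ROBOCOPY_PARENTS:
        return ("unexpected_robocopy", rec["host"], parent)
    return None


def check_interface_disable(rec):
    """netsh invoked to disable a network interface (event 4688 with command line)."""
    if rec["event"] != 4688:
        return None
    cmd = rec.get("CommandLine", "")
    if basename(rec.get("NewProcessName", "")) == "netsh.exe" and \
            "interface" in cmd.lower() and "disable" in cmd.lower():
        return ("interface_disable", rec["host"], cmd)
    return None


def check_mass_disable(records, threshold=5, window=timedelta(minutes=10)):
    """Sliding window: at least `threshold` account-disabled events (4725) per host within `window`."""
    by_host = defaultdict(list)
    for r in records:
        if r["event"] == 4725:
            by_host[r["host"]].append(r["ts"])
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("mass_account_disable", host, end - start + 1))
                break  # one alert per host per run is enough for triage
    return alerts


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Run every precursor check and return a list of (rule, host, detail) tuples."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for rec in records:
        for check in (check_netlogon_write, check_disk_commands, check_interface_disable):
            hit = check(rec)
            if hit:
                alerts.append(hit)
    alerts.extend(check_mass_disable(records, threshold, window))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script flags the NETLOGON write, the interactive diskpart and robocopy launches, the netsh interface disable, and the burst of five disabled accounts on DC01, while leaving the scheduler-launched robocopy and the single later account disable alone. The per-host sliding window is what separates routine offboarding from a mass disable; tune the threshold and window to your own account-lifecycle baseline before trusting the rule.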

In conclusion, maintaining regular offline backups with validated restorability is crucial to protect against wipers and ransomware attacks. By staying vigilant and implementing best practices, organizations can mitigate the risk of data loss and system compromise.