Lotus Wiper destroys Venezuelan energy and utility systems in apparent state-sponsored attack

Kaspersky has documented a previously undocumented data wiper, dubbed Lotus Wiper, used in destructive attacks on the Venezuelan energy and utilities sector at the end of 2025 and into 2026. The malware has no ransom note, no payment instructions, and no recovery mechanism - this is pure destruction, consistent with state-aligned or geopolitically-motivated sabotage rather than cybercrime. The attack begins with two batch scripts that prepare the environment: one checks for a NETLOGON share (the Active Directory login-scripts share) to confirm the machine is domain-joined, then fetches a remote XML file and runs a second script. The second script disables cached logins, logs off active sessions, kills network interfaces, runs 'diskpart clean all' to wipe all logical drives, uses robocopy to recursively overwrite or delete folders, and uses fsutil to fill remaining free space. Once the environment is prepped, the Lotus Wiper binary deletes restore points, zeros out physical sectors, clears NTFS journal USN records, and erases every file on every mounted volume. Kaspersky notes one script tries to stop the Windows UI0Detect service, a feature removed after Windows 10 version 1803 - meaning the attackers knew they would hit legacy Windows systems and had deep prior knowledge of the target environment, implying long-running domain compromise before the destructive payload fired. The sample was uploaded to a public malware-sharing platform from Venezuela in mid-December 2025, weeks before the U.S. military action in the country in early January 2026.

Check

Regardless of geography, hunt for the living-off-the-land pattern this wiper uses: 'diskpart clean all', fsutil filling free space, robocopy recursively mirroring empty directories, and attempts to stop UI0Detect on any Windows host.

Affected

Windows environments with long-running Active Directory compromise, particularly those still running pre-Windows 10 1803 builds where the UI0Detect service exists. Operational-technology organisations in energy, utilities, and critical infrastructure - especially in Venezuela but globally given the playbook is reusable.

Fix

Alert on any process chain matching: cmd.exe spawning 'diskpart.exe /s' with 'clean all', fsutil.exe creating zero-sized fill files, or robocopy.exe with /MIR into an empty source. Watch NETLOGON share for new or modified .xml and .bat files arriving on domain controllers. Enforce immutable offline backups - this wiper explicitly destroys restore points, shadow copies, and USN journals, so any backup reachable from the domain is at risk. Review privileged AD admin activity for the past 90 days. Monitor for unauthorized scripts pushed via GPO or scheduled tasks across the domain.