Kaspersky researchers uncover Lotus, a destructive data-wiping malware used in targeted attacks against Venezuelan energy and utility organizations, employing sophisticated multi-stage techniques to render systems unrecoverable.
A previously undocumented data-wiping malware dubbed Lotus has been discovered targeting energy and utilities organizations in Venezuela, marking a significant escalation in cyber operations against critical infrastructure in the region.

The malware was first uploaded to a publicly available platform in mid-December 2025 from a machine in Venezuela and has been analyzed by researchers at Kaspersky. The discovery comes amid heightened geopolitical tensions in the region, particularly following the capture of Venezuela's then-president, Nicolás Maduro, on January 3, 2026.
Multi-Stage Attack Architecture
The Lotus attacks employ a sophisticated multi-stage approach designed to systematically compromise and destroy targeted systems. According to Kaspersky's analysis, the attack begins with two batch scripts that prepare the environment before the final destructive payload is deployed.
The initial script, OhSyncNow.bat, disables the Windows 'UI0Detect' service and performs XML file checks to coordinate execution across domain-joined systems. This is followed by a second-stage script, notesreg.bat, which executes when specific conditions are met.
This second script performs several critical preparatory actions:
- Enumerates all user accounts on the system
- Disables accounts by changing passwords
- Logs off all active user sessions
- Disables all network interfaces
- Deactivates cached login credentials
Destructive Payload Deployment
After the system has been prepared and its defenses weakened, the attacker deploys the Lotus wiper as the final payload. The malware operates at a low level, interacting directly with the disk through IOCTL calls rather than through the file system.
Kaspersky's report details the wiper's comprehensive destruction methodology:
"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state."
Technical Execution Details
The Lotus wiper performs multiple destructive actions in sequence:
- Privilege Escalation: Enables all privileges in its token to gain administrative-level access
- Restore Point Deletion: Removes all Windows restore points using the Windows System Restore API
- Physical Drive Wiping: Retrieves disk geometry and overwrites all sectors with zeroes
- USN Journal Clearing: Removes traces of file system activity by clearing the USN journal
- File Deletion: Zeroes file contents, renames them randomly, and removes them (or schedules deletion on reboot if locked)
- Multiple Wipe Cycles: Repeats cycles of drive wiping and restore point deletion
- Disk Property Updates: Uses IOCTL_DISK_UPDATE_PROPERTIES after final wipe
Connection to Regional Tensions
The timing of these attacks aligns with significant geopolitical developments in Venezuela. Around mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) suffered a cyberattack that disabled its delivery systems. The organization publicly blamed the United States for the incident.
While there is no public evidence confirming that PDVSA's systems were wiped in that specific attack, the emergence of Lotus during this period suggests a broader pattern of cyber operations targeting Venezuelan critical infrastructure.
Detection and Prevention Strategies
Kaspersky recommends that system administrators monitor for several key indicators of Lotus-style attacks:
Precursor Activities:
- NETLOGON share changes
- UI0Detect service manipulation
- Mass account changes and password resets
- Network interface disabling
- Cached login deactivation
Suspicious Command Usage:
- Unexpected use of 'diskpart' with 'clean all' operations
- Unusual 'robocopy' operations for file overwriting
- 'fsutil' usage for disk space manipulation
General Recommendations:
- Maintain regular offline backups with frequent restorability validation
- Implement network segmentation for critical infrastructure
- Deploy endpoint detection and response (EDR) solutions
- Monitor for anomalous administrative privilege usage
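The precursor and command-usage indicators listed above can be turned into a small correlation rule. The following is an added example, not code from Kaspersky's report: it assumes process-creation (4688) and password-reset (4724) events from the Windows Security log, command-line patterns that are my own assumptions about how these actions typically look, and a constructed sample of events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the precursor activity the article lists. These regexes are
# assumptions about typical command shapes, not Kaspersky's own signatures.
COMMAND_RULES = {
    "ui0detect_service_manipulation": re.compile(r"\bsc(?:\.exe)?\s+(?:config|stop)\s+ui0detect\b", re.I),
    "network_interface_disable": re.compile(r"netsh\s+interface\s+set\s+interface\b.*\badmin\s*=\s*disable|Disable-NetAdapter", re.I),
    "diskpart_clean_all": re.compile(r"\bdiskpart(?:\.exe)?\s+/s\b|\bclean\s+all\b", re.I),
    "fsutil_disk_space": re.compile(r"\bfsutil(?:\.exe)?\s+file\s+(?:createnew|setzerodata|setvaliddata)\b", re.I),
    "robocopy_overwrite": re.compile(r"\brobocopy(?:\.exe)?\b.*\s/(?:mir|purge)\b", re.I),
}
PROCESS_CREATE_EVENT = 4688    # Windows Security log: a new process has been created
PASSWORD_RESET_EVENT = 4724    # Windows Security log: an attempt was made to reset an account's password
MASS_RESET_THRESHOLD = 5       # distinct accounts reset on one host within WINDOW counts as "mass"
WINDOW = timedelta(minutes=10)

def analyze(events):
    """events: dicts with host, time (ISO 8601), event_id, and command_line (4688) or
    target_account (4724). Returns {host: sorted list of matched indicator names}."""
    hits = defaultdict(set)
    resets = defaultdict(list)  # host -> [(time, account)]
    for ev in events:
        if ev["event_id"] == PROCESS_CREATE_EVENT:
            for name, pattern in COMMAND_RULES.items():
                if pattern.search(ev.get("command_line", "")):
                    hits[ev["host"]].add(name)
        elif ev["event_id"] == PASSWORD_RESET_EVENT:
            resets[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["target_account"]))
    # Sliding window: many distinct accounts reset on one host in a short time.
    for host, items in resets.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            if len({a for t, a in items[i:] if t - start <= WINDOW}) >= MASS_RESET_THRESHOLD:
                hits[host].add("mass_password_reset")
                break
    return {h: sorted(v) for h, v in hits.items()}

def lotus_precursor_alerts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct precursor indicators."""
    return sorted(h for h, names in analyze(events).items() if len(names) >= min_indicators)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"host": "srv01", "time": "2025-12-15T02:00:00", "event_id": 4688, "command_line": "sc config UI0Detect start= disabled"},
    *[{"host": "srv01", "time": f"2025-12-15T02:01:{s:02d}", "event_id": 4724, "target_account": f"user{s}"} for s in range(6)],
    {"host": "srv01", "time": "2025-12-15T02:03:00", "event_id": 4688, "command_line": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "ws07", "time": "2025-12-15T09:10:00", "event_id": 4688, "command_line": "robocopy C:\\src D:\\dst /E"},
    {"host": "ws07", "time": "2025-12-15T09:11:00", "event_id": 4724, "target_account": "alice"},
]
```

A plain copy with robocopy and a single password reset on ws07 stay below the alert threshold; srv01, with service tampering, a burst of resets and an interface disable, is flagged.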
The Lotus wiper represents a concerning evolution in data destruction malware, combining sophisticated preparation phases with comprehensive physical drive wiping techniques. Its deployment against Venezuelan energy and utility organizations highlights the increasing intersection of cyber operations and geopolitical conflicts, particularly targeting critical national infrastructure.
The discovery underscores the importance of robust cybersecurity measures for organizations in politically sensitive regions, where the risk of destructive attacks targeting essential services continues to grow.
