Full Report
Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky. "Two batch scripts are responsible for initiating the
Analysis Summary
# Tool/Technique: Lotus Wiper
## Overview
Lotus Wiper is a previously undocumented, destructive data wiper discovered by Kaspersky. It was used in a targeted campaign against the Venezuelan energy and utilities sector between late 2025 and early 2026. The malware is designed for pure destruction rather than financial gain, as it lacks ransom demands or extortion instructions. It systematically renders systems inoperable by destroying recovery mechanisms and overwriting physical drive contents.
## Technical Details
- **Type:** Malware (Wiper)
- **Platform:** Windows (including legacy versions prior to Windows 10 v1803)
- **Capabilities:** Disk wiping, file deletion, service disruption, and recovery impairment.
- **First Seen:** September 2025 (Compilation); December 2025 (In-the-wild activity).
## MITRE ATT&CK Mapping
- **[TA0040 - Impact]**
  - [T1485 - Data Destruction]
  - [T1561.001 - Disk Structure Wipe: Disk Content Wipe]
  - [T1561.002 - Disk Structure Wipe: Disk Partition Wipe]
  - [T1490 - Inhibit System Recovery]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0007 - Discovery]**
  - [T1087.001 - Account Discovery: Local Account]
  - [T1018 - Remote System Discovery]
## Functionality
### Core Capabilities
- **Disk Wiping:** Uses the `diskpart clean all` command to wipe identified logical drives.
- **Physical Overwriting:** Overwrites physical sectors of the drive with zeroes.
- **Data Erasure:** Recursively deletes files across all mounted volumes and uses `robocopy` to mirror empty folders over existing data, overwriting it.
- **Recovery Inhibition:** Deletes system restore points and clears Update Sequence Number (USN) journals to prevent forensic recovery.
- **Storage Exhaustion:** Utilizes `fsutil` to create a massive file that fills all available free space, preventing the creation of new recovery logs.
### Advanced Features
- **Environment Awareness:** Checks for NETLOGON shares to determine if the target is part of an Active Directory domain.
- **Timed Execution:** Features a randomized delay (up to 20 minutes) if network shares are unreachable to evade basic sandboxing or timing-based detection.
- **Legacy Compatibility:** Targets the `UI0Detect` service, indicating a design intended to compromise older Windows environments often found in Industrial Control Systems (ICS) or critical infrastructure.
## Indicators of Compromise
- **File Names:**
  - `lotus` (directory name)
- **File Paths:**
  - `C:\lotus\`
  - `%SystemDrive%\lotus\`
- **Behavioral Indicators:**
  - Execution of `diskpart clean all`
  - Abnormal use of `fsutil` to create large files.
  - Usage of `robocopy` for mass file deletion.
  - Stopping the `UI0Detect` service.
  - Automated logout of active user sessions.
  - Disabling of network interfaces via script.
## Associated Threat Actors
- **Unknown:** While no specific group has been named, the activity aligns with tension involving Venezuela and suggests a state-sponsored or politically motivated actor.
## Detection Methods
- **Signature-based:** Deploy YARA or AV signatures targeting the batch scripts responsible for the orchestration phase and the unique wiper binary compiled in September 2025.
- **Behavioral detection:** Monitor for unauthorized use of administrative tools (`diskpart`, `fsutil`, `vssadmin`) in rapid succession.
- **Registry & Service Monitoring:** Alert on the disabling of Windows Interactive Services Detection or changes to NETLOGON access patterns.
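A small detector for the "rapid succession" behavioural check above, added here as an example and not code from Kaspersky's report: it scans process-creation log lines for the administrative tools named in this analysis and alerts when a host runs two or more distinct ones within a short window. The log format (ISO timestamp, host, command line), the 5-minute window and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Patterns for the behaviours listed above. diskpart takes its subcommands from a
# script file or stdin, so its process event shows only the image name; the other
# tools expose the destructive verb on the command line itself.
WIPER_PATTERNS = {
    "diskpart": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
    "fsutil":   re.compile(r"\bfsutil(\.exe)?\s+(file\s+createnew|usn\s+deletejournal)", re.I),
    "vssadmin": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "robocopy": re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b", re.I),
}
WINDOW = timedelta(minutes=5)  # "rapid succession": distinct tools within 5 minutes (assumed)
MIN_DISTINCT_TOOLS = 2
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # assumed format: "<ISO ts> <host> <cmdline>"

def classify(cmdline):
    """Name of the wiper-associated tool a command line matches, else None."""
    for name, pat in WIPER_PATTERNS.items():
        if pat.search(cmdline):
            return name
    return None

def find_wiper_bursts(lines):
    """Hosts that ran >= MIN_DISTINCT_TOOLS distinct wiper tools within WINDOW -> sorted tools."""
    per_host = defaultdict(list)  # host -> [(timestamp, tool)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        tool = classify(m.group(3)) if m else None
        if tool:
            per_host[m.group(2)].append((datetime.fromisoformat(m.group(1)), tool))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window anchored at each event in turn
            tools = {t for ts, t in events[i:] if ts - start <= WINDOW}
            if len(tools) >= MIN_DISTINCT_TOOLS:
                alerts[host] = sorted(tools)
                break
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    r"2025-12-10T02:00:05 SCADA-HMI1 C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2025-12-10T02:00:09 SCADA-HMI1 fsutil file createnew C:\lotus\fill.bin 900000000000",
    r"2025-12-10T02:00:40 SCADA-HMI1 robocopy C:\lotus\empty D:\data /MIR",
    r"2025-12-10T02:01:12 SCADA-HMI1 diskpart.exe /s C:\lotus\wipe.txt",
    r"2025-12-10T09:15:00 FILESRV2 robocopy E:\share \\backup\share /MIR",  # routine mirror job
    r"2025-12-10T14:00:00 ADMIN-WS vssadmin delete shadows /for=C: /oldest",
    r"2025-12-10T16:30:00 ADMIN-WS fsutil file createnew C:\temp\test.bin 1024",  # hours apart
]
```

Running `find_wiper_bursts(SAMPLE_LOG)` flags only `SCADA-HMI1`, where all four tools appear within about a minute; the lone backup mirror job and the two admin commands hours apart on `ADMIN-WS` stay below the threshold.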
## Mitigation Strategies
- **Network Segmentation:** Isolate critical energy sector infrastructure to prevent the lateral movement necessary to reach the NETLOGON share.
- **Least Privilege:** Restrict the use of administrative utilities like `diskpart` and `fsutil` to authorized users/processes only.
- **Hardening:** Disable or monitor legacy services (like Session 0 interactive services) if not required for operations.
- **Offline Backups:** Maintain rigorous offline, immutable backups, as the wiper is specifically designed to destroy online recovery points and local shadow copies.
## Related Tools/Techniques
- **Shamoon / Disttrack:** Similar destructive intent targeting energy sectors.
- **AcidRain:** Another wiper targeting critical infrastructure components.
- **Native Binary Living-off-the-Land (LotL):** Use of `diskpart`, `robocopy`, and `fsutil`.