Kaspersky researchers have identified a previously unknown destructive malware they have named Lotus Wiper, saying it was used against Venezuela’s energy and utilities sector in 2025 and 2026 in a campaign designed not for profit but to permanently disable systems and erase data beyond recovery.
Scripts Prepared the Environment for Destruction
The attack began with batch scripts that weakened systems, disabled defences and disrupted normal operations before the final wiper payload was executed. Researchers said two batch scripts initiated the destructive phase and prepared the environment by coordinating activity across the network, weakening system protections and retrieving, deobfuscating and launching the malware.
The attack chain started with a batch file called OhSyncNow.bat, which checked specific folders and network shares and used a hidden XML file as a trigger to determine whether to continue. If the conditions were met, a second script prepared the machine for destruction. In the next phase, the malware disabled user accounts, forced active logoffs, blocked cached logins and shut down network interfaces to isolate the machine.
Wiper Removed Recovery Paths and Overwrote Disks
The malware then searched all disk drives and executed destructive commands, including diskpart clean all, which overwrote entire volumes and permanently deleted data. It also spread across directories using file mirroring techniques, overwriting or removing content at scale and filling remaining disk space with large files to prevent recovery or forensic analysis.
Researchers said executables disguised as legitimate Windows components were used to blend in with system software before the final Lotus Wiper payload was launched. Once running with the elevated privileges already present on the system, the wiper removed Windows restore points, cleared system logs and update journals, and began writing zeroes across every sector of the physical disks, making recovery impossible.
Researchers Describe Highly Targeted Campaign
The wiper used FindFirstVolumeW and FindNextVolumeW to identify mounted volumes, then sent them to a separate thread that deleted system files and cleared the volume’s change journal. It then scanned all mounted volumes, deleted files, corrupted file records, overwrote file contents with zeroes, renamed files randomly and forced deletion. Locked files were scheduled for removal on reboot.
Kaspersky researchers said the malware repeated disk destruction multiple times and updated system disk properties to ensure the changes persisted. The report said no ransom demand appeared, indicating that the malware had a purely destructive purpose rather than a financial one. The campaign was described as highly targeted and intended to permanently disrupt critical infrastructure.
Organisations should audit permissions on domain shares and monitor NETLOGON for unauthorised changes, because a file dropped on a shared location can trigger coordinated attacks across many systems at once. Security teams are advised to watch for token abuse, credential theft and privilege escalation, as well as unusual use of built-in tools such as fsutil, robocopy and diskpart.
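One way to turn that advice into a concrete check, as an added example written for this page rather than code from Kaspersky's report: a small Python triage over constructed process-creation records that flags scripted diskpart runs (escalated when the captured script contains "clean all"), USN change journal deletion via fsutil, robocopy in mirror mode, and batch files launched from a NETLOGON share. The hostname DC01, the file paths and the script text are assumptions; only the file name OhSyncNow.bat comes from the article.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style). Hostname,
# paths and script text are made up for this example; OhSyncNow.bat is from the report.
SAMPLE_EVENTS = [
    {"cmdline": r"cmd.exe /c \\DC01\NETLOGON\OhSyncNow.bat", "parent": r"C:\Windows\System32\svchost.exe"},
    {"cmdline": r"diskpart.exe /s C:\Windows\Temp\dp.txt", "parent": r"C:\Windows\System32\cmd.exe",
     "script_text": "select disk 0\nclean all\n"},
    {"cmdline": r"fsutil usn deletejournal /D C:", "parent": r"C:\Windows\System32\cmd.exe"},
    {"cmdline": r"robocopy C:\empty D:\data /MIR", "parent": r"C:\Windows\System32\cmd.exe"},
    {"cmdline": r"robocopy C:\src D:\backup /E", "parent": r"C:\Windows\explorer.exe"},  # benign copy
]

# (rule name, default severity, regex applied to the command line)
RULES = [
    ("script launched from NETLOGON share", "medium", r"\\\\[^\\]+\\NETLOGON\\\S*\.(bat|cmd|ps1)\b"),
    ("diskpart run with a script file", "medium", r"\bdiskpart(\.exe)?\s+/s\b"),
    ("USN change journal deleted", "high", r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b"),
    ("robocopy mirror mode (purges destination)", "medium", r"\brobocopy(\.exe)?\b.*\s/MIR\b"),
]


def triage(events):
    """Return one alert per matching rule; escalate diskpart when its script wipes a disk."""
    alerts = []
    for ev in events:
        for name, severity, pattern in RULES:
            if not re.search(pattern, ev["cmdline"], re.IGNORECASE):
                continue
            # If the diskpart script body was captured, a 'clean all' line confirms destructive intent.
            if "diskpart" in name and re.search(r"^\s*clean\s+all\s*$", ev.get("script_text", ""), re.I | re.M):
                severity, name = "high", name + " containing 'clean all'"
            alerts.append({"rule": name, "severity": severity, "cmdline": ev["cmdline"], "parent": ev["parent"]})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['cmdline']} (parent {a['parent']})")
```

Feeding real Sysmon or EDR process events into triage() in place of SAMPLE_EVENTS gives a starting point for the monitoring the report recommends; the parent process field is kept in each alert because a batch script spawning these tools from a service or logon context is the pattern worth reviewing first.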
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.