New Lotus data wiper used against Venezuelan energy utility firms

What Happened: A Destructive Strike

Kaspersky researchers recently detailed a new data wiper, which they've named Lotus, used in targeted attacks against energy and utility organizations in Venezuela. This isn't some theoretical threat; it was uploaded to a public platform from Venezuela in mid-December 2025, right when geopolitical tensions in the region were peaking. We saw those tensions culminate with the capture of Venezuela’s then-president on January 3, 2026. Around the same time, in mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) did suffer a cyberattack that disabled delivery systems. However, it's important to be precise: there's no public evidence directly linking the Lotus wiper to that specific PDVSA incident or confirming their systems were wiped by it. What we *do* know is that Lotus is designed for one thing: complete system destruction. For a full technical breakdown, see the Kaspersky report on the Lotus wiper.

The Mechanism: How the Lotus Data Wiper Operates

When we talk about data wipers, the focus often jumps straight to the final, destructive payload. But with Lotus, the preparatory orchestration is just as important, if not more so. This isn't a single-stage smash-and-grab; it's a methodical, multi-step process designed to ensure maximum damage and hinder recovery.

Here's how the attack chain unfolds:

First, the attackers use batch scripts to set the stage.

  • OhSyncNow.bat: This script starts by disabling the Windows ‘UI0Detect’ service. That service is usually there to help users interact with processes running in Session 0, which is a non-interactive session. Disabling it helps the wiper run without triggering user prompts. It also checks for an XML file, suggesting a coordinated execution across domain-joined systems. This isn't about a single machine; it's about enterprise-wide impact.

  • notesreg.bat: This one is particularly nasty. It enumerates users, then disables accounts by changing their passwords. It logs off active sessions, disables all network interfaces, and deactivates cached logins. Think about that for a second: you're not just wiping data; you're cutting off access, preventing remote intervention, and locking out legitimate users *before* the main destruction even starts.

Figure: The Lotus data wiper attack chain (stylized depiction of a multi-stage attack, from initial reconnaissance tools to a network diagram to a server being wiped).

After these initial scripts weaken the system and isolate it, more batch script actions kick in for initial wiping:

  • It enumerates drives.
  • It executes diskpart clean all, which overwrites drives with zeros. This is a common, effective way to destroy data at a logical volume level.
  • It uses robocopy to overwrite directory contents, further ensuring data destruction.
  • It calculates free space and then uses fsutil to create a file that fills the entire disk. This isn't just about deleting; it's about making sure any remnants are buried under new, meaningless data, making restoration even harder.

Only *then* does the Lotus data wiper's final payload get decrypted and executed. This is where the low-level, deeply destructive work happens:

  • It enables all privileges in its token, giving it full administrative control.
  • It deletes all Windows restore points using the System Restore API. No easy rollbacks.
  • It retrieves disk geometry and then directly overwrites physical sectors with zeroes using IOCTL calls. This is a critical distinction from diskpart clean all, which operates on logical volumes. Overwriting physical sectors means the data is gone, period.
  • It clears the USN journal, removing traces of file system activity that could help forensic analysis.
  • It deletes files by zeroing their contents, renaming them randomly, and then removing them (or scheduling deletion on reboot if they're locked).
  • It repeats cycles of drive wiping and restore point deletion multiple times, just to be sure.
  • Finally, it updates disk properties using IOCTL_DISK_UPDATE_PROPERTIES after the last wipe, cementing the destruction.

This is not a simple script; it's a carefully orchestrated sequence designed for total, unrecoverable system destruction. The pre-wiper stages are fundamental to the attack's success, making incident response and recovery exponentially more difficult.

The Impact of the Lotus Data Wiper: More Than Just Data Loss

The practical impact of the Lotus data wiper is clear: any system hit by this wiper is gone. Unrecoverable. This is an availability incident of the highest order, designed to cause maximum disruption to critical infrastructure.

The social discussions around this incident are interesting. There's a sentiment that given Venezuela's existing infrastructure challenges and corruption, a sophisticated cyberattack might not even be necessary. Why not just bribe someone? This perspective, while understandable, misses the strategic intent. A bribe might cause localized disruption, but a wiper like Lotus delivers a systemic, unrecoverable blow. It's about sending a message, causing widespread chaos, and demonstrating capability in a way that bribery simply can't. It also avoids the human element of bribery, which can be traced. This is a digital scorched-earth policy.

The confusion between the Lotus data wiper and the LOTUSLITE backdoor, attributed to Mustang Panda and used in espionage campaigns with Venezuela-themed lures, also highlights a broader problem. Misinformation, especially in a politically charged environment, can obscure the true nature of threats. The wiper is about destruction; the backdoor is about long-term access and intelligence gathering. They are fundamentally different objectives, even if they share a name.

Figure: Close-up of a damaged hard drive with scorch marks and a fragmented platter, illustrating the irreversible data loss caused by the Lotus data wiper.

This attack, whether amplified by existing systemic weaknesses or not, represents a significant escalation. It shows a willingness to deploy highly destructive tools against critical infrastructure, moving beyond espionage or financial gain to pure disruption.

The Response: Prioritizing Resilience

Defending against a Lotus data wiper means shifting focus. It's not just about preventing initial access; it's about building resilience for when that access inevitably happens.

First, organizations need to prioritize solid, immutable backups. And I mean *immutable*. If your backups can be wiped, they're not backups. These need to be air-gapped or logically separated, tested regularly, and stored off-site.

Second, the precursor activities are key. Monitoring for unexpected use of diskpart, robocopy or fsutil, changes to NETLOGON shares, UI0Detect manipulation, mass account changes, or network interfaces being disabled: these are all red flags, and on their own each one is noisy, so the signal is several of them on the same host in a short window. Your endpoint detection and response (EDR) and security information and event management (SIEM) systems need to be tuned to catch these behaviors, not just the final payload. This is where a good SOC earns its keep, catching the early stages before the irreversible damage.
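To make the precursor-correlation idea concrete, here is an added example (written for this article, not Kaspersky's detection logic or anything taken from their report) that scores Sysmon-style process-creation and Security-log account events per host inside a sliding time window and raises one alert when several of the staging behaviours named above line up. The event field names, the regexes, the weights and the sample records are all my own assumptions; the log lines are constructed, not from any real incident.

```python
"""Per-host correlation of wiper staging behaviours over constructed log records.

Added example for this article; field names, weights and sample events are
assumptions modelled loosely on Sysmon EventID 1 and Windows Security events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line behaviours called out in the article, each with an assumed weight.
# A single hit is noisy (admins run robocopy all day); the score only matters
# when several distinct techniques appear on one host within the window.
COMMAND_RULES = [
    ("ui0detect_tamper", 3, re.compile(r"\bui0detect\b", re.I)),
    ("net_interface_disable", 3,
     re.compile(r"\bnetsh\b.*\binterface\b.*admin\s*=\s*disable", re.I)),
    ("diskpart_invocation", 2, re.compile(r"\bdiskpart(\.exe)?\b", re.I)),
    ("fsutil_disk_fill", 2,
     re.compile(r"\bfsutil(\.exe)?\b.*\bfile\b.*\b(createnew|setzerodata)\b", re.I)),
    ("robocopy_mirror", 1, re.compile(r"\brobocopy(\.exe)?\b.*/(MIR|PURGE)\b", re.I)),
]
ACCOUNT_EVENTS = ("account_password_reset", "account_disabled")
MASS_ACCOUNT_MIN = 3       # distinct accounts touched inside one window
MASS_ACCOUNT_WEIGHT = 3

# Constructed sample telemetry: FS01 shows the staging pattern, WS22 is benign admin work.
SAMPLE_EVENTS = [
    {"ts": "2025-12-15T02:00:01", "host": "FS01", "event": "process",
     "cmdline": "sc config UI0Detect start= disabled"},
    {"ts": "2025-12-15T02:00:05", "host": "FS01", "event": "account_password_reset", "target": "jdoe"},
    {"ts": "2025-12-15T02:00:06", "host": "FS01", "event": "account_password_reset", "target": "asmith"},
    {"ts": "2025-12-15T02:00:07", "host": "FS01", "event": "account_disabled", "target": "svc_backup"},
    {"ts": "2025-12-15T02:00:20", "host": "FS01", "event": "process",
     "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"ts": "2025-12-15T02:01:00", "host": "FS01", "event": "process",
     "cmdline": "diskpart /s C:\\Windows\\Temp\\script.txt"},
    {"ts": "2025-12-15T02:01:30", "host": "FS01", "event": "process",
     "cmdline": "fsutil file createnew C:\\fill.bin 9000000000"},
    {"ts": "2025-12-15T09:15:00", "host": "WS22", "event": "process",
     "cmdline": "robocopy D:\\data \\\\backup\\share /MIR"},
    {"ts": "2025-12-15T09:16:00", "host": "WS22", "event": "process",
     "cmdline": "fsutil fsinfo drives"},
]


def classify(event):
    """Return (technique, weight) for a process event that matches a rule, else None."""
    if event.get("event") == "process":
        for name, weight, rx in COMMAND_RULES:
            if rx.search(event.get("cmdline", "")):
                return name, weight
    return None


def detect_wiper_precursors(events, window_minutes=10, threshold=6):
    """Sliding-window correlation per host.

    For every event as a window start, collect the distinct techniques seen on
    that host within `window_minutes`, add the mass-account rule if enough
    distinct accounts were touched, and alert when the summed weight reaches
    `threshold` with at least two different techniques. One alert per host,
    keeping the highest-scoring window.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, evs in by_host.items():
        best = None
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["ts"])
            techniques, accounts = {}, set()
            for ev in evs[i:]:
                if datetime.fromisoformat(ev["ts"]) - t0 > window:
                    break
                hit = classify(ev)
                if hit:
                    techniques[hit[0]] = hit[1]        # de-duplicated per technique
                elif ev["event"] in ACCOUNT_EVENTS:
                    accounts.add(ev["target"])
            if len(accounts) >= MASS_ACCOUNT_MIN:
                techniques["mass_account_change"] = MASS_ACCOUNT_WEIGHT
            score = sum(techniques.values())
            if score >= threshold and len(techniques) >= 2:
                if best is None or score > best["score"]:
                    best = {"host": host, "score": score, "window_start": start["ts"],
                            "techniques": sorted(techniques)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_precursors(SAMPLE_EVENTS):
        print(alert)
```

The de-duplication per technique is deliberate: a loop that runs diskpart fifty times should not outscore a host that shows service tampering, mass password resets and an interface being disabled in the same two minutes, because it is the combination of distinct staging steps that distinguishes the attack chain from routine administration.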

Third, network segmentation is non-negotiable. Limiting lateral movement means that even if one part of your network is compromised, the blast radius is contained. This is particularly important for critical infrastructure.

Finally, we need to be clear about attribution and intent. While geopolitical tensions provide context, definitive attribution of specific attacks to specific state actors without publicly available, verifiable technical evidence can be misleading. The focus for defenders should remain on the *mechanisms* of the attack and building defenses against them, regardless of who is pulling the strings.

The Lotus data wiper is a stark reminder that destructive attacks are a real and present danger. We can't afford to get caught up in the noise or dismiss the threat because of perceived national vulnerabilities. The technical details show a deliberate, sophisticated effort to cause maximum damage, and our defenses need to reflect that reality.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.