
    Lotus Wiper Attack Targets Venezuelan Energy Firms, Utilities

    By admin | April 30, 2026

    An analysis of software artifacts from a malicious cyberattack targeting the energy and utilities sector in Venezuela late last year revealed that the attack made significant use of living-off-the-land (LOTL) techniques, lacked a ransomware component, and assiduously identified and deleted critical data.

    The software — found on “a publicly available resource” and uploaded in December 2025 — used two batch scripts to coordinate the attack throughout the target’s network, undermine system defenses, and hobble incident response. That was all a prelude to the final step: executing a previously unknown wiper program, dubbed Lotus Wiper, according to an analysis published by cybersecurity firm Kaspersky Lab last week. The samples were originally compiled in late September 2025, and the company has not found any additional samples as part of other attacks.

    Lotus Wiper is effective at destroying system data and disrupting operations, the company stated.


    “The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state,” the cybersecurity firm’s researchers stated in their analysis.

    The Lotus Wiper attack is the latest in a series of data-wiping cyberattacks linked to real-world conflicts between nations, with Venezuelan energy companies and utilities the latest targets. In 2012, Saudi Arabia’s state-owned oil-and-gas giant Saudi Aramco had 30,000 systems locked by the Shamoon data-wiping malware — an act attributed to Iran. The 2017 NotPetya attacks started in a Ukrainian provider of accounting software before spreading worldwide. Both Russia and Ukraine appear to have traded wiper-based cyberattacks following Russia’s original seizure of Crimea in 2014 and its ongoing invasion of Ukraine, which started in 2022.

    Earlier this year, researchers attributed a wiper attack against Poland’s power grid in late December to the Russian Sandworm group. That’s two different wiper attacks against critical infrastructure in the same month, says Collin Hogue-Spears, senior director of solution management at Black Duck, an application-security firm.

    “Different actors, different regions, same intent,” he says.

    A US Cyberattack?

    Kaspersky Lab did not attribute the Lotus Wiper attack to any actor nor identify the victim, and the company declined further comment on its research or the source of the attack.

    However, the timing of the Lotus Wiper attack matches a cyberattack on Petróleos de Venezuela SA (PDVSA), the state-run oil-and-gas firm that suffered disruption in December following an alleged ransomware attack on Dec. 13. The company blamed the US for the attack and claimed that its operations were not affected, but independent reporting detailed that the loading of petroleum onto tankers had stalled.


    “This act of aggression adds to the public strategy of the US government to seize Venezuelan oil by force and piracy,” the company stated in a Dec. 15 communique (translated via Anthropic’s Claude). “The working class of the hydrocarbon industry has faced attacks of this nature in the past. It was precisely their commitment, expertise, and loyalty that made it possible to detect and neutralize this new attack.”

    The company’s domain, pdvsa.com, was part of the payload of the files, designating it as the targeted organization, adds Black Duck’s Hogue-Spears.

    It’s unsurprising that wiper attacks have become a go-to cyber weapon for a variety of nation-state conflicts, because the destructive attacks are an easy way to turn initial access into physical consequences, says Jimmy Wylie, a distinguished malware analyst at Dragos, an industrial and OT cybersecurity firm.

    “The Venezuelan attack is a continuation of a larger trend of threat groups relying on cheap but effective techniques,” he says. “Wiper malware simply gets [the] job done with minimal development time.”


    On the other hand, the actors in the Lotus Wiper attack showed significant patience to map out their target’s infrastructure and networks, a problem for poorly funded security teams, such as those in critical infrastructure, says Jacob Krell, senior director of secure AI solutions at Suzu Labs, a cybersecurity services firm.

    “Many critical energy and utilities organizations remain ill-prepared for the capabilities of a well-resourced nation-state actor,” he says. “Lotus Wiper operators dwelled in the environment for months, staging binaries and preparing the terrain before executing the destructive phase. That dwell time reveals the gap.”

    Utility Security Starts With Segmentation

    While every company is different, critical infrastructure and industrial firms need to secure remote access, ensure they have visibility into anomalies on the network, and be ready to respond quickly in the case of an incident, says Dragos’s Wylie.

    “If the attacker is maliciously executing standard Windows utilities to wipe systems, it’s already too late to think about detection,” he says. “So, you’ve got to stop them earlier in the attack chain.”

    Critical infrastructure security needs to prioritize a few basic protections to prevent operational damage from cyberattacks. Segmenting the operational technology (OT) networks from enterprise IT systems prevents a breach from affecting industrial control systems (ICS) and OT networks, says Suzu Labs’ Krell. Finally, immutable backups stored beyond the reach of an attacker are critical, he says.

    “The world has entered the age of digital warfare, and these operations demonstrate that cyber effects can deliver strategic impact without traditional military escalation,” he says. “This means cyber resilience planning must incorporate the geopolitical angle as a core risk factor. Organizations can no longer treat cyber threats as purely technical and they must assess exposure to nation-state playbooks.”
