A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela.
The malware was uploaded to a publicly available platform in mid-December from a machine in Venezuela and has been analyzed by researchers at Kaspersky.
Before the cripling stage, the attacker relies on two batch scripts that prepare the system for the final payload by weakening defenses and obstructing normal operations.
According to the researchers, the Lotus data-wiping malware is designed to completely destroy compromised systems by overwriting physical drives and eliminating recovery options.
“The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state,” Kaspersky says in a report today.
Given the timing, the observed activity aligns with geopolitical tensions in the region, which culminated this year on January 3 with the capture of Venezuela’s then-president, Nicolás Maduro.
Around mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) suffered a cyberattack that disabled its delivery systems. The organization blamed the United States for the incident.
It should be noted that there is no public evidence indicating that PDVSA’s systems were wiped in the attack or details about the nature of the attack.
Preliminary activity
Kaspersky’s report notes that the attacks begin with the execution of a batch script (OhSyncNow.bat) that disables the Windows ‘UI0Detect’ service, and performs an XML file check to coordinate execution across domain-joined systems.
A second-stage script (notesreg.bat) is executed when certain conditions are met. It enumerates users, disables accounts via password changes, logs off active sessions, disables all network interfaces, and deactivates cached logins.
The malicious code then enumerates drives and runs ‘diskpart clean all’ to overwrite them with zeros. It also uses ‘robocopy’ to overwrite directory contents, Kaspersky found.
In the next phase, it calculates the free space and uses ‘fsutil’ to create a file that fills the disk, making it harder to restore the wiped data.
After preparing the environment for data destruction and performing some wiping actions itself, the batch script decrypts and executes the Lotus wiper as the final payload.
Lotus wiper deployment
The Lotus wiper operates at a lower level, interacting with disks via IOCTL calls, retrieving the disk geometry, clearing USN journal entries, wiping restore points, and overwriting physical sectors, not just logical volumes.
The malware performs multiple actions, summarized as follows:
- Enables all privileges in its token to gain administrative-level access.
- Deletes all Windows restore points using the Windows System Restore API.
- Wipes physical drives by retrieving disk geometry and overwriting all sectors with zeroes.
- Clears the USN journal to remove traces of file system activity.
- Deletes files by zeroing their contents, renaming them randomly, and removing them (or scheduling deletion on reboot if locked).
- Repeats cycles of drive wiping and restore point deletion multiple times.
- Updates disk properties using IOCTL_DISK_UPDATE_PROPERTIES after the final wipe.
Kaspersky suggests that system administrators should monitor for NETLOGON share changes, UI0Detect manipulation, mass account changes, and disabling of network interfaces, which are all precursor activities.
They say that unexpected usage of ‘diskpart,’ ‘robocopy,’ and ‘fsutil’ is also a red flag.
A general recommendation against wipers and ransomware is to maintain regular offline backups whose restorability is frequently validated.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
