In late 2025 and early 2026, amid rising geopolitical tensions in the Caribbean region, cybersecurity researchers uncovered a highly targeted and destructive malware campaign aimed at Venezuela’s energy and utilities sector. What makes this campaign particularly notable is not just its sophistication, but its intent: pure destruction. Unlike financially motivated cyberattacks, this operation deployed a previously unknown wiper malware—dubbed Lotus Wiper—designed to irreversibly erase data and cripple systems.
Understanding the Nature of the Threat
At first glance, the attack might resemble ransomware due to its large-scale system impact. However, deeper analysis revealed no ransom notes, payment instructions, or monetization strategies. Instead, the malware was engineered solely to destroy. This distinction is critical—while ransomware allows for potential recovery through decryption (however unlikely), a wiper ensures complete and permanent data loss.
The artifacts associated with the attack were publicly uploaded in mid-December 2025, providing researchers with a rare opportunity to reconstruct the entire attack chain—from initial execution to final payload delivery.

Stage 1: Initial Execution via Batch Scripts
The attack begins with a batch script named OhSyncNow.bat, which acts as the orchestrator. Its responsibilities include:
- Identifying or creating a working directory (e.g., C:\lotus)
- Disabling system services like UI0Detect to suppress alerts
- Checking for a network-based trigger file (OHSync.xml) via the NETLOGON share
This trigger mechanism is particularly clever. By placing a specific XML file on a domain controller, attackers can synchronize execution across multiple machines—essentially turning the network itself into a command-and-control system.
If the trigger conditions are met, a second script—notesreg.bat—is executed.
Stage 2: System Disruption and Preparation
The second batch script escalates the attack by weakening system defenses and disrupting operations:
- User Account Manipulation: Local user accounts are disabled and passwords randomized
- Access Restrictions: Cached logins are disabled via registry edits
- Session Termination: Active user sessions are forcibly logged off
- Network Isolation: All network interfaces are disabled using netsh
These actions effectively lock out administrators and isolate the system, preventing intervention.
Stage 3: Destructive Operations
Once the system is isolated, the script initiates destructive actions:
- Disk Wiping: Uses diskpart clean all to overwrite entire volumes with zeros
- Data Overwrite: Employs robocopy to mirror and delete directory contents
- Disk Exhaustion: Creates massive files using fsutil to consume all available space
Finally, it executes a disguised binary (nstats.exe) that decrypts and launches the actual wiper payload—Lotus Wiper.
Final Stage: Lotus Wiper Execution
Lotus Wiper is the core destructive component. Its capabilities include:
- Privilege Escalation: Enables all available privileges for full system access
- Restore Point Deletion: Removes all system restore points using Windows APIs
- Physical Disk Overwrite: Writes zeros across all sectors of physical drives
- File System Destruction: Deletes files, clears USN journals, and renames files to obscure recovery
The malware performs multiple passes of wiping—before, during, and after file deletion—ensuring no trace of data remains.
Detection and Mitigation Strategies
Given the severity of this threat, organizations must adopt proactive defense measures:
- Monitor Domain Shares: especially NETLOGON, for unauthorized file changes
- Audit Privileges: Track escalation attempts and token misuse
- Detect Living-off-the-Land Tools: Watch for abnormal use of utilities like diskpart, robocopy, and fsutil
- Backup Readiness: Ensure backups are isolated, tested, and quickly restorable
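As an added illustration of the living-off-the-land detection point (example code written for this article, not tooling from the original researchers), the following Python scores constructed process-creation events per host so that the clustered diskpart, fsutil and netsh activity of Stages 2 and 3 stands out while a lone backup job using robocopy does not. The event samples, rule patterns, host names and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the fields
# used here). These are invented for the example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "image": r"C:\Windows\System32\diskpart.exe",
     "cmdline": r"diskpart /s C:\lotus\wipe.txt"},
    {"host": "hmi-01", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": r"fsutil file createnew C:\lotus\fill.bin 9000000000"},
    {"host": "hmi-01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh interface set interface "Ethernet" admin=disabled'},
    {"host": "eng-07", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy \\nas\share D:\backup /MIR /R:1"},
    {"host": "eng-07", "image": r"C:\Windows\System32\diskpart.exe",
     "cmdline": "diskpart"},
]

# Rules keyed on the utilities abused in Stages 2 and 3. Each entry is
# (image name, command-line regex, weight, description). The patterns are assumptions
# derived from the behaviour described above, not signatures taken from the sample.
RULES = [
    ("diskpart.exe", r"clean\s+all|/s\s+\S+", 5, "diskpart 'clean all' or scripted run"),
    ("fsutil.exe", r"file\s+createnew\s+\S+\s+\d{9,}", 4, "fsutil creating a multi-GB file"),
    ("robocopy.exe", r"/mir|/purge", 3, "robocopy mirror/purge"),
    ("netsh.exe", r"interface\s+set\s+interface\s+.*admin=disable", 4, "interface disabled"),
    ("sc.exe", r"(stop|config)\s+ui0detect", 2, "UI0Detect service tampering"),
    ("net.exe", r"user\s+\S+\s+/active:no", 3, "local account disabled"),
]

def score_event(event):
    """Return (weight, description) for the first matching rule, or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    for name, pattern, weight, desc in RULES:
        if image == name and re.search(pattern, event["cmdline"], re.IGNORECASE):
            return weight, desc
    return None

def triage(events, threshold=8):
    """Sum rule weights per host; return hosts at or above threshold with their reasons.
    Scoring per host keeps a single legitimate robocopy /MIR below the bar."""
    hits = defaultdict(list)
    for ev in events:
        match = score_event(ev)
        if match:
            hits[ev["host"]].append(match)
    return {host: (sum(w for w, _ in h), [d for _, d in h])
            for host, h in hits.items() if sum(w for w, _ in h) >= threshold}
```

Because diskpart takes its clean command from a script file in scripted runs, the /s rule only tells you a script was used; the referenced file should be collected and inspected as a follow-up.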
Conclusion
Lotus Wiper represents a new class of cyber threats—precision-targeted, non-financial, and devastatingly effective. Its design suggests prior access, deep knowledge of the target environment, and months of preparation. The use of legacy system features also indicates intentional targeting of older infrastructure.
This campaign underscores a critical shift in cyber warfare: from profit-driven attacks to strategic destruction.
Our Perspective on the Lotus Wiper Campaign
The emergence of Lotus Wiper signals a troubling evolution in cyber threat landscapes—where intent is no longer driven by profit, but by disruption and geopolitical strategy. This campaign appears less like a typical cybercrime operation and more like a coordinated act of cyber sabotage. The level of planning, the use of domain-based triggers, and the targeting of critical infrastructure all point toward a highly skilled and possibly state-aligned threat actor.
What stands out most is the deliberate focus on legacy systems. By exploiting outdated Windows features like UI0Detect, the attackers demonstrated not only technical precision but also intelligence about the victim’s infrastructure. This raises serious concerns about how many organizations still rely on outdated systems in critical sectors.
From a defensive standpoint, this case reinforces the importance of visibility and control within internal networks. Traditional perimeter defenses are no longer sufficient. Organizations must assume breach and focus on lateral movement detection, privilege monitoring, and rapid containment.
Moreover, the use of legitimate system tools for destructive purposes—commonly known as “living off the land”—makes detection even more challenging. This calls for behavioral analytics and anomaly detection rather than signature-based approaches.
In our view, Lotus Wiper is not just a malware sample—it’s a warning. A warning that cyber warfare is becoming more covert, more targeted, and more destructive. Organizations, especially those in critical infrastructure, must elevate their cybersecurity posture accordingly or risk facing irreversible consequences.
