A threat actor has used a new wiper malware in recent attacks against the energy and utilities sector, cybersecurity company Kaspersky warns.
The attack targeted an organization in Venezuela and relied on two batch scripts to weaken defenses and disrupt operations before retrieving the final payload, the Lotus Wiper.
Likely compiled in September 2025, the wiper and associated artifacts were uploaded in mid-December to a public platform.
“The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state,” Kaspersky explains.
The lack of payment instructions or an extortion method, and the malware’s upload during a period of increased malware activity targeting the energy and utility sector in Venezuela, suggest that Lotus Wiper is extremely targeted, the cybersecurity firm says.
The cybersecurity firm has not shared any information on attribution, but cited the “geopolitical tensions that occurred in the Caribbean region in late 2025 and early 2026”.
It’s worth noting that, according to some reports, the United States’s extraction of Venezuelan President Nicolas Maduro in early January 2026 involved cyberattacks to trigger power outages and disable air defense radars.
Lotus Wiper’s execution chain starts with a batch script that attempts to stop the legacy Windows service Interactive Services Detection (UI0Detect) to prevent visible warnings that a malicious activity occurs in the background.
The malicious script appears built to run on older Windows versions that still run UI0Detect, as the service was officially removed from the OS in Windows 10 version 1803.
Additionally, the script checks for a file on a NETLOGON share, coding the victim organization’s name in a variable to build the file path. If this file and a corresponding local file exist, it executes a second batch script. It exits if the remote file does not exist, but continues with the next stage even if the local file is missing.
“This logic functions as a network-based trigger, where the presence of the remote XML file acts as a control signal to initiate execution across systems in the domain. This approach is consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior,” Kaspersky explains.
The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.
It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.
It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.
The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.
Related: ZionSiphon Malware Targets ICS in Water Facilities
Related: Anubis Ransomware Packs a Wiper to Permanently Delete Files
Related: ESET Distributor’s Systems Abused to Deliver Wiper Malware
Related: New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
