AN analysis of software artefacts from a malicious cyberattack targeting Venezuela’s energy and utilities sector late last year found that the Lotus Wiper operation made significant use of living-off-the-land techniques, had no ransomware component, and aggressively identified and deleted critical data.
The software, found on a publicly available resource and uploaded in December 2025, used two batch scripts to coordinate the attack across the target network, undermine system defences, and hinder incident response before executing a previously unknown wiper program, dubbed Lotus Wiper, according to Kaspersky Lab. The samples were originally compiled in late September 2025, and the researchers have not found additional samples as part of other attacks.
Lotus Wiper is described as effective at destroying system data and disrupting operations, with the wiper removing recovery mechanisms and overwriting drive content across affected volumes. The timing of the Lotus Wiper attack aligns with a December cyberattack on Petróleos de Venezuela SA (PDVSA), which the company blamed on the US but where independent reporting suggested disruptions to tanker loading.