Venezuela’s energy sector was hit by a highly destructive attack using Lotus Wiper; Kaspersky researchers found the strain targeting the country’s energy and utilities sector in 2025–2026. The operation began with batch scripts that weakened systems, disabled protections, and prepared the environment before the final wiper was deployed, which overwrote disks and deleted files to render affected systems unusable.
The attack chain centres on a batch file named OhSyncNow[.]bat, which checks folders and network shares and triggers a hidden XML file to decide whether to proceed. A second script then prepares the system for destruction. Lotus Wiper disables user accounts, forces logoffs, blocks cached logins, shuts down network interfaces, and uses the diskpart command "clean all" to overwrite volumes, while mirroring across directories and filling free space with large files to hamper recovery.
The wiper finally decrypts a hidden payload and, with elevated privileges, erases data across drives, clears system logs and update journals, and removes Windows restore points to impede recovery. According to Kaspersky, the campaign appears targeted and designed to permanently disrupt critical infrastructure rather than to seek ransom.
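Because the chain described above runs several preparatory steps before the wipe, a defender can alert on a host that shows a number of them within a short window. The following is an added example, not code from Kaspersky or the original report; the log format, host names, sample records and every utility pattern other than the OhSyncNow.bat name and diskpart are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> command-line pattern. Only the batch file name and diskpart come
# from the article; the other utilities are assumed stand-ins for the
# behaviours it describes.
STAGES = {
    "stager": re.compile(r"ohsyncnow\.bat", re.I),
    "account_disable": re.compile(r"\bnet1?(\.exe)?\s+user\b.*?/active:no", re.I),
    "netif_disable": re.compile(r"\bnetsh\b.*\binterface\b.*admin=disabled?", re.I),
    "disk_wipe": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
    "log_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "restore_delete": re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I),
}

def parse(line):
    """Split 'ISO-timestamp<TAB>host<TAB>command line' into typed fields."""
    ts, host, cmd = line.split("\t", 2)
    return datetime.fromisoformat(ts), host, cmd

def correlate(lines, window=timedelta(minutes=30), min_stages=3):
    """Return {host: sorted stage names} for hosts showing at least
    min_stages distinct stages inside one sliding time window."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, cmd = parse(line)
        for stage, rx in STAGES.items():
            if rx.search(cmd):
                hits[host].append((ts, stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - start <= window}
            if len(seen) >= min_stages and len(seen) > len(alerts.get(host, ())):
                alerts[host] = sorted(seen)
    return alerts

# Constructed process-creation records (not taken from the campaign).
SAMPLE = [
    "2026-01-10T02:00:00\tHMI-01\tcmd.exe /c C:\\Temp\\OhSyncNow.bat",
    "2026-01-10T02:03:10\tHMI-01\tnet user operator /active:no",
    "2026-01-10T02:04:00\tHMI-01\tnetsh interface set interface \"Ethernet\" admin=disabled",
    "2026-01-10T02:05:30\tHMI-01\tdiskpart /s C:\\Temp\\d.txt",
    "2026-01-10T09:00:00\tADMIN-07\tdiskpart",
    "2026-01-10T15:00:00\tADMIN-07\twevtutil cl Application",
]
```

Requiring several distinct stages keeps routine administration, such as the two isolated commands on ADMIN-07, from alerting on its own.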