A threat actor has used new wiper malware in recent attacks against the energy and utilities sector, according to Kaspersky. The attack targeted an organisation in Venezuela and relied on two batch scripts to weaken defenses and disrupt operations before retrieving the final payload, Lotus Wiper. The wiper was likely compiled in September 2025, and it was uploaded together with its associated artifacts to a public platform in mid-December.
The wiper overwrites the content of physical drives, deletes files across affected volumes, and leaves the system in an unrecoverable state, Kaspersky explains. The firm notes the lack of payment instructions or an extortion method, and cites geopolitical tensions in the Caribbean during late 2025 and early 2026 as context for the targeted activity.
Kaspersky also highlights that the attack appears highly targeted, and that Lotus Wiper’s execution chain includes stopping a legacy Windows service and using a remote XML file as a control signal to trigger execution across domain systems. The attacker likely had prior access, the firm says, as the binary was staged before the attack.