Cybersecurity researchers have identified Lotus Wiper, a previously undocumented data wiper used in destructive attacks against Venezuela’s energy and utilities sector at the end of last year and into 2026, according to Kaspersky. The campaign relies on two batch scripts that initiate the destructive phase, prepare the environment, disable defenses, and then retrieve, deobfuscate, and execute the wiper payload, which erases recovery mechanisms, overwrites drives, and deletes files across volumes.
The wiper campaign contains no extortion or payment instructions, suggesting the activity is not financially motivated. The sample was uploaded to a public platform in mid-December 2025 from a machine in Venezuela, weeks before the United States’ early January 2026 military action in Venezuela.
The attack chain begins with a batch script that drops the wiper and disables UI0Detect on older Windows versions, checks for a NETLOGON share, and proceeds to a second batch script that enumerates local accounts, disables cached logons, and wipes identified drives using diskpart and related tools. According to Kaspersky, the attackers likely had domain access and environment knowledge long before the attack, with the wiper designed to impact specific targets rather than broad distribution.
According to Kaspersky, the wiper also leaves systems in an inoperable state by deleting restore points and erasing system files on mounted volumes.
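For defenders, the batch-script stage described above is the detectable part of the chain: several preparatory actions occur on one host in quick succession before the wiper runs. The following is an added example, not code from Kaspersky's report, that correlates those behaviours in process-creation logs. The log format, host names, command lines, regex patterns, time window and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for behaviours the article attributes to the batch scripts.
# The patterns are this example's assumptions, not indicators from the report.
RULES = {
    "ui0detect_tamper": re.compile(r'\b(sc|net)(\.exe)?\s+(stop|config)\s+"?ui0detect', re.I),
    "local_account_enum": re.compile(r"\bnet1?(\.exe)?\s+user\s*$", re.I),
    "cached_logons_changed": re.compile(r"cachedlogonscount", re.I),
    "diskpart_run": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=10)   # assumed correlation window
THRESHOLD = 3                    # distinct behaviours needed to alert

# Constructed process-creation records: timestamp, host, parent image, command line.
SAMPLE_LOG = [
    "2030-01-01T02:00:05\tHOST-A\tcmd.exe\tsc config UI0Detect start= disabled",
    "2030-01-01T02:01:10\tHOST-A\tcmd.exe\tnet user",
    "2030-01-01T02:02:30\tHOST-A\tcmd.exe\treg add HKLM\\...\\Winlogon /v CachedLogonsCount /d 0 /f",
    "2030-01-01T02:03:00\tHOST-A\tcmd.exe\tdiskpart /s placeholder.txt",
    "2030-01-01T09:15:00\tHOST-B\tpowershell.exe\tdiskpart",   # interactive admin use
    "2030-01-01T10:00:00\tHOST-C\tcmd.exe\tdiskpart",          # same behaviours,
    "2030-01-01T15:00:00\tHOST-C\tcmd.exe\tnet user",          # but hours apart
    "2030-01-01T20:00:00\tHOST-C\tcmd.exe\tsc stop UI0Detect",
]

def detect(lines):
    """Return {host: behaviours} for hosts showing THRESHOLD behaviours within WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, parent, cmd = line.split("\t", 3)
        if not parent.lower().endswith("cmd.exe"):   # batch scripts run under cmd.exe
            continue
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {name for ts, name in events[i:] if ts - start <= WINDOW}
            if len(seen) >= THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, behaviours in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```

Each behaviour on its own is routine administration, so the rule alerts only on the combination; tune the window and threshold against your own baseline before relying on it.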