Lotus Wiper Targets Venezuelan Energy Sector Amid Geopolitical Tensions

Severity: High (Score: 75.0)

Sources: Securelist, Bleepingcomputer, www.kaspersky.com

Summary

In late 2025 and early 2026, a new data-wiping malware known as 'Lotus Wiper' was used in targeted attacks against energy and utilities organizations in Venezuela. The malware was uploaded to a publicly available platform in mid-December 2025 and is associated with a destructive campaign that aims to erase all data on compromised systems. The attack begins with two batch scripts that disable system defenses and prepare the environment for the wiper payload. The Lotus Wiper overwrites physical drives and deletes files, leaving systems in an unrecoverable state. This incident aligns with heightened geopolitical tensions in the Caribbean, particularly following the capture of Venezuela's president in January 2026. Although the state-owned oil company PDVSA suffered a cyberattack around the same time, there is no public evidence that their systems were wiped. Kaspersky researchers recommend monitoring for specific precursors to the attack, such as changes to NETLOGON and unexpected usage of certain commands. The attack is characterized as highly targeted with no financial motivation.

Key Points:

  • Lotus Wiper malware targets Venezuelan energy and utilities organizations.
  • The malware was uploaded in December 2025 and executes a destructive payload.
  • No financial motivation is identified; the attack aligns with geopolitical tensions.

Key Entities

  • Malware (attack_type)
  • United States (country)
  • Venezuela (country)
  • kaspersky.com (domain)
  • Energy (industry)
  • Utilities (industry)
  • HermeticWiper (malware)
  • Lotus (malware)
  • Lotus Wiper (malware)
  • NotPetya (malware)
  • 0b83ce69d16f5ecd00f4642deb3c5895 (md5)
  • b41d0cd22d5b3e3bdb795f81421a11cb (md5)
  • c6d0f67db6a7dbf1f9394d98c1e13670 (md5)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1087 - Account Discovery (mitre_attack)
  • T1485 - Data Destruction (mitre_attack)
  • T1490 - Inhibit System Recovery (mitre_attack)
  • T1543.003 - Windows Service (mitre_attack)
  • Active Directory (platform)
  • HCL Domino (platform)
  • Lotus Domino (platform)
  • Windows (platform)
  • Diskpart (tool)
  • Fsutil (tool)
  • Ndesign.exe (tool)
  • Nevent.exe (tool)
  • Notesreg.bat (tool)