Lotus Wiper Strikes Venezuelan Energy Sector in Destructive Campaign
Kaspersky discovered Lotus Wiper, a novel file wiper targeting Venezuela's energy and utilities sector since late 2025.

Executive Summary
Security researchers at Kaspersky have identified a previously undocumented data wiper, dubbed Lotus Wiper, deployed in destructive attacks against Venezuela's energy and utilities sector. The campaign, active since late 2025 and continuing into early 2026, uses two batch scripts to systematically delete files on compromised systems, according to findings published by the Russian cybersecurity firm. No recovery mechanism or data exfiltration capability has been observed, indicating a pure destruction mission.
Technical Analysis
Kaspersky's analysis reveals that Lotus Wiper relies on two distinct batch scripts to execute its wiping routine. The first script enumerates drives and targets specific file extensions for deletion, while the second script overwrites remaining data with zeros before triggering a system shutdown. The malware does not appear to use any obfuscation or encryption, suggesting the operators prioritized speed of destruction over stealth. Kaspersky noted that the wiper is delivered via an initial access vector that remains unconfirmed, but the targeting of energy infrastructure aligns with geopolitical tensions in the region. The researchers stated that the attacks occurred "at the end of last year and the start of 2026," with no attribution to a specific nation-state or criminal group as of publication.
Mitigations & Recommendations
Defenders in the energy and utilities sector, particularly in Latin America, should monitor for unusual batch script executions or mass file deletion events. Kaspersky recommends implementing application whitelisting to block unauthorized script interpreters, enabling detailed logging of process creation and file deletion operations, and maintaining offline backups of critical systems. Network segmentation between IT and operational technology (OT) environments can limit the wiper's spread if an initial compromise occurs. Organizations should also review remote access logs for signs of lateral movement.
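The monitoring advice above can be turned into a simple burst detector. This is an added example, not code from Kaspersky or from the article: it assumes file deletions are logged as Sysmon FileDelete events (IDs 23 and 26) attributed to cmd.exe, and the threshold, window, GUIDs and file paths are constructed values for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FILE_DELETE_IDS = {23, 26}        # Sysmon FileDelete / FileDeleteDetected
SCRIPT_HOSTS = {"cmd.exe"}        # interpreter that runs .bat/.cmd files
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

def detect_mass_deletion(events, threshold=50, window_s=60):
    """Flag script-host processes deleting >= threshold files within window_s seconds.
    threshold and window_s are assumed starting values; tune per environment."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ProcessGuid -> delete timestamps inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.strptime(e["UtcTime"], TIME_FMT)):
        if ev["EventID"] not in FILE_DELETE_IDS:
            continue
        if ev["Image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        ts = datetime.strptime(ev["UtcTime"], TIME_FMT)
        guid = ev["ProcessGuid"]
        q = recent[guid]
        q.append(ts)
        while ts - q[0] > window:     # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold and guid not in alerts:   # alert once per process
            alerts[guid] = {"ProcessGuid": guid, "Image": ev["Image"],
                            "first_seen": q[0], "count_in_window": len(q)}
    return list(alerts.values())

def sample_events():
    """Constructed events (not real telemetry): one burst and two benign patterns."""
    base = datetime(2026, 1, 10, 3, 0, 0)
    def ev(guid, image, offset_s, name):
        return {"EventID": 23, "ProcessGuid": guid, "Image": image,
                "UtcTime": (base + timedelta(seconds=offset_s)).strftime(TIME_FMT)[:-3],
                "TargetFilename": "C:\\Data\\" + name}
    cmd = "C:\\Windows\\System32\\cmd.exe"
    events = [ev("{guid-burst}", cmd, i * 0.5, f"doc_{i}.dat") for i in range(60)]
    events += [ev("{guid-slow}", cmd, i * 600, f"tmp_{i}.log") for i in range(6)]
    events += [ev("{guid-user}", "C:\\Windows\\explorer.exe", i, f"old_{i}.txt")
               for i in range(80)]
    return events

if __name__ == "__main__":
    for alert in detect_mass_deletion(sample_events()):
        print(alert)
```

On the constructed sample, only the cmd.exe process that deletes 60 files in 30 seconds is flagged; the slow cleanup script and the interactive deletions are not.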
