Kaspersky warns that a new wiper, Lotus Wiper, was used in targeted attacks against the energy and utilities sector in Venezuela. The campaign relied on two batch scripts to disable defenses, trigger execution over the network, and deploy a wiper that overwrites drives and removes recovery mechanisms; the absence of any extortion demand suggests sabotage rather than financially motivated crime. #LotusWiper #Venezuela
Key points
- The campaign targeted an energy and utilities organization in Venezuela.
- Attackers used two batch scripts that stop the UI0Detect service and rely on a NETLOGON-hosted XML file as a network trigger.
- The second script changes user passwords, disables cached logins and network interfaces, enumerates drives, and stages the wiper payload.
- Lotus Wiper deletes restore points, zeroes out physical drives, clears volume USN journals, and systematically deletes files to render systems unrecoverable.
- No ransom demands were observed; artifacts point to compilation in September 2025 and a mid-December public upload, indicating a targeted sabotage operation amid regional tensions.
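As an added example (not Kaspersky's analysis or code, and not the scripts described above), the following Python sketch shows how a defender could surface the chain of behaviours listed in the key points from process-creation telemetry: stopping UI0Detect, reading an XML file from a NETLOGON share, disabling cached logons, disabling network interfaces, deleting restore points and deleting the USN journal. The pipe-delimited log format, the rule weights and the command-line syntax being matched are all assumptions; the summary does not quote the attackers' commands, so the patterns target the native Windows tools that perform each action. The sample log lines are constructed.

```python
"""Score hosts for Lotus-Wiper-style staging behaviour in process-creation logs.

Constructed detection example. Log format: 'timestamp|host|user|command line'.
The command-line patterns are assumptions about the native Windows tools that
perform each action named in the summary; they are not quoted from the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int  # contribution to the per-host score; destructive steps weigh more


RULES = (
    Rule("stop_ui0detect",
         re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+ui0detect\b", re.I), 2),
    Rule("netlogon_xml_read",
         re.compile(r"\\\\[^\\\s]+\\netlogon\\\S+\.xml\b", re.I), 1),
    Rule("cached_logon_disable",
         re.compile(r"\bcachedlogonscount\b.*\b0\b", re.I), 2),
    Rule("net_interface_disable",
         re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+set\s+interface\b.*\badmin=disable", re.I), 2),
    Rule("restore_point_delete",
         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), 3),
    Rule("usn_journal_delete",
         re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I), 3),
)

# A single destructive command (e.g. a backup admin pruning shadow copies) is
# routine; escalate only when several distinct steps of the chain land on one host.
ESCALATE_AT = 5


def parse_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, host, user, cmd = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Return every rule whose pattern appears in the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def scan(lines):
    """Return (alerts, escalated_hosts).

    alerts: list of (timestamp, host, rule_name) for every matching event.
    escalated_hosts: hosts whose distinct-rule weights sum to ESCALATE_AT or more.
    """
    alerts = []
    scores = defaultdict(int)
    seen = defaultdict(set)  # each rule counts once per host, so repeats do not inflate the score
    for line in lines:
        ev = parse_line(line)
        for rule in match_rules(ev["cmd"]):
            alerts.append((ev["ts"], ev["host"], rule.name))
            if rule.name not in seen[ev["host"]]:
                seen[ev["host"]].add(rule.name)
                scores[ev["host"]] += rule.weight
    escalated = sorted(h for h, s in scores.items() if s >= ESCALATE_AT)
    return alerts, escalated


# Constructed sample telemetry: one host walking the whole chain, one benign
# workstation, and one file server with a single legitimate shadow-copy cleanup.
SAMPLE_LOG = [
    "2025-12-15T02:11:03Z|SCADA-WS01|corp\\svc_deploy|cmd.exe /c sc stop UI0Detect",
    "2025-12-15T02:11:05Z|SCADA-WS01|corp\\svc_deploy|cmd.exe /c type \\\\DC01\\NETLOGON\\trigger.xml",
    "2025-12-15T02:11:07Z|SCADA-WS01|corp\\svc_deploy|reg.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v CachedLogonsCount /t REG_SZ /d 0 /f",
    "2025-12-15T02:11:08Z|SCADA-WS01|corp\\svc_deploy|netsh.exe interface set interface \"Ethernet\" admin=disable",
    "2025-12-15T02:11:09Z|SCADA-WS01|corp\\svc_deploy|vssadmin.exe delete shadows /all",
    "2025-12-15T02:11:12Z|SCADA-WS01|corp\\svc_deploy|fsutil.exe usn deletejournal /D C:",
    "2025-12-15T02:15:40Z|HR-WS07|corp\\jdoe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2025-12-15T02:16:02Z|FS02|corp\\backupadm|vssadmin.exe delete shadows /for=D: /oldest",
]

if __name__ == "__main__":
    found, hosts = scan(SAMPLE_LOG)
    for ts, host, name in found:
        print(f"{ts} {host:<11} {name}")
    print("escalate:", hosts)
```

Run over the sample, only SCADA-WS01 crosses the escalation threshold; FS02 produces a single restore_point_delete alert that stays below it, which is the behaviour you want when backup administrators legitimately prune shadow copies. In production the same logic would sit on Sysmon Event ID 1 or Security 4688 command lines, with the weights tuned to the environment and the NETLOGON rule cross-checked against file-share audit events.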