Highly destructive Lotus Wiper used in a targeted attack
A highly targeted destructive wiper campaign dubbed 'Lotus Wiper' was discovered targeting the energy and utilities sector in Venezuela during late 2025 and early 2026. The attack begins with batch scripts coordinating execution across networks using domain shares as trigger mechanisms. These scripts disable security services, lock out users, and prepare the environment for the final payload. The Lotus Wiper systematically destroys data by wiping physical drives with zeros, deleting restore points, clearing USN journals, and recursively deleting files. Unlike ransomware, this wiper has no financial motivation or ransom demands, designed purely for data destruction. Evidence suggests attackers maintained long-term domain access prior to the attack, with the wiper compiled months before deployment. The malware targets older Windows systems and uses legitimate system tools like diskpart, robocopy, and fsutil.
AI Analysis
Technical Summary
Lotus Wiper is a destructive malware campaign targeting the energy and utilities sector in Venezuela, discovered in late 2025 and early 2026. It employs batch scripts that use domain shares as triggers to coordinate execution across networks. These scripts disable security services and lock out users to prepare the environment for the wiper payload. The malware systematically destroys data by zeroing physical drives, deleting system restore points, clearing USN journals, and recursively deleting files. It targets older Windows operating systems and uses legitimate Windows system tools such as diskpart, robocopy, and fsutil to carry out destructive actions. The campaign shows evidence of long-term domain access prior to the attack, with the malware compiled months before deployment. There are no ransom demands or financial motivations, indicating a purely destructive intent. No patches or official remediation guidance are available, and no known exploits in the wild have been reported.
Potential Impact
The impact of Lotus Wiper is severe data destruction affecting targeted systems in the energy and utilities sector in Venezuela. The malware wipes physical drives, deletes restore points, and removes system logs, resulting in loss of data and system recovery capabilities. This can cause significant operational disruption in critical infrastructure environments. There is no financial extortion component, so the impact is purely destructive. The targeting of older Windows systems and use of legitimate system tools complicates detection and response.
Mitigation Recommendations
No official patches or remediation guidance are currently available for Lotus Wiper. Since the malware targets older Windows systems and uses legitimate system tools, organizations should focus on proactive defense measures such as restricting use of administrative tools, monitoring for unusual batch script execution, and limiting domain share access. Incident response should prioritize containment and recovery planning given the destructive nature of the malware. Patch status is not yet confirmed — check vendor advisories and trusted threat intelligence sources for updates.
Indicators of Compromise
- hash: 0b83ce69d16f5ecd00f4642deb3c5895
- hash: b41d0cd22d5b3e3bdb795f81421a11cb
- hash: c6d0f67db6a7dbf1f9394d98c1e13670
Highly destructive Lotus Wiper used in a targeted attack
Description
A highly targeted destructive wiper campaign dubbed 'Lotus Wiper' was discovered targeting the energy and utilities sector in Venezuela during late 2025 and early 2026. The attack begins with batch scripts coordinating execution across networks using domain shares as trigger mechanisms. These scripts disable security services, lock out users, and prepare the environment for the final payload. The Lotus Wiper systematically destroys data by wiping physical drives with zeros, deleting restore points, clearing USN journals, and recursively deleting files. Unlike ransomware, this wiper has no financial motivation or ransom demands, designed purely for data destruction. Evidence suggests attackers maintained long-term domain access prior to the attack, with the wiper compiled months before deployment. The malware targets older Windows systems and uses legitimate system tools like diskpart, robocopy, and fsutil.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Lotus Wiper is a destructive malware campaign targeting the energy and utilities sector in Venezuela, discovered in late 2025 and early 2026. It employs batch scripts that use domain shares as triggers to coordinate execution across networks. These scripts disable security services and lock out users to prepare the environment for the wiper payload. The malware systematically destroys data by zeroing physical drives, deleting system restore points, clearing USN journals, and recursively deleting files. It targets older Windows operating systems and uses legitimate Windows system tools such as diskpart, robocopy, and fsutil to carry out destructive actions. The campaign shows evidence of long-term domain access prior to the attack, with the malware compiled months before deployment. There are no ransom demands or financial motivations, indicating a purely destructive intent. No patches or official remediation guidance are available, and no known exploits in the wild have been reported.
Potential Impact
The impact of Lotus Wiper is severe data destruction affecting targeted systems in the energy and utilities sector in Venezuela. The malware wipes physical drives, deletes restore points, and removes system logs, resulting in loss of data and system recovery capabilities. This can cause significant operational disruption in critical infrastructure environments. There is no financial extortion component, so the impact is purely destructive. The targeting of older Windows systems and use of legitimate system tools complicates detection and response.
Mitigation Recommendations
No official patches or remediation guidance are currently available for Lotus Wiper. Since the malware targets older Windows systems and uses legitimate system tools, organizations should focus on proactive defense measures such as restricting use of administrative tools, monitoring for unusual batch script execution, and limiting domain share access. Incident response should prioritize containment and recovery planning given the destructive nature of the malware. Patch status is not yet confirmed — check vendor advisories and trusted threat intelligence sources for updates.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://securelist.com/tr/lotus-wiper/119472/"]
- Adversary
- null
- Pulse Id
- 69e76908461fbf60038d0105
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash0b83ce69d16f5ecd00f4642deb3c5895 | — | |
hashb41d0cd22d5b3e3bdb795f81421a11cb | — | |
hashc6d0f67db6a7dbf1f9394d98c1e13670 | — |
Threat ID: 69e794b519fe3cd2cdde14d4
Added to database: 4/21/2026, 3:16:05 PM
Last enriched: 4/21/2026, 3:31:13 PM
Last updated: 6/5/2026, 3:04:57 PM
Views: 235
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.