Highly destructive Lotus Wiper used in a targeted attack
Lotus Wiper is a highly targeted destructive malware campaign discovered targeting the energy and utilities sector in Venezuela during late 2025 and early 2026. The attack uses batch scripts to coordinate execution across networks, disable security services, lock out users, and prepare systems for data destruction. The malware wipes physical drives by overwriting with zeros, deletes restore points, clears USN journals, and recursively deletes files. It targets older Windows systems and leverages legitimate system tools such as diskpart, robocopy, and fsutil. Unlike ransomware, Lotus Wiper has no financial motive and is designed solely for data destruction. Evidence indicates attackers had long-term domain access before deployment, with the malware compiled months in advance. No known exploits in the wild or patches are documented.
AI Analysis
Technical Summary
Lotus Wiper is a destructive malware campaign targeting the energy and utilities sector in Venezuela, discovered in late 2025 and early 2026. It employs batch scripts that use domain shares as triggers to coordinate execution across networks. These scripts disable security services and lock out users to prepare the environment for the wiper payload. The malware systematically destroys data by zeroing physical drives, deleting system restore points, clearing USN journals, and recursively deleting files. It targets older Windows operating systems and uses legitimate Windows system tools such as diskpart, robocopy, and fsutil to carry out destructive actions. The campaign shows evidence of long-term domain access prior to the attack, with the malware compiled months before deployment. There are no ransom demands or financial motivations, indicating a purely destructive intent. No patches or official remediation guidance are available, and no known exploits in the wild have been reported.
Potential Impact
The impact of Lotus Wiper is severe data destruction affecting targeted systems in the energy and utilities sector in Venezuela. The malware wipes physical drives, deletes restore points, and removes system logs, resulting in loss of data and system recovery capabilities. This can cause significant operational disruption in critical infrastructure environments. There is no financial extortion component, so the impact is purely destructive. The targeting of older Windows systems and use of legitimate system tools complicates detection and response.
Mitigation Recommendations
No official patches or remediation guidance are currently available for Lotus Wiper. Since the malware targets older Windows systems and uses legitimate system tools, organizations should focus on proactive defense measures such as restricting use of administrative tools, monitoring for unusual batch script execution, and limiting domain share access. Incident response should prioritize containment and recovery planning given the destructive nature of the malware. Patch status is not yet confirmed — check vendor advisories and trusted threat intelligence sources for updates.
Indicators of Compromise
- hash: 0b83ce69d16f5ecd00f4642deb3c5895
- hash: b41d0cd22d5b3e3bdb795f81421a11cb
- hash: c6d0f67db6a7dbf1f9394d98c1e13670
Highly destructive Lotus Wiper used in a targeted attack
Description
Lotus Wiper is a highly targeted destructive malware campaign discovered targeting the energy and utilities sector in Venezuela during late 2025 and early 2026. The attack uses batch scripts to coordinate execution across networks, disable security services, lock out users, and prepare systems for data destruction. The malware wipes physical drives by overwriting with zeros, deletes restore points, clears USN journals, and recursively deletes files. It targets older Windows systems and leverages legitimate system tools such as diskpart, robocopy, and fsutil. Unlike ransomware, Lotus Wiper has no financial motive and is designed solely for data destruction. Evidence indicates attackers had long-term domain access before deployment, with the malware compiled months in advance. No known exploits in the wild or patches are documented.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Lotus Wiper is a destructive malware campaign targeting the energy and utilities sector in Venezuela, discovered in late 2025 and early 2026. It employs batch scripts that use domain shares as triggers to coordinate execution across networks. These scripts disable security services and lock out users to prepare the environment for the wiper payload. The malware systematically destroys data by zeroing physical drives, deleting system restore points, clearing USN journals, and recursively deleting files. It targets older Windows operating systems and uses legitimate Windows system tools such as diskpart, robocopy, and fsutil to carry out destructive actions. The campaign shows evidence of long-term domain access prior to the attack, with the malware compiled months before deployment. There are no ransom demands or financial motivations, indicating a purely destructive intent. No patches or official remediation guidance are available, and no known exploits in the wild have been reported.
Potential Impact
The impact of Lotus Wiper is severe data destruction affecting targeted systems in the energy and utilities sector in Venezuela. The malware wipes physical drives, deletes restore points, and removes system logs, resulting in loss of data and system recovery capabilities. This can cause significant operational disruption in critical infrastructure environments. There is no financial extortion component, so the impact is purely destructive. The targeting of older Windows systems and use of legitimate system tools complicates detection and response.
Mitigation Recommendations
No official patches or remediation guidance are currently available for Lotus Wiper. Since the malware targets older Windows systems and uses legitimate system tools, organizations should focus on proactive defense measures such as restricting use of administrative tools, monitoring for unusual batch script execution, and limiting domain share access. Incident response should prioritize containment and recovery planning given the destructive nature of the malware. Patch status is not yet confirmed — check vendor advisories and trusted threat intelligence sources for updates.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://securelist.com/tr/lotus-wiper/119472/"]
- Adversary
- null
- Pulse Id
- 69e76908461fbf60038d0105
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash0b83ce69d16f5ecd00f4642deb3c5895 | — | |
hashb41d0cd22d5b3e3bdb795f81421a11cb | — | |
hashc6d0f67db6a7dbf1f9394d98c1e13670 | — |
Threat ID: 69e794b519fe3cd2cdde14d4
Added to database: 4/21/2026, 3:16:05 PM
Last enriched: 4/21/2026, 3:31:13 PM
Last updated: 4/21/2026, 7:10:50 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.