Threats Tagged 'venezuela'

A highly targeted destructive wiper campaign dubbed 'Lotus Wiper' was discovered targeting the energy and utilities sector in Venezuela during late 2025 and early 2026. The attack begins with batch scripts coordinating execution across networks using domain shares as trigger mechanisms. These scripts disable security services, lock out users, and prepare the environment for the final payload. The Lotus Wiper systematically destroys data by wiping physical drives with zeros, deleting restore points, clearing USN journals, and recursively deleting files. Unlike ransomware, this wiper has no financial motivation or ransom demands, designed purely for data destruction. Evidence suggests attackers maintained long-term domain access prior to the attack, with the wiper compiled months before deployment. The malware targets older Windows systems and uses legitimate system tools like diskpart, robocopy, and fsutil.

A targeted malware campaign against U.S. government entities has been observed, utilizing a politically themed ZIP archive containing a loader executable and a malicious DLL. The DLL functions as a backdoor named LOTUSLITE, communicating with a hard-coded command-and-control server. The campaign demonstrates minimal technical sophistication but shows deliberate victim selection and use of geopolitical lures. Attribution analysis suggests moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader-DLL separation, and infrastructure usage. The backdoor supports basic remote tasking and data exfiltration, indicating an espionage-focused capability. This activity reflects a trend of targeted spear phishing using geopolitical themes and reliable execution techniques like DLL sideloading.

MediumMalwareUnited KingdomGermanyFrance+5#dll sideloading#u.s. government#lotuslite