Lotus Wiper: New Destructive Malware Targets Venezuelan Energy Sector in Geopolitically Motivated Attack

dark6 23 April 2026

A newly discovered malware family dubbed Lotus Wiper has been used in a targeted, destructive cyber-attack against the energy and utilities sector in Venezuela. Unlike ransomware, this threat does not ask for payment or lock files to extort victims — it simply destroys them. Lotus Wiper irreversibly overwrites drives, deletes files, and leaves systems in a state from which recovery is effectively impossible.

A Geopolitically Motivated Operation

The attack surfaced against a backdrop of rising geopolitical tensions in the Caribbean region in late 2025 and early 2026. Artifacts tied to the incident were uploaded to a public malware repository from a machine in Venezuela in mid-December 2025. The binaries themselves were compiled in late September 2025, indicating that the operators had been preparing the operation quietly for several months before pulling the trigger.

Researchers from Kaspersky’s Securelist team, who identified and classified the artifacts during routine threat hunting, noted internal markers within the sample pointing to a specific energy and utilities organization as the intended victim. The complete absence of any extortion messaging or payment instructions in the code confirmed this was a purely destructive operation with no financial component.

Parallels to NotPetya and HermeticWiper

Lotus Wiper joins a small but notorious category of cyber weapons designed to cripple critical infrastructure. The 2017 NotPetya outbreak and the 2022 HermeticWiper campaign against Ukrainian targets both showed how wiper malware can cause billions of dollars in damage and disrupt essential services. Lotus Wiper is being characterized by analysts as a regional, politically driven continuation of that trend.

Masquerading as HCL Domino

The malware masquerades as legitimate HCL Domino application components, using filenames such as nstats.exe, nevent.exe, and ndesign.exe to blend in with normal enterprise software activity. This strongly suggests the attackers already had prior access to the victim environment and had staged the malicious executables in advance — a hallmark of earlier backdoor activity on the compromised hosts.

How the Infection Chain Works

Execution begins with a batch script named OhSyncNow.bat, which serves as the entry point for the destructive sequence. The script:

  • Identifies a working directory (typically C:\lotus).
  • Attempts to disable the Interactive Services Detection service (UI0Detect) to suppress user-visible alerts about suspicious background activity. Because this service was removed starting with Windows 10 version 1803, its presence suggests the attackers were specifically targeting legacy systems.
  • Checks for a remote XML flag file (OHSync.xml) on the domain’s NETLOGON share — a network-based trigger that allows the operators to fan out destruction across many hosts simultaneously.

Once the trigger fires, the wiper aggressively removes recovery mechanisms, overwrites physical drives with zeros, and systematically deletes files across all affected volumes. Because the malware writes to the disk at a low level and destroys shadow copies and recovery partitions, a wiped host cannot be recovered without an offline backup.

Why This Attack Matters

Lotus Wiper is a sharp reminder that the threat landscape against critical infrastructure continues to evolve beyond ransomware. Destructive attacks are increasingly being used as instruments of coercion, sabotage, and geopolitical signaling, and the energy sector — already under pressure from regulators and ransomware crews — must now also contend with adversaries whose goal is outright destruction.

Defensive Priorities

Operators of energy, water, and industrial-control environments should prioritize:

  • Offline, immutable backups that are regularly tested for rapid restoration.
  • Strict segmentation between enterprise IT and OT networks, with tightly controlled jump hosts.
  • Detection content for suspicious activity on NETLOGON shares, unusual batch scripts, and binaries masquerading as HCL Domino components.
  • Threat hunting for prior-compromise indicators, since Lotus Wiper requires staging and almost certainly implies an earlier, undetected backdoor on victim hosts.
  • Incident response playbooks specifically for destructive attacks, where the emphasis shifts from containment to continuity.
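As an added illustration of the detection content listed above (example code, not from the article or from Kaspersky), the following Python checks process-creation telemetry for the artifacts the article names: Domino-named binaries running outside the Domino install directory, the C:\lotus staging path and OhSyncNow.bat, UI0Detect service tampering via sc.exe or net.exe, and references to OHSync.xml on a NETLOGON share. The Domino install paths and the sample events are constructed assumptions; adjust them to the environment.

```python
import re

# Filenames the article reports Lotus Wiper uses to pose as HCL Domino components.
DOMINO_LOOKALIKES = {"nstats.exe", "nevent.exe", "ndesign.exe"}
# Where genuine Domino binaries are expected (assumption; adjust to your install).
DOMINO_DIRS = (r"c:\program files\hcl\domino", r"c:\program files\ibm\domino")
# Staging directory and entry-point script named in the article.
STAGING_DIR = "c:\\lotus\\"
ENTRY_SCRIPT = "ohsyncnow.bat"
UI0DETECT_RE = re.compile(r"\bui0detect\b")
NETLOGON_TRIGGER_RE = re.compile(r"\\netlogon\\ohsync\.xml")


def analyze_event(ev):
    """Return finding strings for one process-creation event.

    ev is a dict with 'image' (full path of the new process) and 'cmdline',
    as extracted from Sysmon Event ID 1 or Windows Security event 4688.
    """
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    name = image.rsplit("\\", 1)[-1]
    findings = []
    if name in DOMINO_LOOKALIKES and not image.startswith(DOMINO_DIRS):
        findings.append(f"Domino-named binary outside Domino dir: {image}")
    if image.startswith(STAGING_DIR) or STAGING_DIR in cmd:
        findings.append("activity in C:\\lotus staging directory")
    if ENTRY_SCRIPT in cmd:
        findings.append("OhSyncNow.bat entry script executed")
    if name in ("sc.exe", "net.exe") and UI0DETECT_RE.search(cmd):
        findings.append("UI0Detect service tampering")
    if NETLOGON_TRIGGER_RE.search(cmd):
        findings.append("NETLOGON OHSync.xml trigger file referenced")
    return findings


def scan_events(events):
    """Map event index -> findings, for events that raise at least one."""
    hits = {}
    for i, ev in enumerate(events):
        findings = analyze_event(ev)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample telemetry for this example (not from a real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\lotus\nstats.exe", "cmdline": "nstats.exe"},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config UI0Detect start= disabled"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\lotus\OhSyncNow.bat"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"if exist \\corp.example\NETLOGON\OHSync.xml goto start"},
    {"image": r"C:\Program Files\HCL\Domino\nevent.exe", "cmdline": "nevent.exe"},  # benign
]

if __name__ == "__main__":
    for idx, findings in scan_events(SAMPLE_EVENTS).items():
        print(idx, findings)
```

The last sample event shows the intended false-positive control: a Domino-named binary under the real install path produces no finding.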

As Lotus Wiper demonstrates, attackers targeting critical infrastructure are no longer just after profit. Defenders should assume that some adversaries are playing a long game — and plan accordingly.
