Skip to main content
Emerging ThreatsMalware & Ransomware

Lotus Malware Targets Venezuelan Energy Firms with Data-Wiping Attacks

Destroyed electrical substation at dusk with rubble, shattered phone, and scattered papers amidst ominous cityscape.

“The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state,” Kaspersky says in a report today.

Kaspersky's description of Lotus and the observed campaign

Kaspersky reports that a previously undocumented data-wiping malware, dubbed Lotus, was used last year in targeted attacks against energy and utilities organizations in Venezuela. The sample analyzed by the company was uploaded to a publicly available platform in mid-December from a machine in Venezuela, and Kaspersky’s technical report lays out both the preparatory steps and the low-level destructive behavior of the final payload.

Chain of attacker-preparation scripts: OhSyncNow.bat and notesreg.bat

The intrusion as described by Kaspersky proceeds through two Windows batch scripts before the final Lotus payload runs. The first script, OhSyncNow.bat, disables the Windows ‘UI0Detect’ service and performs an XML file check to coordinate execution across domain-joined systems. The second-stage script, notesreg.bat, runs when those coordination checks pass and then takes a series of actions to impede recovery and isolate hosts.

  • notesreg.bat enumerates users, disables accounts by changing passwords, and forces active sessions to log off.
  • The script disables all network interfaces and deactivates cached logins, reducing the chance of remote remediation or user recovery.
  • It enumerates attached drives and invokes diskpart clean all to overwrite drives with zeroes and uses robocopy to overwrite directory contents.
  • The script also calculates free space and runs fsutil to create a file that fills remaining disk capacity, complicating forensic recovery.
  • After these preparatory actions the batch script decrypts and executes the Lotus wiper as the final payload.

Lotus wiper's destructive mechanics

According to Kaspersky, Lotus interacts with storage at a lower level than typical file-deletion malware. The wiper uses IOCTL calls to retrieve disk geometry and overwrite physical sectors, clears the USN journal, wipes Windows restore points and performs repeated cycles of destruction. Key behaviors Kaspersky documents include:

  • Enabling all privileges in its token to obtain administrative-level access.
  • Deleting all Windows restore points through the System Restore API.
  • Wiping physical drives by retrieving disk geometry and writing zeroes to all sectors—not only logical volumes.
  • Clearing the USN journal to remove records of file-system activity.
  • Deleting files by zeroing their contents, renaming them to random names, and removing them or scheduling deletion on reboot if locked.
  • Repeating wipe-and-restore-point-deletion cycles multiple times and calling IOCTL_DISK_UPDATE_PROPERTIES after the final wipe.

Context: Venezuelan energy firms and mid-December incidents

Kaspersky places the observed Lotus activity in a region of heightened geopolitical tension. The company notes that the timing aligns with events that culminated on January 3 with the capture of Venezuela’s then-president, Nicolás Maduro. Around mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) reported a cyberattack that disabled delivery systems and publicly blamed the United States for that incident; Kaspersky and the reporting make clear there is no public evidence that PDVSA’s systems were wiped or that the PDVSA incident and the Lotus campaign are the same intrusion.

What this means for PDVSA, Venezuelan energy sector, and security teams

For PDVSA and other Venezuelan energy and utility organizations, the combination of preparatory domain-wide coordination and a low-level physical-drive wiper raises the prospect of permanent operational disruption if defenders miss the early indicators Kaspersky highlights. For security teams managing affected environments, Kaspersky recommends monitoring specific behaviors that precede Lotus execution:

  • Watch for changes to NETLOGON shares and manipulation of the UI0Detect service.
  • Alert on mass account changes, forced logoffs, and disabling of network interfaces.
  • Flag unexpected or unusual use of diskpart, robocopy, and fsutil—tools the attacker used to precondition disks.
  • Maintain regular offline backups and frequently validate restorability, a general recommendation Kaspersky reiterates against destructive wipers and ransomware.

Kaspersky’s findings describe a multi-stage approach designed to deny recovery options before executing a low-level wipe that targets physical sectors and recovery artifacts. The observable sequence—from UI0Detect manipulation to diskpart clean all, fsutil disk-filling, and finally Lotus’ repeated sector overwrites—provides concrete telemetry defenders can instrument for. At the same time, the public record supplied with Kaspersky’s analysis leaves open questions about which specific organizations were impacted and whether the PDVSA December disruption and the Lotus campaign are connected; defenders will have to rely on the indicators and behaviors Kaspersky names while investigators seek fuller attribution and scope.

Original BleepingComputer story