
Lotus Wiper Malware Disrupts Venezuelan Energy Sector


"Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload," Kaspersky said.

What Kaspersky discovered and when

Cybersecurity researchers at Kaspersky identified a previously undocumented data wiper, dubbed Lotus Wiper, used in a destructive campaign that targeted Venezuela's energy and utilities sector at the end of 2025 and the start of 2026. The artifact was compiled in late September 2025 and was uploaded to a publicly available platform from a machine in Venezuela in mid-December 2025 — weeks before a U.S. military action in the country in early January 2026. Kaspersky stressed that "it is currently not known if these two events are related," while noting the upload "occurred during a period of increased public reports of malware activity targeting the same sector and region," which the company says suggests the operation was extremely targeted.

How the attack chain operates

According to Kaspersky, Lotus Wiper's destructive sequence is coordinated by two batch scripts and a previously unknown wiper binary. The first batch script performs a series of environment checks and preparatory actions: it attempts to stop the Windows Interactive Services Detection (UI0Detect) service, checks for a NETLOGON share, and attempts to access a remote XML file. The script also looks for a local file in a directory defined as "C:\lotus" or "%SystemDrive%\lotus" and will continue to execute a second batch script regardless of that local check. If the NETLOGON share is initially unreachable, the script will introduce a randomized delay of up to 20 minutes before retrying.

Kaspersky notes the attempt to stop UI0Detect is significant because UI0Detect was removed from modern versions of Windows; its presence indicates the scripts were designed to run on machines predating Windows 10 version 1803.

What the second script and the wiper do

The second batch script escalates the destructive behavior. If it has not already run, it enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and executes the "diskpart clean all" command to wipe identified logical drives. The script also uses robocopy to mirror and overwrite or delete folders, and calculates available free space in order to use fsutil to create a file that fills the drive and exhausts storage capacity — actions intended to impair recovery.

Once the environment is prepared, the Lotus Wiper payload is launched. Kaspersky reports the wiper deletes restore points, overwrites the physical sectors of drives with all zeroes, clears the update sequence number (USN) journal of each volume, and erases all files on each mounted volume. The combined effect, the vendor concluded, is to remove recovery mechanisms and leave systems in an inoperable state.

Indicators, defensive guidance, and attacker profiling

Kaspersky highlighted several detection and monitoring priorities. Organizations, including government entities, are advised to monitor for NETLOGON share changes, evidence of credential dumping or privilege escalation activity, and the use of native Windows utilities such as fsutil, robocopy, and diskpart in destructive patterns. The presence of functionality targeting older Windows versions led Kaspersky to conclude that "the attackers likely had knowledge of the environment and compromised the domain long before the attack occurred," implying lateral access and reconnaissance prior to the destructive phase.

How technologists, policymakers, and affected enterprises should treat the finding

  • Technologists and security teams: Watch for the specific behaviors Kaspersky flagged — NETLOGON access attempts, randomized retry logic for network shares, and the suspicious use of diskpart, robocopy, and fsutil — and prioritize detection rules around those native utilities and domain share activity.
  • Policymakers and regulators: Note the timing Kaspersky documented (sample compiled in late September 2025; uploaded mid‑December 2025) and the vendor's caution that it is "currently not known if these two events are related" to the early January 2026 U.S. military action; the timeline may be material to any cross‑sector review of critical‑infrastructure incidents in the period.
  • Affected enterprises and procurement leaders in Venezuelan energy and utilities: Treat the incident as an example of destructive, non‑extortionate malware that targets recovery mechanisms and old OS features; prioritize monitoring of domain shares, credential hygiene, and the presence of legacy Windows systems that could be targeted for such scripts.
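The monitoring priorities above (NETLOGON share access, the UI0Detect stop attempt, the "lotus" staging directory, and diskpart, robocopy and fsutil used in destructive patterns) can be turned into a simple process-creation hunt. The following is an added example, not Kaspersky's tooling: it runs the behaviours the report names as regex rules over constructed Sysmon-style events and only reports a host that trips several distinct rules, since any one of these utilities is common in legitimate administration. Hostnames, user names, paths and command lines in the sample events are invented.

```python
"""Hunt for a Lotus Wiper-style destructive pattern in process-creation logs.
Each event is a dict with host, user and cmdline (Sysmon Event ID 1 / 4688 style)."""
import re
from collections import defaultdict

# Behaviours called out in the Kaspersky write-up, as case-insensitive regexes.
RULES = {
    "stop_ui0detect": re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+ui0detect\b", re.I),
    "netlogon_share": re.compile(r"\\\\[^\\\s]+\\netlogon\b", re.I),
    "lotus_dir": re.compile(r"(?:%systemdrive%|[a-z]:)\\lotus\b", re.I),
    "diskpart_script": re.compile(r"\bdiskpart(\.exe)?\b.*\s/s\s", re.I),
    "robocopy_mirror": re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|purge)\b", re.I),
    "fsutil_fill": re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\b", re.I),
}

def match_event(cmdline):
    """Return the names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def hunt(events, min_rules=2):
    """Collect distinct rule hits per host; report hosts with at least `min_rules`
    different behaviours, which separates the chained pattern from routine admin use."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_event(ev["cmdline"]):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_rules}

# Constructed sample telemetry (not real logs): one host shows the chained pattern,
# a second host shows an ordinary robocopy mirror that should not be reported.
SAMPLE_EVENTS = [
    {"host": "SRV-OPS02", "user": "CORP\\ops_admin", "cmdline": r"sc.exe stop UI0Detect"},
    {"host": "SRV-OPS02", "user": "CORP\\ops_admin", "cmdline": r"net.exe use \\DC01\NETLOGON"},
    {"host": "SRV-OPS02", "user": "CORP\\ops_admin", "cmdline": r"diskpart.exe /s C:\lotus\wipe.txt"},
    {"host": "SRV-OPS02", "user": "CORP\\ops_admin",
     "cmdline": r"fsutil.exe file createnew D:\fill.bin 480000000000"},
    {"host": "WS-HELP07", "user": "CORP\\jdoe", "cmdline": r"robocopy.exe C:\Docs E:\Backup /MIR"},
]

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

In a real deployment the same rules would be fed from a SIEM query over Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the per-host grouping would be bounded to a time window.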

Lotus Wiper stands apart for its catalogue of destructive techniques: coordinated batch scripts, native Windows utilities repurposed to erase and exhaust storage, wiping of system restore points, zero‑writing of physical sectors, and clearing of USN journals. Kaspersky's findings portray an operator who sought to make recovery difficult or impossible, rather than extract ransom, and whose tools indicate prior knowledge of the target environment.

The central unanswered fact remains whether the public upload in mid‑December 2025 and the later military activity in early January 2026 are related — Kaspersky says that link is unknown. Meanwhile, defenders in the region and organizations with similar legacy footprints have a narrowly circumscribed set of artifacts and behaviors to hunt for and harden against.
