
A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela.
The malware was uploaded to a publicly available platform in mid-December from a device in Venezuela and has been analyzed by researchers at Kaspersky.
Before the crippling stage, the attacker relies on two batch scripts that prepare the system for the final payload by weakening defenses and obstructing normal operations.
According to the researchers, the Lotus data-wiping malware is designed to completely destroy compromised systems by overwriting physical drives and removing recovery options.
"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state," Kaspersky says in a report today.
Given the timing, the observed activity aligns with geopolitical tensions in the region, which culminated this year on January 3 with the capture of Venezuela's then-president, Nicolás Maduro.
Around mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) suffered a cyberattack that disabled its supply systems. The organization blamed the United States for the incident.
It should be noted that there is no public evidence indicating that PDVSA's systems were wiped in the attack, nor any details about the nature of the attack.
Initial activity
Kaspersky's report notes that the attacks begin with the execution of a batch script (OhSyncNow.bat) that disables the Windows 'UI0Detect' service and performs an XML file check to coordinate execution across domain-joined systems.
A second-stage script (notesreg.bat) is executed when certain conditions are met. It enumerates users, disables accounts via password changes, logs off active sessions, disables all network interfaces, and deactivates cached logins.
The malicious code then enumerates drives and runs 'diskpart clean all' to overwrite them with zeros. It also uses 'robocopy' to overwrite directory contents, Kaspersky found.
In the next phase, it calculates the free space and uses 'fsutil' to create a file that fills the disk, making it harder to recover the wiped data.
After preparing the environment for data destruction and performing some wiping actions itself, the batch script decrypts and executes the Lotus wiper as the final payload.
Lotus wiper deployment
The Lotus wiper operates at a lower level, interacting with disks via IOCTL calls, retrieving the disk geometry, clearing USN journal entries, wiping restore points, and overwriting physical sectors, not just logical volumes.
The malware performs multiple actions, summarized as follows:
- Enables all privileges in its token to gain administrative-level access.
- Deletes all Windows restore points using the Windows System Restore API.
- Wipes physical drives by retrieving the disk geometry and overwriting all sectors with zeroes.
- Clears the USN journal to remove traces of file system activity.
- Deletes files by zeroing their contents, renaming them randomly, and removing them (or scheduling deletion on reboot if they are locked).
- Repeats cycles of drive wiping and restore point deletion multiple times.
- Updates disk properties using IOCTL_DISK_UPDATE_PROPERTIES after the final wipe.
Kaspersky suggests that system administrators should monitor for NETLOGON share changes, UI0Detect manipulation, mass account changes, and the disabling of network interfaces, which are all precursor activities.
They add that unexpected use of 'diskpart,' 'robocopy,' and 'fsutil' is also a red flag.
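Detection logic for those precursors, as an added example that is not from Kaspersky's report or this article: it runs over constructed Sysmon-style process-creation records, and the command-line patterns, the three-accounts-in-five-minutes threshold and the 1 GB disk-fill size are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "cmd": "sc config UI0Detect start= disabled"},
    {"host": "WS01", "ts": 105, "cmd": "net user alice Xy9!pass /domain"},
    {"host": "WS01", "ts": 106, "cmd": "net user bob Xy9!pass /domain"},
    {"host": "WS01", "ts": 107, "cmd": "net user carol Xy9!pass /domain"},
    {"host": "WS01", "ts": 110, "cmd": 'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "WS01", "ts": 120, "cmd": r"diskpart /s C:\Windows\Temp\d.txt"},
    {"host": "WS01", "ts": 130, "cmd": r"fsutil file createnew C:\fill.bin 107374182400"},
    {"host": "WS02", "ts": 200, "cmd": r"robocopy D:\share E:\backup /E"},
    {"host": "WS02", "ts": 210, "cmd": "net user dave NewPass1 /domain"},
]

# Single-event rules for the precursors the report names; these tools are legitimate,
# so hits are triaged against expected admin activity rather than auto-blocked.
RULES = [
    ("ui0detect_manipulation",
     re.compile(r"\b(sc|net)(\.exe)?\s+(config|stop|delete)\s+ui0detect\b", re.I)),
    ("network_interface_disabled",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\badmin\s*=\s*disable", re.I)),
    ("diskpart_execution", re.compile(r"\bdiskpart(\.exe)?\b", re.I)),
    ("robocopy_execution", re.compile(r"\brobocopy(\.exe)?\b", re.I)),
    ("fsutil_disk_fill",  # only a disk-filling size is interesting; see fill_bytes below
     re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\s+\S+\s+(?P<size>\d+)", re.I)),
]
# "net user <account> <newpassword>"; a bare "net user <account>" query does not match.
PASSWORD_CHANGE = re.compile(r"\bnet(\.exe)?\s+user\s+(?P<acct>[^\s/]+)\s+(?!/)\S+", re.I)


def detect(events, account_threshold=3, window=300, fill_bytes=1 << 30):
    """Return (host, rule, detail) alerts. Thresholds are assumptions, not from the report."""
    alerts = []
    changes = defaultdict(list)  # host -> [(ts, account)] for password resets
    for ev in events:
        host, cmd = ev["host"], ev["cmd"]
        for name, rx in RULES:
            m = rx.search(cmd)
            if m and not (name == "fsutil_disk_fill" and int(m["size"]) < fill_bytes):
                alerts.append((host, name, cmd))
        m = PASSWORD_CHANGE.search(cmd)
        if m:
            changes[host].append((ev["ts"], m["acct"].lower()))
    # Correlated rule: many distinct accounts reset on one host inside a sliding window.
    for host, items in changes.items():
        for ts, _ in items:
            accts = {a for t, a in items if ts <= t < ts + window}
            if len(accts) >= account_threshold:
                alerts.append((host, "mass_account_change", f"{len(accts)} accounts in {window}s"))
                break
    return alerts
```

On the sample records this yields six alerts: five on WS01 (including the correlated mass account change) and a single robocopy hit on WS02, which on its own is only a lead to check against scheduled backup jobs.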
A general recommendation against wipers and ransomware is to maintain regular offline backups whose restorability is validated on a regular basis.




