
New Lotus data eraser used against Venezuelan power, utility firms

A new data-wiping malware called Lotus was used last year in attacks targeting energy and utility companies in Venezuela.

A sample of the malware was uploaded publicly in mid-December from a machine in Venezuela and has since been analyzed by Kaspersky researchers.

Before the wiping phase, the attacker relies on two batch scripts that prepare the system for the final payload by weakening defenses and preventing normal operations.


According to the researchers, the Lotus data-wiping malware is designed to render compromised systems completely unusable by overwriting physical drives and removing recovery options.

“The wiper removes recovery methods, overwrites the contents of physical drives, and systematically deletes files from all affected volumes, ultimately leaving the system in an undetectable state,” Kaspersky said in a report today.

The timing of the observed activity coincides with political tensions in the region, which peaked this year on January 3 with the capture of Venezuela's president at the time, Nicolás Maduro.

In mid-December 2025, the state-owned oil company Petróleos de Venezuela (PDVSA) suffered a cyberattack that crippled its delivery systems. The organization blamed the United States for the incident.

There is no public evidence that PDVSA systems were wiped in that attack, and no details about the nature of the attack have been released.

First stage

Kaspersky’s report notes that the attack begins with a batch script (OhSyncNow.bat) that disables the Windows ‘UI0Detect’ service and checks for an XML file used to coordinate its execution across all domain-joined systems.

A second-stage script (notesreg.bat) is executed when certain conditions are met. It enumerates users, disables accounts through password changes, terminates active sessions, disables all network connections, and disables saved logins.

The script then enumerates the drives and runs ‘diskpart clean all’ on them, overwriting them with zeros. Kaspersky also observed it using ‘robocopy’ to overwrite directory contents.

Next, it checks free space and uses ‘fsutil’ to create a file that fills the disk, making it harder to recover deleted data.

After preparing the environment for data destruction and performing other self-erasing actions, the batch script decrypts and drops the Lotus wiper as the final payload.

Lotus wiper deployment

Lotus wiper works at a low level, interacting with disks via IOCTL calls, finding disk geometry, erasing USN journal entries, erasing restore points, and overwriting physical sectors, not just logical volumes.

The malware performs a number of actions, summarized as follows:

  • Enables all privileges on its access token to gain administrative-level access.
  • Removes all Windows restore points using the Windows System Restore API.
  • Erases physical drives by retrieving the disk geometry and overwriting all sectors with zeros.
  • Clears the USN journal to remove traces of file system activity.
  • Deletes files by truncating their contents, renaming them randomly, and deleting them (or scheduling deletion on restart if they are locked).
  • Repeats the drive-erase cycles and restore point deletion multiple times.
  • Updates disk properties using IOCTL_DISK_UPDATE_PROPERTIES after the last wipe.

Kaspersky suggests that system administrators monitor for NETLOGON share changes, tampering with the UI0Detect service, changes to privileged accounts, and the disabling of network connections, all of which are precursors to the wipe.

They add that unexpected use of ‘diskpart’, ‘robocopy’ and ‘fsutil’ is also a red flag.
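As an added example (not Kaspersky’s detection content, nor any tool described in the report), the following Python scores Sysmon-style process-creation records against the precursor behaviours seen in the first-stage scripts and the red flags listed above: UI0Detect tampering, account disabling, network-interface disabling, fsutil disk-filling, diskpart launched with a script file, and robocopy mirroring. The record format, rule names, weights, the 10-minute window, the alert threshold, and the sample log records are all constructed assumptions for this illustration; the idea is that a single tool invocation is noise, but several of them on one host inside a short window is the pattern worth paging on.

```python
"""Score process-creation telemetry for Lotus-style wiper precursors.

Added example, not Kaspersky tooling. Records are dicts shaped like
Sysmon Event ID 1 fields (constructed assumption): ts (epoch seconds),
host, image, cmdline.
"""
import re

# (rule name, regex over "image cmdline", weight). Weights and names are
# constructed; the behaviours come from the first-stage script description.
RULES = [
    ("ui0detect_tamper",
     re.compile(r"\b(sc|net)(\.exe)?\s+(config|stop|delete)\s+ui0detect\b", re.I), 3),
    ("account_disable",
     re.compile(r"\bnet1?(\.exe)?\s+user\b.*/active:no\b", re.I), 2),
    ("nic_disable",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+set\s+interface\b.*\bdisable\b", re.I), 3),
    ("fsutil_diskfree",
     re.compile(r"\bfsutil(\.exe)?\s+volume\s+diskfree\b", re.I), 1),
    ("fsutil_fill_disk",
     re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\b", re.I), 3),
    ("diskpart_scripted",
     re.compile(r"\bdiskpart(\.exe)?\b.*(/s\b|clean\s+all)", re.I), 4),
    ("robocopy_mirror",
     re.compile(r"\brobocopy(\.exe)?\b.*(/mir\b|/purge\b)", re.I), 2),
    ("session_kill",
     re.compile(r"\b(logoff|quser|query\s+session)\b", re.I), 1),
]


def match_rules(record):
    """Return [(rule_name, weight)] for every rule the record triggers."""
    text = f"{record['image']} {record['cmdline']}"
    return [(name, w) for name, rx, w in RULES if rx.search(text)]


def analyze(records, window_s=600, threshold=6):
    """One alert per host whose best sliding window reaches the threshold.

    A window must contain at least two distinct rules so that a lone
    backup job running robocopy /MIR never alerts on its own.
    """
    by_host = {}
    for r in records:
        hits = match_rules(r)
        if hits:
            by_host.setdefault(r["host"], []).append((r["ts"], hits))

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        best = None
        for i, (t0, _) in enumerate(events):
            seen = {}  # each rule counted once per window, highest weight wins
            for t, hits in events[i:]:
                if t - t0 > window_s:
                    break
                for name, w in hits:
                    seen[name] = max(seen.get(name, 0), w)
            score = sum(seen.values())
            if len(seen) >= 2 and score >= threshold and (best is None or score > best["score"]):
                best = {"host": host, "start": t0, "score": score, "rules": sorted(seen)}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample telemetry: one host running the precursor sequence,
# one file server whose only match is a routine robocopy mirror.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS-OPS-07", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config UI0Detect start= disabled"},
    {"ts": 1020, "host": "WS-OPS-07", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 user operator /active:no"},
    {"ts": 1030, "host": "WS-OPS-07", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"ts": 1040, "host": "WS-OPS-07", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil volume diskfree C:"},
    {"ts": 1045, "host": "WS-OPS-07", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": r"fsutil file createnew C:\fill.tmp 400000000000"},
    {"ts": 1100, "host": "WS-OPS-07", "image": r"C:\Windows\System32\diskpart.exe",
     "cmdline": r"diskpart /s C:\Windows\Temp\dp.txt"},
    {"ts": 1110, "host": "WS-OPS-07", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy C:\Windows\Temp\junk D:\data /MIR"},
    {"ts": 1005, "host": "FS-BACKUP-01", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy D:\shares \\nas\backup /MIR /R:1"},
    {"ts": 1500, "host": "FS-BACKUP-01", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert['host']}: score {alert['score']} from {alert['rules']} (t={alert['start']})")
```

In practice the records would come from your SIEM’s process-creation feed rather than the inline list, and the weights should be tuned against your own baseline, since administrators do legitimately run fsutil and diskpart; the correlation across rules within one window is what separates the wiper’s staging from routine maintenance.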

A general recommendation against wipers and ransomware is to keep regular offline backups and to verify that they can actually be restored.
