Lotus Wiper: Destructive Malware Targeting Venezuelan Critical Infrastructure & OT Networks
In a sophisticated display of cyber-sabotage, a new breed of destructive malware known as Lotus Wiper has been identified targeting critical energy and utility infrastructure in Venezuela. Unlike the contemporary ransomware epidemic, which operates on a model of financial extortion through encryption, Lotus Wiper is built for a singular, more ominous purpose: permanent data destruction and the absolute disruption of operational technology (OT) and information technology (IT) environments.
Technical artifacts from the attack chain surfaced on public malware-sharing repositories in mid-December 2025, originating from a machine located within Venezuela. The proximity and timing of these uploads align closely with reported disruptions in the country’s power and water sectors. Analysis of embedded metadata and file paths confirms that the scope of the attack is highly specialized, specifically targeting the utility and energy domains—a trend that mirrors the increasing targeting of critical infrastructure across Latin America and the Caribbean.
The absence of ransom notes, payment gateways, or any logic related to cryptographic extortion reinforces the consensus among threat intelligence analysts: this is not a profit-driven operation. Instead, the campaign appears to be a tool of geopolitical coercion. Intelligence suggests the attackers maintained long-term, undetected persistence within victim networks for months prior to the actual “wipe” event, with compilation timestamps dating back to late September 2025.
Orchestrated Destruction: The Batch Script Kill-Switch
The deployment of Lotus Wiper is not a single event but a highly orchestrated sequence designed to paralyze a network simultaneously. The initial stage utilizes “Living off the Land” (LotL) techniques, employing native Windows batch scripts to serve as a coordinated “kill switch.”
The execution sequence begins with OhSyncNow.bat. This script establishes a local workspace (typically C:\lotus) and attempts to disable the legacy UI0Detect (Interactive Services Detection) service—a move intended to bypass certain security visibility on older Windows deployments. Crucially, the script polls a NETLOGON share for a specific control file, OHSync.xml. This XML file acts as a network-wide semaphore; once present, it triggers the next phase of the attack across all infected hosts.
Upon detection of the trigger, the secondary script, notesreg.bat, initiates a massive lockout procedure. The script:
- Enumerates local user accounts and forces password changes to randomized values.
- Flags primary administrative and user accounts as inactive to prevent manual intervention.
- Disables cached logons via the
Winlogonregistry key to ensure users cannot log in offline. - Executes
netshcommands to administratively disable network interfaces, effectively “air-gapping” the infected machine from the security team’s ability to reach it remotely.
Following the lockout, the script shifts into a destructive posture using built-in utilities. It leverages diskpart with the clean all command to overwrite entire volumes with null bytes (zeros), destroying partition tables and file system structures. To ensure total data loss, it utilizes robocopy in mirror mode to scrub directory contents and employs fsutil to generate massive filler files, exhausting all remaining disk space to thwart forensic reconstruction attempts.
The final stage of the staging process involves a sophisticated masquerade. A fake HCL Domino executable, nstats.exe, is launched with two secondary binaries, nevent.exe and ndesign.exe, passed as arguments. Through a process of runtime decryption, nstats.exe extracts the primary Lotus Wiper payload into the secondary files, executing the final implant with elevated privileges. This complex staging implies the attackers had already successfully staged these binaries across the domain during their period of undetected persistence.
Low-Level Destruction: Lotus Wiper Internals
Once the primary Lotus Wiper payload achieves execution, it moves from script-based destruction to low-level system manipulation. The malware secures full privileges within its current access token and immediately invokes the srclient.dll System Restore API to delete all existing Volume Shadow Copies, stripping the OS of its primary recovery mechanism.
The malware then initiates a surgical wipe of the physical hardware. By querying disk geometry and utilizing low-level IOCTL (Input/Output Control) calls, it writes zeros directly to every sector of the drive. Simultaneously, it clears the USN (Update Sequence Number) Change Journal to erase the forensic trail of file modifications.

To ensure no data survives, the wiper spawns multiple threads that perform a “triple-threat” deletion: zeroing out file contents, renaming files to random hexadecimal strings to break file association, and finally invoking MoveFileExW with the MOVEFILE_DELAY_UNTIL_REBOOT flag, allowing the malware to delete files that are currently locked by the operating system.
The result is a catastrophic failure of the host system. Much like the NotPetya or HermeticWiper incidents, Lotus Wiper leaves the target machine in an unbootable and unrecoverable state.
Defensive Mitigations and Recommendations
Defending against a wiper of this caliber requires a shift from traditional malware detection to proactive hunting and structural resilience.
1. Monitor for Coordinated Triggers: Security Operations Centers (SOCs) should implement rigorous monitoring of NETLOGON and other critical domain shares. Any unexpected appearance of XML files or batch scripts in these locations should be treated as a high-severity incident.
2. Detect “Living off the Land” Abuse: Implement EDR (Endpoint Detection and Response) rules to flag anomalous, large-scale use of diskpart, robocopy, and fsutil. While these are legitimate tools, their sudden execution across multiple hosts is a hallmark of a wiper deployment.
3. Harden Identity and Privilege Management: Since Lotus Wiper requires elevated permissions, organizations must focus on Credential Hygiene. Monitor for anomalous administrative activity, token theft, and unauthorized privilege escalation. Particular attention should be paid to legacy systems that may still support vulnerable services like UI0Detect.
4. Immutable and Segmented Backups: In the event of a successful wiper attack, prevention may have failed. The only true recourse is a robust backup strategy. Organizations must maintain off-site, immutable, and segmented backups that are regularly tested against total-disk-wipe scenarios to ensure business continuity.