Lotus Wiper: Silent Sabotage Targeting Venezuela’s Energy Sector

Amber | Attack Report
Summary

Lotus Wiper is a destructive malware campaign targeting Venezuela’s energy and utilities sector. This previously undocumented wiper was first observed in mid-December 2025 but had been compiled in late September 2025, indicating a prolonged preparation phase for the operation. It targeted Windows-based systems within Venezuelan energy organizations during a period of heightened geopolitical tension in the Caribbean region in late 2025 and early 2026.

The attack chain combines batch scripts and a destructive payload to disable system defenses, destroy disk contents, and render targeted systems permanently unrecoverable. It begins with batch scripts that weaken system security, disable user accounts, and prepare the environment for the wiper payload. Once deployed, Lotus Wiper removes recovery mechanisms, overwrites physical drives with zeros, clears USN journals, and deletes files across the affected systems. Notably, the campaign included no ransomware or extortion mechanism, confirming that it is a purely destructive operation with no financial motive behind the targeting of Venezuela’s critical energy infrastructure.

Attack Details

Initial Attack Stage and Environment Preparation

The attack begins with a batch script named OhSyncNow.bat, which serves as the initial trigger for the destructive chain. The script creates a local working directory at C:\lotus and immediately attempts to disable the Interactive Services Detection (UI0Detect) service, suppressing visible alerts that could expose the activity to system administrators.

The script then checks for an XML flag file (OHSync.xml) hosted on a NETLOGON share, using a hardcoded organization name to construct the network path. This file functions as a covert control signal: once it is detected, execution proceeds across domain-joined systems, resembling a backdoor that depends on a network-accessible resource. If the trigger file is absent, execution halts; if the share is temporarily unreachable, the script waits a randomized delay of up to 20 minutes before retrying, which adds resilience and stealth to the operation.

System Destruction and User Account Compromise

Once the attack is activated, a secondary script named notesreg.bat executes a one-time destructive routine. It first checks for a marker file to avoid re-execution, deleting itself if the routine has already run on the host. The script then targets user accounts, excluding specific predefined names likely tied to IT personnel, by resetting passwords to random values, disabling the accounts, and restricting their login hours.

The script further disrupts access by disabling cached credentials through a registry modification and forcibly logging off all active sessions using qwinsta. It then disables all network interfaces via netsh, cutting off external communication. From there it escalates to full-scale destruction: it enumerates all logical drives and uses diskpart clean all to overwrite the disks with zeros, recursively overwrites directory contents using robocopy, and exhausts the remaining disk space with fsutil, leaving the system inoperable.

Payload Decryption and Wiper Deployment

The final stage introduces a binary named nstats.exe, which masquerades as a legitimate HCL Domino server component. It accepts two arguments, nevent.exe (an XOR-encrypted payload) and ndesign.exe (the output file), and decrypts the payload to produce the actual wiper binary. The need to pre-stage these components strongly indicates that the attackers had already established a foothold within the victim’s infrastructure before detonation.

The deliberate targeting of legacy Windows features such as UI0Detect also suggests that the attackers had a detailed understanding of the victim’s infrastructure. Timeline analysis shows that the wiper was compiled in late September 2025 but deployed only months later against Venezuelan energy targets, pointing to a carefully planned and staged intrusion.

Multi-Phase Destruction Process

Once executed, the wiper escalates its privileges to gain full administrative control and begins a multi-phase destruction process. It first removes all system restore points by dynamically loading srclient.dll and invoking the System Restore API, eliminating recovery options on the compromised host.

It then wipes physical drives by querying disk geometry via IOCTL_DISK_GET_DRIVE_GEOMETRY_EX and overwriting all sectors with zeros. Between wipe cycles, it enumerates mounted volumes and spawns parallel threads to erase USN journal entries and delete files at scale. Individual file destruction involves zeroing data regions, renaming files to random hexadecimal strings to obscure their identity, and deleting them using native Windows APIs.

Where files are locked, deletion is deferred until reboot using MoveFileExW. The process is repeated in multiple passes, with additional restore point removal after each cycle, to ensure the damage is irrecoverable. The operation concludes with a system-level update call to reflect the disk changes, leaving the machine effectively unusable.

Recommendations

Audit NETLOGON and Domain Shares

Review permissions and file activity on domain shares, and specifically monitor the NETLOGON share for unauthorized file additions or modifications. The attack chain uses a shared XML file as the trigger that coordinates wiper execution across domain-joined hosts, so NETLOGON share monitoring is critical for detecting deployment attempts.

Monitor for Unauthorized Service Manipulation

Deploy detection rules for attempts to query, stop, or disable system services such as UI0Detect using sc.exe. This behavior was used in the initial phase of the attack to suppress visible warnings, so service manipulation monitoring offers an early detection opportunity.

Detect Mass Account Manipulation

Alert on bulk password changes and account deactivation events (Windows Event 4724) across local user accounts, particularly when performed in rapid succession by scripted processes rather than through administrative workflows. The campaign systematically disabled user accounts, making account manipulation a critical indicator of wiper activity.

Block Living-off-the-Land Abuse

Monitor and restrict unusual use of built-in system utilities including fsutil, robocopy, diskpart, netsh, and qwinsta, especially when invoked from non-standard directories or batch scripts. The attackers relied on these legitimate tools for disk destruction and network isolation, so abnormal utility usage is a vital detection point.

Restrict Network Interface Changes

Implement controls to alert on or prevent unauthorized disabling of network interfaces via netsh. Lotus Wiper used this technique to isolate compromised systems from external communication and impede incident response, making network interface monitoring essential for detecting its isolation tactics.

Harden Cached Credential Policy

Enforce group policy settings for CachedLogonsCount and monitor for unauthorized registry modifications to the Winlogon key. The attack changed this value to prevent domain users from logging in without network connectivity, so credential policy hardening improves resilience against this class of attack.

Implement Immutable and Offline Backups

Maintain air-gapped or immutable backup copies of critical systems and data, and regularly test restoration procedures. Wipers such as Lotus Wiper are designed to render systems permanently unrecoverable, so resilient backups are the primary recovery mechanism for organizations facing destructive campaigns against critical infrastructure.
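The detection logic for the recommendations above, written as an added example that is not part of this advisory or the referenced report. It runs over constructed Sysmon-style process-creation records (Event ID 1) and Security password-reset events (Event ID 4724); the field names, the burst threshold and the "outside C:\Windows" heuristic are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for behaviours described in the advisory, applied to
# process-creation records (Event ID 1). Field names are assumed, not a standard.
CMD_RULES = {
    "service_manipulation": re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config|query)\s+UI0Detect\b", re.I),
    "interface_disable": re.compile(r"\bnetsh\b.*\binterface\b.*\bdisable\b", re.I),
    "cached_logon_tamper": re.compile(r"\bWinlogon\b.*\bCachedLogonsCount\b", re.I),
}
# Built-in utilities the script chain abused; flagged when run from outside C:\Windows
LOLBINS = {"diskpart.exe", "fsutil.exe", "robocopy.exe", "netsh.exe", "qwinsta.exe"}
BURST_N, BURST_WINDOW = 5, timedelta(seconds=60)   # assumed thresholds for 4724 bursts

def analyse(events):
    """Return a list of (rule_name, detail) findings for the given event dicts."""
    findings, resets = [], defaultdict(list)
    for e in events:
        if e["id"] == 1:                                   # process creation
            for name, rx in CMD_RULES.items():
                if rx.search(e["cmd"]):
                    findings.append((name, e["cmd"]))
            exe = e["image"].rsplit("\\", 1)[-1].lower()
            if exe in LOLBINS and not e["cwd"].lower().startswith("c:\\windows"):
                findings.append(("lolbin_from_unusual_dir", f'{exe} in {e["cwd"]}'))
        elif e["id"] == 4724:                              # password reset attempt
            resets[e["subject"]].append(datetime.fromisoformat(e["ts"]))
    for subject, times in resets.items():                  # sliding window per subject
        times.sort()
        for i in range(len(times) - BURST_N + 1):
            if times[i + BURST_N - 1] - times[i] <= BURST_WINDOW:
                findings.append(("mass_password_reset", f"{subject}: {len(times)} resets"))
                break
    return findings

SAMPLE = [  # constructed records for demonstration, not taken from the advisory
    {"id": 1, "ts": "2025-12-15T03:10:01", "image": r"C:\Windows\System32\sc.exe",
     "cmd": "sc stop UI0Detect", "cwd": r"C:\lotus"},
    {"id": 1, "ts": "2025-12-15T03:10:02", "image": r"C:\Windows\System32\netsh.exe",
     "cmd": 'netsh interface set interface "Ethernet" admin=disable', "cwd": r"C:\lotus"},
    {"id": 1, "ts": "2025-12-15T03:10:03", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /d 0 /f', "cwd": r"C:\lotus"},
    {"id": 1, "ts": "2025-12-15T03:10:04", "image": r"C:\Windows\System32\diskpart.exe",
     "cmd": "diskpart /s wipe.txt", "cwd": r"C:\lotus"},
    {"id": 1, "ts": "2025-12-15T09:00:00", "image": r"C:\Windows\System32\robocopy.exe",
     "cmd": r"robocopy D:\src E:\bak /MIR", "cwd": r"C:\Windows\System32"},  # routine admin job
] + [{"id": 4724, "ts": f"2025-12-15T03:10:{10 + i:02d}", "subject": r"CORP\svc-deploy"}
     for i in range(6)]
```

The diskpart record is flagged only by its working directory, since the destructive commands live in the script file passed with /s rather than on the command line; the robocopy record from System32 produces no finding.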

MITRE ATT&CK TTPs

Execution

  • T1059: Command and Scripting Interpreter
    • T1059.003: Windows Command Shell

Persistence

  • T1078: Valid Accounts
    • T1078.002: Domain Accounts

Defense Evasion

  • T1036: Masquerading
    • T1036.005: Match Legitimate Name or Location
  • T1140: Deobfuscate/Decode Files or Information
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools

Discovery

  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1049: System Network Connections Discovery

Lateral Movement

  • T1080: Taint Shared Content

Credential Access

  • T1098: Account Manipulation

Impact

  • T1561: Disk Wipe
    • T1561.001: Disk Content Wipe
    • T1561.002: Disk Structure Wipe
  • T1485: Data Destruction
  • T1490: Inhibit System Recovery
  • T1489: Service Stop
  • T1531: Account Access Removal

Indicators of Compromise (IoCs)

MD5 Hashes

  • 0b83ce69d16f5ecd00f4642deb3c5895
  • c6d0f67db6a7dbf1f9394d98c1e13670
  • b41d0cd22d5b3e3bdb795f81421a11cb

SHA256 Hashes

  • 405177294F6F9268432A43998049AD0D4A61C6909216533B8713C911BC430755
  • 9D05854C95C6AFA68911BD28AF12282185E0FE34F2E58FDDBC503AB22D1508D7
  • 1D6F374087087738B7699EBF91F1CFDB3B2A65C2E9BE72E106EE7C9814BE3274

References

https://securelist.com/tr/lotus-wiper/119472/
