Kaspersky has disclosed a previously undocumented data-wiping malware called Lotus Wiper, used in a destructive campaign against Venezuela’s energy and utilities sector in late 2025 and early 2026. The malware overwrites physical disk sectors and eliminates all recovery options, making remediation impossible — no ransom demand was ever made, pointing to sabotage rather than financial motivation.
Lotus Wiper Malware: What We Know So Far
Lotus Wiper was compiled in late September 2025. A sample linked to the campaign was uploaded to a public malware repository in mid-December from a computer in Venezuela. The full extent of affected organizations has not been publicly confirmed, but Kaspersky’s analysis identifies energy firms and utilities as the primary targets.
Unlike ransomware — which preserves the possibility of decryption — Lotus Wiper is designed for irreversible destruction. The malware operates at the physical disk level via IOCTL calls, executing the following sequence:
- Disk geometry enumeration — maps physical drive structure before destructive operations begin
- USN journal clearing — removes the NTFS update sequence number journal, eliminating file-change history used for forensic recovery
- Shadow copy and restore point deletion — removes VSS snapshots that would otherwise allow rollback
- Physical sector overwrite — overwrites raw disk sectors, not just logical volumes, making data irrecoverable even with forensic tools
Two batch scripts coordinate the destructive phase across the network, weakening system defenses and disrupting normal operations before deobfuscating and executing the final wiper payload. Kaspersky’s analysis highlights sophisticated living-off-the-land (LotL) techniques: the attack leans heavily on native Windows tooling to blend with legitimate administrative activity, reducing the footprint detectable by EDR solutions.
No CVE has been assigned — Lotus Wiper is purpose-built malware, not an exploit of a known vulnerability. The attack vector used to gain initial access to the target networks has not been publicly confirmed at time of writing. Monitor Kaspersky’s SecureList for updated indicators of compromise.
Why Lotus Wiper Malware Matters
The absence of a ransom demand is the key signal here. Lotus Wiper is not ransomware that happened to be poorly written — it is a purpose-built tool for destruction. The geopolitical timing is notable: the malware was compiled in September 2025, deployed against Venezuelan energy infrastructure in late 2025, and the campaign coincided with intensifying political instability in the country, including the capture of Venezuela’s then-president Nicolás Maduro on January 3, 2026.
Destructive wiper attacks against energy and utility infrastructure carry outsized operational risk. Unlike IT environments where wiped systems can be restored from clean backups, OT and ICS environments often run legacy systems with poorly maintained backup cycles. An irreversible disk-level wipe can knock out billing systems, SCADA interfaces, and operational monitoring platforms simultaneously.
The LotL methodology also complicates detection. Defenders cannot rely on signature-based AV to catch attacks that use built-in Windows binaries like diskpart and vssadmin, or IOCTL calls routed through legitimate system processes. Behavioral detection tuned to abnormal disk operations, bulk shadow copy deletion, and unusual IOCTL call chains is required.
Lotus Wiper Malware: What You Should Do Now
If you operate OT, ICS, or energy-sector infrastructure — or if you manage IT environments that support operational technology — take these steps:
- Audit VSS and restore point configurations. Ensure shadow copies are enabled and verified. Consider offsite or air-gapped backups that cannot be deleted by scripts running on the host.
- Enable logging for disk IOCTL operations. Modern EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) can log raw IOCTL calls. Verify that rules alert on unusual disk geometry queries or bulk sector writes from non-storage processes.
- Alert on `vssadmin delete shadows` and similar commands. These commands have no legitimate automated use case in most environments. A behavioral rule catching any process invoking VSS deletion should trigger immediate investigation.
- Segment OT networks from IT. If Lotus Wiper gained lateral movement capability through batch scripts coordinating across the network, flat network architectures amplify the blast radius. Enforce strict segmentation between IT and OT environments with unidirectional gateways where possible.
- Pull Kaspersky’s IOCs and cross-reference with your SIEM. The Kaspersky SecureList analysis contains hashes and behavioral indicators. Ingest these into your threat intelligence platform and run retroactive hunts across historical logs.
Detection and Verification Checklist
- [ ] Search SIEM/EDR for `vssadmin delete shadows /all /quiet` or the PowerShell equivalent (`Remove-WmiObject Win32_ShadowCopy`)
- [ ] Query for processes issuing `IOCTL_DISK_GET_DRIVE_GEOMETRY` or `IOCTL_DISK_FORMAT_TRACKS` from non-storage system processes
- [ ] Check for batch scripts executing across multiple hosts simultaneously via task scheduler or remote execution (PSExec, WMI)
- [ ] Verify backup integrity: confirm offsite backups are current and isolated from network-accessible paths
- [ ] Review network segmentation between IT and OT environments — look for unexpected cross-segment traffic in the weeks prior to any detection
- [ ] Validate that your EDR’s tamper protection is enabled — wipers frequently target security software first
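The two detection items above (alerting on any native shadow-copy deletion, and spotting the same activity coordinated across several hosts) can be expressed as a small hunting rule. This is an added example, not Kaspersky's or any vendor's code; the process-creation records, hostnames and the three-host/ten-minute thresholds are constructed assumptions for illustration.

```python
# Added example (not Kaspersky's or any vendor's code): behavioural detection for
# the VSS-deletion step of a wiper, run over constructed process-creation records.
# Check 1 flags any native shadow-copy deletion command; check 2 flags that
# command firing on several hosts within one short window (coordinated batch scripts).
import re
from datetime import datetime, timedelta

# Native VSS-deletion command shapes. Case-insensitive; order-agnostic for PowerShell.
VSS_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_win32_shadowcopy": re.compile(
        r"(?=.*\bWin32_ShadowCopy\b)(?=.*\bRemove-(WmiObject|CimInstance)\b)", re.I),
}

def classify(cmdline):
    """Name of the first matching deletion pattern, or None for benign commands."""
    for name, pat in VSS_DELETE_PATTERNS.items():
        if pat.search(cmdline):
            return name
    return None

def detect(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return (per_event_alerts, coordinated_hosts): every matching command line as
    (host, time, pattern), plus the distinct hosts that matched inside one `window`
    when at least `min_hosts` did (empty set otherwise). Thresholds are tuning choices."""
    hits = sorted((e["time"], e["host"], name) for e in events
                  if (name := classify(e["cmdline"])))
    coordinated = set()
    for i, (t0, _, _) in enumerate(hits):          # sliding window over time-ordered hits
        hosts = {h for t, h, _ in hits[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts:
            coordinated |= hosts
    return [(h, t, n) for t, h, n in hits], coordinated

# Constructed sample: three hosts hit within two minutes, plus two benign vssadmin uses.
T0 = datetime(2025, 12, 15, 2, 0, 0)
SAMPLE_EVENTS = [
    {"host": "HMI-01", "time": T0, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "HIST-02", "time": T0 + timedelta(seconds=40),
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"host": "ENG-03", "time": T0 + timedelta(minutes=2), "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"host": "FILE-04", "time": T0 + timedelta(minutes=5), "cmdline": "vssadmin list shadows"},
    {"host": "BACKUP-01", "time": T0 + timedelta(hours=6), "cmdline": "vssadmin create shadow /for=C:"},
]

if __name__ == "__main__":
    alerts, coordinated = detect(SAMPLE_EVENTS)
    for host, when, pattern in alerts:
        print(f"ALERT {when:%H:%M:%S} {host}: {pattern}")
    print("coordinated deletion across hosts:", sorted(coordinated) or "none")
```

In production the records would come from Sysmon Event ID 1 or EDR process telemetry rather than the inline list, and the window and host thresholds should be tuned to the environment's backup schedule.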
No vendor patch is available because Lotus Wiper is not a vulnerability exploit. The defense is configuration hardening, behavioral detection, and resilient backup architecture.
— Sources: Dark Reading, BleepingComputer, Kaspersky SecureList, The Hacker News, SecurityWeek