A novel and devastating file wiper has been discovered targeting critical infrastructure in South America. Against the backdrop of the geopolitical tensions in the Caribbean region in late 2025 and early 2026, security researchers from Kaspersky Labs have identified a coordinated campaign aimed specifically at the energy and utilities sector in Venezuela.
The malware, dubbed Lotus Wiper, represents a pure form of digital sabotage. Unlike ransomware, which seeks financial gain, this threat “aims to destroy data permanently rather than steal it or demand a ransom”.
Lotus Wiper is not a standalone tool but the final payload of a highly organized infection chain. The operation utilizes two sophisticated batch scripts to “coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations”.
Once the environment is primed, the Lotus Wiper payload initiates its destructive phase:
- Recovery Removal: The wiper systematically removes system recovery mechanisms to prevent restoration.
- Drive Overwriting: It “overwrites the content of physical drives” to ensure that data recovery is impossible.
- Total Erasure: Files are systematically deleted across all affected volumes, “ultimately leaving the system in an unrecoverable state”.
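Because recovery removal precedes the overwrite phase, it is the last point at which a defender can still act. The following is an added example, not code from the report or from Kaspersky: it scans constructed Windows process-creation events for commands that disable recovery mechanisms and raises a per-host alert. The command patterns are assumed typical indicators of this phase in general, not the exact commands Lotus Wiper uses, and the host names and events are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real Lotus Wiper telemetry).
SAMPLE_EVENTS = [
    {"host": "plc-hmi-01", "parent": "cmd.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "plc-hmi-01", "parent": "cmd.exe", "cmd": "wbadmin.exe delete catalog -quiet"},
    {"host": "plc-hmi-01", "parent": "cmd.exe", "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "fileserver-02", "parent": "explorer.exe", "cmd": "vssadmin.exe list shadows"},
    {"host": "workstation-07", "parent": "backup-agent.exe", "cmd": "wbadmin.exe start backup -backupTarget:E:"},
]

# Commands that remove or disable Windows recovery mechanisms. These are
# assumed, commonly seen indicators of a "recovery removal" phase, not a
# claim about the specific commands in the Lotus Wiper scripts.
RECOVERY_REMOVAL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def matches_recovery_removal(cmd: str) -> bool:
    """True when a command line matches any recovery-removal pattern."""
    return any(p.search(cmd) for p in RECOVERY_REMOVAL_PATTERNS)


def find_wiper_precursors(events, threshold=2):
    """Group matching commands per host; return hosts at or above the threshold.

    Listing or creating backups is benign and is ignored; several removal
    commands on one host in the same window is the signal worth paging on.
    """
    hits = defaultdict(list)
    for ev in events:
        if matches_recovery_removal(ev["cmd"]):
            hits[ev["host"]].append(ev["cmd"])
    return {host: cmds for host, cmds in hits.items() if len(cmds) >= threshold}


if __name__ == "__main__":
    for host, cmds in find_wiper_precursors(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(cmds)} recovery-removal commands")
        for c in cmds:
            print("   ", c)
```

In production the events would come from Sysmon event ID 1 or Security event 4688 with command-line auditing enabled, and the threshold would be evaluated over a short time window per host.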
Evidence suggests that this was not a spontaneous attack. Analysis of the artifacts indicates that “the attacker had been preparing for this attack for several months”.
Key indicators of this persistence include:
- Early Compilation: The Lotus Wiper sample was compiled in late September 2025, several months before being uploaded to a public resource in mid-December.
- Environmental Familiarity: The batch scripts contained specific functionalities for older versions of Windows, leading researchers to conclude that “the attackers likely had knowledge of the environment and compromised the domain long before the attack occurred”.
Lotus Wiper joins the ranks of other infamous destructive tools like NotPetya and HermeticWiper. These threats are particularly dangerous because they “merely erase or overwrite data rendering systems unbootable and recovery impossible”.
For critical infrastructure providers, the discovery of Lotus Wiper serves as a vital reminder to “secure storage and conduct tests to ensure vital systems and data can be promptly restored”. In the world of wiper attacks, a robust, offline and regularly tested backup is often the only line of defense between an operational system and permanent loss.