# Lotus Wiper: New Data Destruction Malware Unleashed Against Venezuelan Energy Infrastructure


A previously unknown data wiper malware dubbed Lotus Wiper has been identified in coordinated destructive attacks targeting Venezuela's energy and utilities sector, according to cybersecurity researchers at Kaspersky. The discovery marks the emergence of yet another destructive malware variant designed to permanently erase critical data from infected systems—raising alarms about the escalating sophistication of cyberattacks against critical infrastructure in Latin America.


## The Threat: Lotus Wiper Emerges


Lotus Wiper represents a novel addition to the growing arsenal of destructive malware families documented by security researchers in recent years. Unlike malware designed for espionage, data theft, or financial gain, Lotus Wiper's sole purpose is destruction: to systematically wipe files from infected systems, rendering data irrecoverable and disrupting critical operations.


The malware was first identified in attacks dating back to late 2025 and continuing into early 2026, with Venezuela's energy and utilities infrastructure serving as the primary target. The discovery underscores a troubling trend in which nation-state actors and sophisticated threat groups increasingly deploy destructive malware to cripple critical infrastructure, particularly in politically sensitive regions.


Key characteristics of Lotus Wiper:

  • Designed specifically for data destruction and permanent file erasure
  • Uses batch scripts to automate the wiping process
  • Targets critical infrastructure in the energy sector
  • Represents a previously unknown malware family

## Technical Architecture and Execution Method


According to Kaspersky's analysis, Lotus Wiper employs a relatively straightforward but effective approach: two primary batch scripts orchestrate the attack. These scripts work in tandem to identify, target, and systematically destroy files on infected systems.


The batch script methodology provides several tactical advantages for attackers:


| Aspect | Technical Detail |
|--------|-----------------|
| Execution Environment | Native Windows batch processing (cmd.exe) |
| Stealth Level | Moderate: relies on legitimate, built-in system tools rather than a custom binary |
| Persistence Method | Not detailed in the public reporting; scheduled tasks or startup entries are the usual choice for script-based payloads |
| Target Specificity | Appears configured for critical infrastructure systems |
| Recovery Difficulty | Very high: files that are overwritten rather than merely deleted cannot be recovered from the disk |


The use of batch scripts rather than a compiled executable payload suggests the attackers prioritized reliability and simplicity over evasion. A script that only invokes built-in Windows commands leaves no custom binary for signature-based antivirus to match, and it can be edited trivially if a signature does appear; the price is that every command it runs is visible in process-creation and command-line logging, so a defender who collects that telemetry has a clear view of the attack. For the attacker the trade is worthwhile: predictable, reproducible execution matters most when the goal is to take down infrastructure in a single pass.


Once deployed, the malware systematically identifies and destroys data across multiple storage locations, making recovery extremely difficult without offline backups. This destructive goal distinguishes Lotus Wiper from malware families that exfiltrate data or encrypt it for ransom.


## Campaign Scope and Targeting


Venezuela's energy sector represents a strategically significant target. The nation has experienced repeated cyberattacks against its power grid and utilities infrastructure in recent years, with some attributed to state-sponsored actors. The targeting of Venezuelan infrastructure suggests that Lotus Wiper may be part of a broader, coordinated cyber campaign with geopolitical implications.


The timing of the attacks, spanning late 2025 through early 2026, suggests a sustained campaign rather than a one-off incident. An operational window of that length indicates the attackers held access to target networks for a prolonged period, likely gained through initial access methods such as:


  • Spear-phishing campaigns targeting critical infrastructure personnel
  • Exploitation of unpatched vulnerabilities in internet-facing systems
  • Compromised credentials obtained through previous breach activity
  • Supply chain compromise affecting infrastructure operators


The fact that Kaspersky identified and documented the malware indicates at least one successful intrusion, though the full scope of affected systems and data loss remains unclear.


## Broader Context: Data Wiper Malware Trends


Lotus Wiper joins a concerning lineup of destructive malware families that have emerged or expanded in recent years. Notable predecessors include:


  • WhisperGate (January 2022): Destructive malware disguised as ransomware, deployed against Ukrainian government and IT organizations weeks before the Russian invasion
  • HermeticWiper (February 2022): Used in attacks against Ukrainian organizations on the eve of the invasion
  • AcidRain (February 2022): Wiped Viasat KA-SAT satellite modems, disrupting connectivity in Ukraine and elsewhere in Europe
  • IsaacWiper (February 2022): Deployed against a Ukrainian governmental network the day after HermeticWiper


The emergence of destructive malware often correlates with geopolitical tensions and conflicts. The deployment of Lotus Wiper against Venezuelan infrastructure suggests either state-level involvement or a threat actor with nation-state-level operational capability.


## Implications for Critical Infrastructure Security


The discovery of Lotus Wiper carries serious implications for organizations operating in critical infrastructure sectors:


### Operational Risk

Data destruction attacks can halt operations, prevent rapid recovery, and cause cascading failures across interconnected systems. Because hospitals, communications, water systems, and other essential services all depend on energy infrastructure, an outage there cascades into all of them.


### Regulatory and Compliance Impact

Affected organizations must notify regulators and potentially customers or the public about data loss. Depending on jurisdiction and data involved, this may trigger mandatory breach disclosures and regulatory investigations.


### Attribution and Response Complexity

Destructive attacks are inherently difficult to attribute definitively. Organizations must determine whether the attack represents state-sponsored activity, which carries different threat-assessment and response implications than criminal activity does.


### Recovery and Business Continuity

Organizations without comprehensive offline backups may face extended recovery timelines. Forensic carving can sometimes recover files that were merely deleted, but data that a wiper has overwritten, and for which no backup exists, cannot be recovered by any technical means.


## Recommendations for Organizations


Immediate Actions:


  • Inventory critical data: Identify systems and data essential to operations
  • Test backup integrity: Verify that offline backups are truly isolated and restorable
  • Review access controls: Audit authentication and authorization to critical systems
  • Monitor for indicators: Search systems for evidence of suspicious batch script execution or file deletion activity
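A practical form of the "monitor for indicators" step, which also covers the batch-script methodology described in the technical section above: the following Python script, added here as an example and not code from Kaspersky's report or from the malware itself, scores Windows process-creation events (Sysmon Event ID 1 or Security Event ID 4688 style) for the generic hallmarks of a script-driven wiper. The indicator patterns, score weights, alert threshold and sample events are all assumptions chosen for illustration; no Lotus Wiper command lines are reproduced here because none have been published.

```python
"""Score Windows process-creation events for batch-driven wiper tradecraft.
Added example: the indicator patterns, weights, threshold and sample events are
assumptions for illustration, not published Lotus Wiper indicators."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    host: str
    command_line: str


# Generic hallmarks of script-driven destruction, each with a weight.
# Weights are an assumption; tune them against your own baseline.
INDICATORS = [
    ("batch_launch",
     re.compile(r"\.(bat|cmd)\b", re.I), 1),
    ("recursive_delete",
     re.compile(r"\b(del|erase|rmdir|rd)\b[^&|]*\s/s\b", re.I), 3),
    ("shadow_copy_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s.*shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I), 4),
    ("boot_config_tamper",
     re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)", re.I), 4),
    ("disk_overwrite",
     re.compile(r"\bformat(\.com)?\s+[a-z]:|cipher(\.exe)?\s+/w:", re.I), 4),
]

ALERT_THRESHOLD = 5  # assumption: one high-severity hit, or several low ones


def score_event(event):
    """Return [(indicator_name, weight), ...] for every pattern the command line matches."""
    return [(name, weight) for name, pattern, weight in INDICATORS
            if pattern.search(event.command_line)]


def triage(events, threshold=ALERT_THRESHOLD):
    """Aggregate indicator weights per host and return the hosts at or above threshold.

    In production, bucket by host *and* time window (minutes) so that unrelated
    maintenance scripts run weeks apart do not accumulate into an alert."""
    per_host = {}
    for event in events:
        for name, weight in score_event(event):
            entry = per_host.setdefault(event.host, {"score": 0, "indicators": []})
            entry["score"] += weight
            entry["indicators"].append(name)
    return {host: data for host, data in per_host.items() if data["score"] >= threshold}


# Constructed sample telemetry: one host running a destructive script chain,
# one host running a benign scheduled cleanup.
SAMPLE_EVENTS = [
    ProcessEvent("hmi-01", r'cmd.exe /c "C:\ProgramData\stage\run.bat"'),
    ProcessEvent("hmi-01", r'cmd.exe /c del /f /s /q "D:\Historian\*.*"'),
    ProcessEvent("hmi-01", r"vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("eng-03", r'cmd.exe /c "C:\Scripts\nightly_cleanup.bat"'),
    ProcessEvent("eng-03", r"cmd.exe /c del /q C:\Temp\*.log"),
]

if __name__ == "__main__":
    for host, data in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score {data['score']} {sorted(set(data['indicators']))}")
```

Feed it events exported from your SIEM or EDR instead of `SAMPLE_EVENTS`. A single `.bat` launch is deliberately low-weight, since scheduled cleanup scripts are common on engineering workstations; the alert fires when a batch launch is followed on the same host by recursive deletion, shadow-copy removal, boot-configuration tampering or disk overwriting, which is the sequence a script-driven wiper must perform regardless of the specific family.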

Strategic Improvements:


  • Implement 3-2-1 backup strategy: Three copies of critical data, on two different media types, with one copy offline
  • Deploy SIEM solutions: Centralized logging and monitoring enables rapid detection of destructive activity
  • Conduct incident response drills: Test organizational ability to detect and respond to attacks
  • Segment networks: Isolate critical infrastructure networks from general IT environments
  • Apply security patches: Systematically patch vulnerabilities that could enable initial access
  • Enhance threat intelligence: Subscribe to alerts regarding destructive malware variants targeting your sector
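To make the "test backup integrity" and 3-2-1 items above concrete, here is an added Python example (not from the original article) of a restore drill: a SHA-256 manifest is written when the backup is taken and kept with the offline copy, and after a test restore every file is checked against it, so that a wiper that truncated or overwrote files on the live system cannot pass unnoticed into the restored copy. Directory names and file contents are constructed for the demonstration.

```python
"""Restore drill: build a SHA-256 manifest of a backup set and verify a restored
copy against it. Added example; directory layout and file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (path relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time.

    Returns missing (in manifest, absent after restore), altered (present but
    content differs), extra (present but never backed up) and an overall ok flag.
    A wiper that truncates or overwrites files shows up under 'altered'; one that
    deletes them shows up under 'missing'. Extra files are reported but do not
    fail the drill."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    altered = sorted(name for name in manifest.keys() & current.keys()
                     if manifest[name] != current[name])
    return {"missing": missing, "altered": altered, "extra": extra,
            "ok": not missing and not altered}


def demo():
    """Constructed drill: back up three files, restore two of them, one corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "scada").mkdir(parents=True)
        (backup / "historian").mkdir()
        (backup / "config.ini").write_text("[plant]\nsite=example\n")
        (backup / "scada" / "tags.csv").write_text("tag,value\nGEN1_MW,412\n")
        (backup / "historian" / "2025-12.dat").write_bytes(b"\x00\x01" * 512)
        manifest = build_manifest(backup)  # keep this alongside the offline copy

        restored = Path(tmp) / "restored"
        (restored / "scada").mkdir(parents=True)
        (restored / "config.ini").write_text("[plant]\nsite=example\n")  # intact
        (restored / "scada" / "tags.csv").write_text("")                  # truncated
        # historian/2025-12.dat was never restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print("restore ok" if result["ok"] else f"restore FAILED: {result}")
```

The manifest must be written at backup time and stored with the offline copy, not regenerated from the live system after an incident; otherwise it would faithfully record the wiped state. Keeping a copy of the manifest on a third medium, as the 3-2-1 rule suggests, also lets you detect whether the offline media themselves were tampered with.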

## Looking Ahead


As Lotus Wiper demonstrates, the threat landscape continues to evolve with new destructive malware variants targeting critical infrastructure. The emergence of novel data wipers suggests threat actors are developing specialized tools for destructive campaigns, moving beyond conventional ransomware and espionage tactics.


Organizations operating critical infrastructure must recognize that destructive malware represents an asymmetric threat: defenders must stop every attempt, while attackers need only succeed once. The discovery of Lotus Wiper serves as a critical reminder that comprehensive cybersecurity, robust backups, and rapid incident response capabilities are not optional; they are essential.


For the latest cybersecurity threat intelligence and analysis, follow HackWire's ongoing coverage of emerging malware variants and critical infrastructure security developments.