A sophisticated cyberattack involving a newly identified wiper malware has been detected in Venezuela’s energy and utilities sector, according to cybersecurity experts at Kaspersky. The threat, known as Lotus Wiper, has been utilized in recent attacks aimed at disrupting operations within this critical industry.
Targeted Cyber Assault on Venezuelan Energy
The attack specifically targeted a Venezuelan organization, employing batch scripts to compromise defenses and facilitate the deployment of the Lotus Wiper. This malware, likely compiled in September 2025, was publicly shared in mid-December, indicating a coordinated and strategic approach to cyber warfare.
Kaspersky’s analysis revealed that the wiper effectively dismantles recovery systems and erases data across multiple drives, rendering the affected systems inoperable. The absence of any ransom demands or extortion tactics underscores the malware’s focused intent on causing destruction rather than financial gain.
Implications of Geopolitical Tensions
The timing of this cyberattack coincides with heightened geopolitical tension in the Caribbean region, particularly in late 2025 and early 2026. Although Kaspersky has not attributed the attack to any specific group, the broader geopolitical context suggests a potential link to these regional conflicts.
Reports have surfaced indicating that cyber operations, similar to those used in the Lotus Wiper attack, may have been part of the U.S. strategy to facilitate the extraction of Venezuelan President Nicolas Maduro in early January 2026, by targeting power grids and air defense systems.
Technical Breakdown of the Attack
The initial phase of the attack involves a batch script designed to disable Windows Interactive Services Detection, preventing alerts during the malware execution. The script was written with older Windows versions in mind, where this service is still present and active.
Another critical element is the script’s reliance on a NETLOGON share file check, which acts as a trigger to execute subsequent malicious activities across the network. This mechanism mirrors traditional backdoor techniques, employing external resources as control signals for the malware.
Subsequent scripts further disable system functionalities by altering user accounts, blocking network connections, and systematically wiping data from logical drives. These actions are followed by the execution of a pre-positioned binary, leading to the final deployment of the Lotus Wiper.
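As an added defender-side illustration, not code from the Kaspersky report or from this article, the following Python correlates process-creation records (timestamp, host, command line) against the stages of the chain described above and flags a host only when several distinct stages occur within a short window, which separates the scripted sequence from routine administration. UI0Detect is the real service name of Interactive Services Detection; the regular expressions, host names and sample command lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, illustrative patterns for the stages the article describes.
STAGES = [
    ("disable_interactive_services_detection",
     re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config|delete)\s+ui0detect\b", re.I)),
    ("netlogon_share_check", re.compile(r"\\\\[^\\\s]+\\netlogon\\", re.I)),
    ("account_tampering",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*(/active:no|/delete|/add)", re.I)),
    ("network_blocking",
     re.compile(r"\bnetsh(\.exe)?\b.*(action=block|blockinbound|blockoutbound|admin=disable)", re.I)),
    ("drive_wiping",
     re.compile(r"\bformat\s+[a-z]:|\bcipher\s+/w:|\b(del|rd|rmdir)\b.*\s/s\b.*[a-z]:\\", re.I)),
]
WINDOW = timedelta(minutes=30)  # the chain must unfold within this span on one host
MIN_STAGES = 3                  # distinct stages inside WINDOW that raise an alert


def classify(cmd):
    """Stage names a single command line matches (usually zero or one)."""
    return [name for name, rx in STAGES if rx.search(cmd)]


def correlate(records):
    """records: (ISO timestamp, host, command line). Returns per host the
    distinct stages seen and whether MIN_STAGES of them fell inside WINDOW."""
    hits = defaultdict(list)
    for ts, host, cmd in records:
        for stage in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), stage))
    out = {}
    for host, events in hits.items():
        events.sort()
        alert = any(len({s for t, s in events[i:] if t - start <= WINDOW}) >= MIN_STAGES
                    for i, (start, _) in enumerate(events))
        out[host] = {"stages": sorted({s for _, s in events}), "alert": alert}
    return out


# Constructed sample: one host running the whole chain in minutes, one admin
# workstation that touches NETLOGON and adds a single firewall rule hours apart.
SAMPLE = [
    ("2026-01-05T02:10:11", "srv-ops01", "sc stop UI0Detect"),
    ("2026-01-05T02:10:12", "srv-ops01", r"if exist \\dc01\NETLOGON\go.txt call stage2.bat"),
    ("2026-01-05T02:11:40", "srv-ops01", "net user backupadm /active:no"),
    ("2026-01-05T02:12:03", "srv-ops01", "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"),
    ("2026-01-05T02:12:30", "srv-ops01", "rd /s /q D:\\"),
    ("2026-01-05T09:00:00", "wks-admin7", r"copy \\dc01\NETLOGON\logon.bat C:\temp"),
    ("2026-01-05T15:30:00", "wks-admin7", "netsh advfirewall firewall add rule name=blk dir=out action=block remoteip=10.9.9.9"),
]
```

Calling correlate(SAMPLE) flags srv-ops01 with all five stages and leaves wks-admin7 unflagged, since its two hits are hours apart and below MIN_STAGES.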
In conclusion, the use of Lotus Wiper highlights the evolving nature of cyber threats targeting critical infrastructure. The attack not only disrupted operations but also exemplified the increasing sophistication of cyberweaponry in geopolitical conflicts. Ongoing vigilance and advanced security measures are essential to mitigate the impact of such targeted cyberattacks in the future.
