PROBABLYPWNED
Malware | April 21, 2026 | 5 min read

Lotus Wiper Targeted Venezuelan Energy Sector Before Maduro Capture

Kaspersky exposes Lotus, a data wiper deployed against Venezuela's energy utilities in December 2025. The malware destroys recovery mechanisms and leaves systems unrecoverable.

James Rivera

Kaspersky researchers have publicly disclosed Lotus, a previously undocumented data wiper that targeted Venezuelan energy and utilities organizations. The malware was uploaded to a public scanning platform from a Venezuelan machine in mid-December 2025—the same week state oil company PDVSA suffered a crippling cyberattack that disrupted export operations.

The timing places Lotus alongside rising geopolitical tensions: US authorities had seized a sanctioned PDVSA tanker carrying Venezuelan crude, and within weeks, US forces would conduct Operation Absolute Resolve to capture President Nicolás Maduro. Whether Lotus played any role in those events remains unclear, but its destructive design leaves little ambiguity about intent. The attack follows a broader pattern of nation-state actors targeting critical infrastructure that CISA has repeatedly warned about.

How Lotus Destroys Systems

Lotus operates in distinct phases, beginning with preparation scripts that systematically weaken defenses before the wiper delivers the killing blow.

Preparation Phase — Two batch scripts run first:

  • OhSyncNow.bat disables the Windows UI0Detect service, which monitors for programs needing user interaction in session zero. Disabling this service allows malicious processes to execute without prompting visible alerts.
  • notesreg.bat disables user accounts, shuts down network interfaces, and clears cached login credentials. This isolates the machine and prevents remote recovery attempts.

Destruction Phase — The scripts then leverage native Windows utilities to begin destroying data:

  • diskpart clean all wipes partition tables and disk structures
  • robocopy overwrites file contents with junk data
  • fsutil fills remaining disk space to prevent forensic recovery

Wiper Execution — Finally, the Lotus executable performs low-level disk operations via IOCTL calls:

  1. Retrieves disk geometry to understand physical drive layout
  2. Overwrites physical drives with zeros at the sector level
  3. Deletes all Windows restore points
  4. Clears USN journal entries that track file changes
  5. Zeroes, renames, and removes files across all volumes
  6. Repeats wipe cycles multiple times for thoroughness
  7. Updates disk properties to finalize changes

"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state," Kaspersky researchers wrote.

The PDVSA Connection

On December 15, 2025, PDVSA detected what it initially described as a ransomware attack. The company's website went offline, and sources told Reuters that systems managing Venezuela's main crude terminal were knocked out. Oil cargo deliveries were suspended, and employees resorted to phone calls and handwritten reports to manage daily operations.

PDVSA publicly downplayed the incident, claiming only administrative systems were affected. But internal sources contradicted this, confirming that contractor payments, production tracking, and export operations all suffered significant disruption.

Venezuela blamed the United States, framing the attack as economic aggression following the tanker seizure. Cybersecurity researchers have not found evidence supporting that attribution.

Whether Lotus was the malware used in the PDVSA incident is unconfirmed—the wiper appeared on VirusTotal from a Venezuelan IP during the same timeframe, but direct forensic links haven't been established.

Wiper Malware Against Critical Infrastructure

Destructive malware designed purely to destroy data—not extort payment—has become a favored tool in geopolitically motivated attacks. The technique saw widespread use during the Russia-Ukraine conflict and has since appeared globally against critical infrastructure targets.

Energy sector targeting specifically has intensified. We've covered ZionSiphon, malware designed to sabotage Israeli water treatment facilities, and Amazon's exposure of Sandworm operations targeting Western energy infrastructure over multiple years. Russia-aligned actors also deployed the DynoWiper against Polish power grid operators in late 2025, according to ESET research.

The pattern is consistent: wipers provide deniability that ransomware doesn't. Unlike ransomware attacks that demand payment, there's no negotiation, no payment trail, no ongoing relationship with victims. The attack simply destroys data and disappears.

Why This Matters

Lotus demonstrates that wiper malware targeting critical infrastructure isn't limited to Eastern European conflicts. Latin America's energy sector now faces the same class of destructive attacks that have plagued Ukraine's power grid for years.

The PDVSA incident—whatever its actual technical details—showed how quickly a major oil company can revert to pre-digital operations when systems go down. Export operations halted. Payments stopped. Production tracking failed. The economic damage compounds rapidly when an organization can't simply restore from backups because the attacker has systematically eliminated that option.

For organizations running critical infrastructure systems, the defensive takeaways remain familiar but urgent:

  • Maintain offline backups with tested restoration procedures—wipers specifically target recovery mechanisms
  • Monitor for precursor activity: watch for unexpected diskpart, robocopy, or fsutil usage
  • Detect Windows service manipulation, particularly UI0Detect and similar interactive services
  • Segment networks so compromised endpoints can't reach backup infrastructure
  • Assume ransomware isn't the only threat—destructive attacks provide no warning and no negotiation window
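The precursor behaviour described above (UI0Detect, account and interface disabling, followed by diskpart, robocopy and fsutil) is a practical detection target. The following Python script is an added example, not code from Kaspersky's report or any vendor tooling: it runs a small rule set over constructed process-creation log lines and raises a chain alert only when preparation-phase and destruction-phase commands land on the same host within one time window, so a lone scheduled robocopy backup does not fire it. The log format, hostnames and command-line patterns are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log lines (simplified Sysmon Event ID 1 fields);
# hosts, paths and timestamps are made up, not indicators from the report.
SAMPLE_EVENTS = [
    "2025-12-15T03:10:02 host=scada-ws01 user=SYSTEM image=C:\\Windows\\System32\\sc.exe cmdline=sc config UI0Detect start= disabled",
    "2025-12-15T03:10:05 host=scada-ws01 user=SYSTEM image=C:\\Windows\\System32\\net.exe cmdline=net user operator /active:no",
    '2025-12-15T03:10:09 host=scada-ws01 user=SYSTEM image=C:\\Windows\\System32\\netsh.exe cmdline=netsh interface set interface "Ethernet" admin=disable',
    "2025-12-15T03:11:40 host=scada-ws01 user=SYSTEM image=C:\\Windows\\System32\\diskpart.exe cmdline=diskpart /s C:\\Windows\\Temp\\d.txt",
    "2025-12-15T03:12:01 host=scada-ws01 user=SYSTEM image=C:\\Windows\\System32\\fsutil.exe cmdline=fsutil file createnew C:\\fill.bin 900000000000",
    "2025-12-15T09:30:00 host=fileserver02 user=backup image=C:\\Windows\\System32\\Robocopy.exe cmdline=robocopy D:\\share E:\\backup /MIR",
]

# Precursor rules keyed to the article's two phases. Command-line shapes are
# assumptions; diskpart reads "clean all" from a script, so only its launch is visible.
RULES = [
    ("prep", "UI0Detect service stopped/disabled", re.compile(r"\bsc(?:\.exe)?\s+(config|stop)\b.*\bUI0Detect\b", re.I)),
    ("prep", "user account disabled", re.compile(r"\bnet(?:\.exe)?\s+user\b.*/active:no", re.I)),
    ("prep", "network interface disabled", re.compile(r"\bnetsh\b.*\binterface\b.*admin=disable", re.I)),
    ("destroy", "diskpart scripted run", re.compile(r"\bdiskpart(?:\.exe)?\b", re.I)),
    ("destroy", "robocopy bulk overwrite", re.compile(r"\brobocopy(?:\.exe)?\b", re.I)),
    ("destroy", "fsutil disk fill", re.compile(r"\bfsutil(?:\.exe)?\s+file\s+createnew\b", re.I)),
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline=(.*)$")

def parse(line):
    m = LINE_RE.match(line)
    return None if m is None else {"ts": datetime.fromisoformat(m[1]), "host": m[2], "cmdline": m[5]}

def analyze(lines, window_minutes=15):
    # Collect rule hits per host, then flag a chain when preparation- and
    # destruction-phase hits occur on the same host inside one time window.
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for phase, name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits[ev["host"]].append((ev["ts"], phase, name))
    report, window = {}, timedelta(minutes=window_minutes)
    for host, items in hits.items():
        items.sort()
        chain = any({"prep", "destroy"} <= {p for t, p, _ in items[i:] if t - t0 <= window}
                    for i, (t0, _, _) in enumerate(items))
        report[host] = {"hits": [name for _, _, name in items], "chain": chain}
    return report
```

In a real deployment the individual hits still deserve triage; the chain flag is what should page someone.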

Kaspersky has not attributed Lotus to any specific threat actor. The geopolitical context surrounding Venezuela makes formal attribution complicated, and the researchers note that timing alignment with the Maduro capture operation could be coincidental or intentional.

What's clear is that the malware was built to destroy, and it targeted systems that keep the lights on.
