Vypr · breach · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

Lotus Wiper Attack Targets Venezuelan Energy Firms, Utilities

Kaspersky Lab has identified a previously unknown wiper, dubbed Lotus Wiper, used in a December 2025 attack against Venezuelan energy firms and utilities, relying on living-off-the-land techniques to disable defenses before destroying data.

Kaspersky Lab has analyzed a previously unknown wiper malware, dubbed Lotus Wiper, used in a December 2025 attack targeting Venezuelan energy firms and utilities. The attack relied heavily on living-off-the-land (LOTL) techniques and two batch scripts to disable defenses before deploying the wiper, which deletes recovery mechanisms, overwrites physical drives, and systematically destroys files. The payload targeted Petróleos de Venezuela SA (PDVSA), and the wiper samples were compiled in late September 2025. No additional samples have been found in other attacks.

The software was found on a publicly available resource and uploaded in December 2025. It used two batch scripts to coordinate the attack throughout the target's network, undermine system defenses, and hobble incident response. That was all a prelude to the final step: executing the previously unknown wiper program, Lotus Wiper, according to an analysis published by Kaspersky Lab. The samples were originally compiled in late September 2025, and the company has not found any additional samples as part of other attacks.

Lotus Wiper is effective at destroying system data and disrupting operations. The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state, the cybersecurity firm's researchers stated in their analysis. The attack is the latest destructive malware campaign targeting critical infrastructure, with Venezuelan energy companies and utilities the latest victims of data-wiping cyberattacks linked to real-world conflicts between nations.

In 2012, Saudi Arabia's state-owned oil-and-gas giant Saudi Aramco had 30,000 systems locked by the Shamoon data-wiping malware, an act attributed to Iran. The 2017 NotPetya attacks started in a Ukrainian provider of accounting software before spreading worldwide. Both Russia and Ukraine appear to have traded wiper-based cyberattacks following Russia's original seizure of Crimea in 2014 and its ongoing invasion of Ukraine, which started in 2022. Earlier this year, researchers attributed a wiper attack against Poland's power grid in late December to the Russian Sandworm group.

That's two different wiper attacks against critical infrastructure in the same month, says Collin Hogue-Spears, senior director of solution management at Black Duck, an application-security firm. "Different actors, different regions, same intent," he says. Kaspersky Lab did not attribute the Lotus Wiper attack to any actor nor identify the victim, and the company declined further comment on its research or the source of the attack.

However, the timing of the Lotus Wiper matches a cyberattack on Petróleos de Venezuela SA (PDVSA), the state-run oil-and-gas firm that suffered disruption in December following an alleged ransomware attack on Dec. 13. The company blamed the US for the attack and claimed that its operations were not affected, but independent reporting detailed that the loading of petroleum onto tankers had stalled. "This act of aggression adds to the public strategy of the US government to seize Venezuelan oil by force and piracy," the company stated in a Dec. 15 communique. "The working class of the hydrocarbon industry has faced attacks of this nature in the past. It was precisely their commitment, expertise, and loyalty that made it possible to detect and neutralize this new attack."

The company's domain, pdvsa.com, was part of the payload of the files, designating it as the targeted organization, adds Black Duck's Hogue-Spears. It's unsurprising that wiper attacks have become a go-to cyber weapon for a variety of nation-state conflicts, because the destructive attacks are an easy way to turn initial access into physical consequences, says Jimmy Wylie, a distinguished malware analyst at Dragos, an industrial and OT cybersecurity firm. "The Venezuelan attack is a continuation of a larger trend of threat groups relying on cheap but effective techniques," he says. "Wiper malware simply gets the job done with minimal development time."

On the other hand, the actors in the Lotus Wiper attack showed significant patience to map out their target's infrastructure and networks, a problem for poorly funded security teams, such as those in critical infrastructure, says Jacob Krell, senior director of secure AI solutions at Suzu Labs, a cybersecurity services firm. "Many critical energy and utilities organizations remain ill-prepared for the capabilities of a well-resourced nation-state actor," he says. "Lotus Wiper operators dwelled in the environment for months, staging binaries and preparing the terrain before executing the destructive phase. That dwell time reveals the gap."

Synthesized by Vypr AI