Breaking News — April 23, 2026
Cybersecurity researchers have discovered a previously undocumented data wiper dubbed Lotus Wiper that has been used in destructive attacks targeting Venezuela at the end of 2025 and start of 2026.
Key Findings
- Novel file wiper targeting energy and utilities sector in Venezuela
- Discovered by Kaspersky researchers
- Two batch scripts initiate the destructive phase and prepare the environment
- Wiper erases recovery mechanisms, overwrites physical drives, and deletes files across volumes
- No extortion or payment instructions — not financially motivated
Attack Chain
The attack begins with a batch script that triggers a multi-stage sequence:
- Stops Windows Interactive Services Detection (UI0Detect) service
- Checks for NETLOGON share and accesses remote XML file
- Introduces randomized delay of up to 20 minutes before retrying
- Second batch script enumerates user accounts, disables cached logins, logs off sessions
- Deactivates network interfaces and runs `diskpart clean all` to wipe logical drives
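A defender's view of the chain above, as an added example that is not from Kaspersky's report or the original page: it correlates process-creation events per host and alerts when several of the listed behaviours occur close together. The regexes, the 30-minute window (chosen to cover the up-to-20-minute delay), the threshold, the host names and the sample events are all assumptions constructed for illustration; the page does not give the scripts' exact command lines.

```python
import re
from datetime import datetime, timedelta

# Behaviour categories from the attack chain above. Patterns are assumptions
# about how each step might appear in process-creation logs.
RULES = {
    "stop_ui0detect": re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\"?ui0detect", re.I),
    "diskpart": re.compile(r"\bdiskpart(\.exe)?\b", re.I),
    "nic_disable": re.compile(r"netsh\s+interface\b.*admin=disabled|disable-netadapter", re.I),
    "session_logoff": re.compile(r"\blogoff(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window
THRESHOLD = 3                   # assumed: distinct behaviours needed to alert

# Constructed sample events: (ISO timestamp, host, command line).
EVENTS = [
    ("2026-01-02T03:00:05", "HMI-01", "sc stop UI0Detect"),
    ("2026-01-02T03:14:40", "HMI-01", "logoff 2"),
    ("2026-01-02T03:14:52", "HMI-01", 'netsh interface set interface "Ethernet" admin=disabled'),
    ("2026-01-02T03:15:10", "HMI-01", "diskpart /s C:\\Temp\\d.txt"),
    ("2026-01-02T09:30:00", "ADMIN-07", "diskpart"),  # lone administrative use
    ("2026-01-02T11:00:00", "ADMIN-07", "logoff"),
]

def classify(cmdline):
    """Return the names of all behaviour rules a command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: sorted behaviours} for hosts that show at least
    `threshold` distinct behaviours inside one sliding time window."""
    hits = {}
    for ts, host, cmd in sorted(events):
        t = datetime.fromisoformat(ts)
        for name in classify(cmd):
            hits.setdefault(host, []).append((t, name))
    alerts = {}
    for host, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts

if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

Requiring several distinct behaviours on one host keeps routine single uses of `diskpart` or `logoff` from alerting on their own.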
The sample was compiled in late September 2025 and uploaded in mid-December 2025 from a machine in Venezuela — weeks before U.S. military action in the country in early January 2026.
Source: The Hacker News / Kaspersky