A previously undocumented data-wiping malware called Lotus was deployed in targeted attacks against Venezuelan energy and utility organizations in late 2025. Analyzed by Kaspersky, the malware uses two preparatory batch scripts to disable defenses, enumerate and lock out users, and disable network interfaces before executing the final wiper payload. Lotus operates at a low level using IOCTL calls to overwrite physical disk sectors with zeros, delete restore points, clear USN journals, and fill free space to prevent recovery. The attacks coincide with geopolitical tensions in Venezuela and a cyberattack on state oil company PDVSA. Defenders are advised to monitor for suspicious use of diskpart, robocopy, and fsutil, as well as NETLOGON share changes and mass account modifications, and to maintain validated offline backups.
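The last sentence lists what defenders should watch for. As an added example (not code from the article or from Kaspersky's analysis), the script below runs those three checks over a handful of constructed Windows telemetry records shaped like Sysmon process-create (ID 1) and file-create (ID 11) events and Security-log account-management events (4724 password reset, 4725 account disabled, 4726 account deleted). The event records, host names, user names, the fsutil subcommand list and the five-accounts-in-five-minutes threshold are all assumptions made for the example; the path pattern for NETLOGON relies on the fact that the share is backed by SYSVOL\sysvol\<domain>\scripts on a domain controller.

```python
"""Hunt for the wiper precursor activity described in the summary.

All records in EVENTS are constructed for this example; they are not logs
from the incident.  Field names loosely follow Sysmon / Security-log fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the summary names as worth watching.  robocopy is routine in backup
# jobs, so it is surfaced for triage rather than treated as high severity.
WATCHED_TOOLS = {"diskpart.exe", "robocopy.exe", "fsutil.exe"}
# fsutil subcommands that touch recovery artifacts (assumption for this example).
FSUTIL_SUBCMDS = ("usn deletejournal", "file setzerodata", "file createnew")
# Directory that backs the NETLOGON share on a domain controller.
NETLOGON_RE = re.compile(r"\\sysvol\\[^\\]+\\scripts\\", re.IGNORECASE)
ACCOUNT_EVENTS = {4724: "password reset", 4725: "account disabled", 4726: "account deleted"}

EVENTS = [  # constructed sample telemetry
    {"ts": "2025-11-20T02:00:01", "host": "DC01", "id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c prep.bat"},
    {"ts": "2025-11-20T02:00:05", "host": "DC01", "id": 1, "image": r"C:\Windows\System32\fsutil.exe", "cmdline": "fsutil usn deletejournal /D C:"},
    {"ts": "2025-11-20T02:00:09", "host": "DC01", "id": 1, "image": r"C:\Windows\System32\diskpart.exe", "cmdline": r"diskpart /s C:\Users\Public\d.txt"},
    {"ts": "2025-11-20T02:00:12", "host": "DC01", "id": 11, "target": r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\run.bat"},
    {"ts": "2025-11-20T02:00:13", "host": "DC01", "id": 11, "target": r"C:\Users\Public\d.txt"},
    {"ts": "2025-11-20T02:01:00", "host": "DC01", "id": 4725, "actor": "svc_deploy", "target": "jsmith"},
    {"ts": "2025-11-20T02:01:02", "host": "DC01", "id": 4725, "actor": "svc_deploy", "target": "mlopez"},
    {"ts": "2025-11-20T02:01:03", "host": "DC01", "id": 4725, "actor": "svc_deploy", "target": "aperez"},
    {"ts": "2025-11-20T02:01:05", "host": "DC01", "id": 4725, "actor": "svc_deploy", "target": "rgomez"},
    {"ts": "2025-11-20T02:01:06", "host": "DC01", "id": 4724, "actor": "svc_deploy", "target": "backup_admin"},
    {"ts": "2025-11-20T02:04:00", "host": "DC01", "id": 4726, "actor": "svc_deploy", "target": "ot_operator"},
    {"ts": "2025-11-20T09:30:00", "host": "WS07", "id": 1, "image": r"C:\Windows\System32\robocopy.exe", "cmdline": r"robocopy D:\share \\backup\share /MIR"},
    {"ts": "2025-11-20T09:31:00", "host": "WS07", "id": 4724, "actor": "helpdesk", "target": "jsmith"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def watched_tool_hits(events):
    """Process-create events for diskpart/robocopy/fsutil, with a triage severity."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image not in WATCHED_TOOLS:
            continue
        cmd = e["cmdline"].lower()
        if image == "diskpart.exe" or (image == "fsutil.exe" and any(s in cmd for s in FSUTIL_SUBCMDS)):
            severity = "high"
        else:
            severity = "review"
        hits.append({"host": e["host"], "image": image, "cmdline": e["cmdline"], "severity": severity})
    return hits


def netlogon_changes(events):
    """File-create events under the directory that backs the NETLOGON share."""
    return [(e["host"], e["target"]) for e in events
            if e["id"] == 11 and NETLOGON_RE.search(e["target"])]


def mass_account_changes(events, window=timedelta(minutes=5), threshold=5):
    """One actor disabling/deleting/resetting >= threshold distinct accounts inside window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] in ACCOUNT_EVENTS:
            by_actor[(e["host"], e["actor"])].append((_ts(e), e["target"]))
    alerts = []
    for (host, actor), items in by_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # sliding window over sorted events
            targets = {t for ts, t in items[i:] if ts <= start + window}
            if len(targets) >= threshold:
                alerts.append({"host": host, "actor": actor, "targets": sorted(targets)})
                break
    return alerts


def summarize(events):
    return {"tools": watched_tool_hits(events),
            "netlogon": netlogon_changes(events),
            "accounts": mass_account_changes(events)}


if __name__ == "__main__":
    for section, findings in summarize(EVENTS).items():
        print(f"== {section} ==")
        for f in findings:
            print("  ", f)
```

On real data the three checks belong in separate rules with their own thresholds: diskpart and `fsutil usn deletejournal` on a server are rare enough to alert on directly, while robocopy and single password resets only become interesting when they cluster with the other signals on the same host within minutes, as they do in the sample.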

From bleepingcomputer.com (4 min read)