Lotus Wiper is a previously undocumented destructive wiper malware identified by Kaspersky in attacks targeting the energy and utilities sector in Venezuela in late 2025 and early 2026. The campaign was assessed as highly targeted, non-financially motivated, and likely prepared for months in advance; the malware was reportedly compiled in late September 2025 and a related sample was uploaded from a machine in Venezuela in mid-December 2025. Kaspersky did not publicly attribute the operation to a specific threat actor.
The attack chain used two batch scripts to coordinate execution across the victim network, weaken defenses, and hinder incident response before launching the final wiper payload. Reported artifacts include OhSyncNow.bat and notesreg.bat, with execution coordinated via a NETLOGON-hosted XML trigger file named OHSync.xml. The scripts attempted to disable the UI0Detect service, suggesting targeting of older Windows systems, and used living-off-the-land techniques and native Windows utilities including diskpart, robocopy, fsutil, netsh, qwinsta, and logoff. The preparatory stages enumerated local accounts, changed passwords to random strings, marked accounts inactive, disabled cached logons, logged off active sessions, disabled network interfaces, wiped logical drives with diskpart clean all, mirrored folders to overwrite or delete contents, and created large files to exhaust free disk space.
The final payload was staged behind masqueraded filenames resembling HCL Domino components, including nstats.exe, nevent.exe, and ndesign.exe. nstats.exe decrypted the XOR-encrypted payload and restored the Lotus Wiper executable before execution. Once launched, Lotus Wiper enabled privileges already present in its token, deleted Windows restore points via srclient.dll APIs, overwrote physical drives and sectors with zeroes using low-level disk IOCTLs, enumerated mounted volumes, cleared USN journal data, zeroed file contents with FSCTL_SET_ZERO_DATA, renamed files to random hexadecimal names, and deleted them with DeleteFileW or MoveFileExW, scheduling removal on reboot when files were locked. Kaspersky stated the malware erases data across physical drives and deletes files throughout system storage, leaving affected machines unrecoverable.
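The two stages above are visible almost entirely as process-creation telemetry, because the preparatory scripts run native utilities and the loader executes from the named working directory. The following detector is an added example written for this page; it is not code from Kaspersky, Mallory, or the Lotus Wiper samples. It scores constructed Windows process-creation records against the stages the reporting describes (UI0Detect disabled, accounts reset and deactivated, cached logons disabled, sessions logged off, interfaces disabled, diskpart wipe, robocopy mirror, fsutil fill, and the masqueraded nstats/nevent/ndesign names executing under a lotus directory). The reporting names the tools, not their exact flags, so every command-line pattern, the `ts|host|user|image|cmdline` record format, and the sample log lines are assumptions constructed here.

```python
"""Host-level detection for the Lotus Wiper preparatory stages (added example).

Matches constructed process-creation records against the living-off-the-land
stages described in the reporting. The exact command-line flags are
assumptions; tune them against your own telemetry before deploying.
"""
import re
from collections import defaultdict

# One regex per preparatory stage, matched against the process command line.
STAGE_PATTERNS = {
    "disable_ui0detect": re.compile(r"\bsc(?:\.exe)?\s+(?:config|stop)\s+ui0detect\b", re.I),
    "account_disable":   re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/active:no\b", re.I),
    "cached_logons_off": re.compile(r"\breg(?:\.exe)?\s+add\b.*cachedlogonscount\b.*\b0\b", re.I),
    "session_logoff":    re.compile(r"\b(?:qwinsta|logoff)(?:\.exe)?\b", re.I),
    "nic_disable":       re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+set\s+interface\b.*admin=disabled?\b", re.I),
    "diskpart_clean":    re.compile(r"\bdiskpart(?:\.exe)?\b.*(?:\s/s\s|clean\s+all)", re.I),
    "robocopy_mirror":   re.compile(r"\brobocopy(?:\.exe)?\b.*\s/(?:mir|purge)\b", re.I),
    "fsutil_fill":       re.compile(r"\bfsutil(?:\.exe)?\s+file\s+createnew\b", re.I),
}
# Matched against the image path: the masqueraded HCL Domino file names from the
# reporting, executing out of the lotus working directory it names.
STAGED_BINARY = re.compile(r"\\lotus\\n(?:stats|event|design)\.exe$", re.I)

# A single hit on these is enough to alert; the other stages need corroboration.
CRITICAL_STAGES = {"diskpart_clean", "staged_wiper_binary"}


def parse_line(line):
    """Parse one record in the constructed format ts|host|user|image|cmdline."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "user", "image", "cmdline"), parts))


def classify(cmdline, image=""):
    """Return the set of stage names one process-creation event matches."""
    stages = {name for name, rx in STAGE_PATTERNS.items() if rx.search(cmdline)}
    if STAGED_BINARY.search(image):
        stages.add("staged_wiper_binary")
    return stages


def score_hosts(lines, threshold=3):
    """Aggregate stages per host. Alert when any critical stage appears or when
    at least `threshold` distinct stages are seen; returns {host: sorted stages}."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed records rather than crash the pipeline
            continue
        seen[rec["host"]] |= classify(rec["cmdline"], rec["image"])
    return {host: sorted(st) for host, st in seen.items()
            if st & CRITICAL_STAGES or len(st) >= threshold}


# Constructed sample telemetry: one host running the full preparatory sequence,
# one host doing an ordinary robocopy mirror that must not alert on its own.
SAMPLE_LOG = [
    "2025-12-15T02:58:11Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\sc.exe|sc config UI0Detect start= disabled",
    "2025-12-15T02:58:14Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\net1.exe|net1 user jdoe Qx7pL2vR /active:no",
    '2025-12-15T02:58:20Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\reg.exe|reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f',
    "2025-12-15T02:58:31Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\logoff.exe|logoff 2",
    '2025-12-15T02:59:02Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\netsh.exe|netsh interface set interface "Ethernet0" admin=disable',
    "2025-12-15T02:59:40Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\diskpart.exe|diskpart /s C:\\lotus\\wipe.txt",
    "2025-12-15T03:00:05Z|SRV-OPS-01|CORP\\svc_backup|C:\\Windows\\System32\\fsutil.exe|fsutil file createnew C:\\lotus\\fill.bin 512000000000",
    "2025-12-15T03:01:12Z|SRV-OPS-01|CORP\\svc_backup|C:\\lotus\\nstats.exe|nstats.exe enc.bin out.exe",
    "2025-12-14T22:10:00Z|WS-HR-07|CORP\\mrivera|C:\\Windows\\System32\\Robocopy.exe|robocopy D:\\share E:\\backup /MIR /R:1",
    "2025-12-14T22:11:00Z|WS-HR-07|CORP\\mrivera|C:\\Windows\\System32\\ping.exe|ping 10.0.0.1",
    "malformed record with too few fields",
]

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The threshold exists because robocopy mirrors, fsutil file creation, and session logoffs all occur in ordinary administration; only their combination on one host within a short window, or the unambiguous diskpart wipe and staged binary, should page anyone. Hosts that genuinely run HCL Domino from a lotus directory will need the `STAGED_BINARY` path narrowed to the working directory reported for this campaign rather than any lotus folder.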
High-confidence indicators and artifacts mentioned in reporting include the filenames OhSyncNow.bat, notesreg.bat, OHSync.xml, nstats.exe, nevent.exe, and ndesign.exe; use of the C:\lotus or %SystemDrive%\lotus working directory; and abuse of native tools and APIs associated with destructive activity. Although reporting noted timing overlap with a December 2025 cyber incident affecting PDVSA and that pdvsa.com reportedly appeared in the payload, the available content states there is no proof Lotus Wiper was used in that incident.
26 distinct techniques documented for this family, organized by ATT&CK tactic.
The attack chain begins with a batch file called OhSyncNow.bat.
The wiper requires elevated privileges, often gained after attackers move from low-level accounts to higher access.
The malware masquerades as legitimate HCL Domino application components, with file names like nstats.exe, nevent.exe, and ndesign.exe designed to blend in with normal system activity.
"assiduously identified and deleted critical data" and "systematically deletes files across affected volumes"
and deletes files throughout a system’s storage, leaving affected machines impossible to restore.
Security teams should watch for token abuse, credential theft, and privilege escalation in logs.
The first argument refers to a file with XOR encryption applied to its entire contents; the decrypted contents are saved in the second file... the only purpose of nstats.exe is to decrypt and restore the wiper’s executable, which may have been encrypted to avoid detection.
"Lotus Wiper operators dwelled in the environment for months, staging binaries and preparing the terrain before executing the destructive phase."
The second batch script, if not run already, enumerates local user accounts...
"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state," the cybersecurity firm's researchers stated.
It enumerates local user accounts, changes their passwords to random strings, marks them inactive, disables cached logins, logs off active sessions, and shuts down all network interfaces using netsh.
the attackers used new wiper malware dubbed Lotus Wiper, which erases data across physical drives
The second batch script... runs the "diskpart clean all" command to wipe all identified logical drives on the system.
Once the compromised environment is prepared for destructive activity, the Lotus Wiper is launched to delete restore points, overwrite physical sectors by writing all zeroes...
It also recursively mirrors folders to overwrite existing contents or delete them using the robocopy command-line utility, and calculates available free space and utilizes fsutil to create a file that fills the entire drive to exhaust storage capacity and impair recovery.
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A destructive wiper malware used against Venezuelan energy and utilities targets. It removes recovery mechanisms, overwrites physical drives, and systematically deletes files across affected volumes, leaving systems unrecoverable. The attack also relied heavily on living-off-the-land techniques and staged binaries over months before execution.
Destructive wiper malware used in a targeted, likely geopolitically motivated attack. It disables recovery mechanisms, deletes Windows System Restore points, overwrites physical drives and disk sectors with zeros, exhausts free space, zeroes and deletes files, and can schedule deletion of locked files on reboot. It masquerades as legitimate HCL Domino components and appears to be deployed after prior access is established.
A destructive data wiper used in targeted attacks against Venezuela's energy and utilities sector. It prepares systems for destruction via batch scripts, disables defenses and recovery mechanisms, wipes logical drives, overwrites physical sectors with zeroes, clears USN journals, deletes restore points, and systematically erases files across mounted volumes to render systems inoperable.
A highly destructive wiper used against Venezuelan energy and utilities systems. It is deployed after preparatory batch scripts disable defenses and disrupt operations, then removes recovery mechanisms, overwrites physical disks with zeroes, deletes files across mounted volumes, clears logs and journals, corrupts file records, and leaves systems unrecoverable.