Lotus Wiper Destroys Data in Energy Sector Attacks
Key Takeaways Lotus Wiper, a newly identified malware, has been deployed in targeted, destructive attacks against the energy sector. The malware is designed for irreversible data destruction, wiping...
Key Takeaways
- Lotus Wiper, a newly identified malware, has been deployed in targeted, destructive attacks against the energy sector.
- The malware is designed for irreversible data destruction, wiping entire drives and making system recovery impossible.
- Initial indications suggest geopolitical motivations behind the attacks, which surfaced amidst rising tensions in the Caribbean region in late 2025 and early 2026.
- Threat actors had prepared for months, compiling the wiper in late September 2025 before its deployment.
A new and highly destructive malware, dubbed Lotus Wiper, has been observed in attacks specifically targeting organizations within the energy sector. This sophisticated wiper is engineered for complete data obliteration, leaving compromised systems beyond recovery. Unlike typical ransomware, Lotus Wiper exhibits no financial motivation, instead focusing solely on causing maximum operational disruption through permanent data destruction across entire drives.
Table Of Content
The campaign emerged into public view during a period of escalating geopolitical tensions in the Caribbean, spanning late 2025 and early 2026. Evidence linked to the attack was uploaded from a Venezuelan machine in mid-December 2025 to a publicly accessible repository. Analysis revealed the malware had been compiled months prior, in late September 2025, suggesting a prolonged and deliberate preparation phase by the threat actors.
Analysts and researchers at Securelist identified the malicious artifacts during their routine investigations into new threats. Their examination of the sample uncovered distinct indicators pointing to an energy and utilities sector organization as the intended victim. The absence of any ransom notes or payment demands within the malware’s code reinforces the assessment that this was a purely destructive operation, devoid of any financial objectives.
This attack is believed to be highly targeted and driven by geopolitical motives. Lotus Wiper systematically eliminates recovery mechanisms, overwrites physical drives with zeros, and deletes files across all accessible volumes. Its destructive capabilities place it alongside notorious threats like NotPetya (2017) and HermeticWiper (2022), which have historically inflicted severe damage on critical infrastructure.
The malware attempts to blend in with legitimate system processes by masquerading as HCL Domino application components, using filenames such as nstats.exe, nevent.exe, and ndesign.exe. This tactic strongly suggests that the attackers had already established prior access to the victim systems and had pre-staged these malicious executables, indicating earlier backdoor activity on the compromised hosts.
How the Infection Chain Works
The destructive sequence initiates with a batch script named OhSyncNow.bat. This script first establishes a working directory, typically C:lotus, and then attempts to disable the Interactive Services Detection service (UI0Detect). This Windows service, which would otherwise alert users to background activity, was removed by Microsoft from Windows 10 version 1803 onwards. Its targeted disabling implies that the attackers specifically focused on legacy systems where this service remains active.
Following this, the script checks for a remote XML flag file, OHSync.xml, located on the domain’s NETLOGON share. The presence of this file acts as a network-based trigger, signaling the commencement of execution across all machines within the domain. If the trigger file is detected, a secondary batch script, notesreg.bat, is launched. This script is designed for single execution and proceeds to enumerate local user accounts, randomize their passwords, mark them as inactive, disable cached logins, log off active sessions, and shut down all network interfaces using netsh. Crucially, it also executes diskpart clean all against every logical drive, overwriting the entire disk content with zeros.
After the batch scripts prepare the environment, the main payload, Lotus Wiper, activates. It first decrypts its own executable using XOR before running. Once active, it elevates administrative privileges, deletes all Windows System Restore points by leveraging the srclient.dll API, and then fills each disk sector with zeros using low-level IOCTL disk commands. The wiper also uses fsutil to create a file that consumes all available free space, further degrading storage capacity. Files are subsequently zeroed out using FSCTL_SET_ZERO_DATA, renamed with random hexadecimal strings, and finally deleted.

For files that are currently in use and cannot be immediately deleted, the wiper employs MoveFileExW to schedule their deletion upon the next system restart.
What You Should Do
- Audit and Monitor Domain Shares: Regularly audit permissions and monitor file activity on domain shares, particularly the NETLOGON share, for any unauthorized changes or suspicious file placements like
OHSync.xml. - Review Security Logs: Implement robust security log analysis to detect signs of credential abuse, token manipulation, or privilege escalation attempts that could indicate pre-compromise activity.
- Monitor Native Tool Usage: Actively monitor for unusual or excessive usage of built-in Windows utilities such as
fsutil,robocopy, anddiskpart, as these are frequently abused by attackers to evade traditional security defenses. - Strengthen Backup and Recovery: Ensure all critical data is backed up to secure, isolated locations and regularly test data restoration procedures to confirm recoverability in the event of a destructive incident.
- Patch and Update Systems: Prioritize patching and updating operating systems and applications, especially on legacy systems, to address vulnerabilities that could be exploited for initial access or privilege escalation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.