Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Gentlemen Ransomware Exploits 21 Remote Execution Techniques
July 6, 2026
Home/Threats/Lotus Wiper Destroys Data in Energy Sector Attacks
Threats

Lotus Wiper Destroys Data in Energy Sector Attacks

Key Takeaways Lotus Wiper, a newly identified malware, has been deployed in targeted, destructive attacks against the energy sector. The malware is designed for irreversible data destruction, wiping...

David kimber
David kimber
April 22, 2026 4 Min Read
42 0

Key Takeaways

  • Lotus Wiper, a newly identified malware, has been deployed in targeted, destructive attacks against the energy sector.
  • The malware is designed for irreversible data destruction, wiping entire drives and making system recovery impossible.
  • Initial indications suggest geopolitical motivations behind the attacks, which surfaced amidst rising tensions in the Caribbean region in late 2025 and early 2026.
  • Threat actors had prepared for months, compiling the wiper in late September 2025 before its deployment.

A new and highly destructive malware, dubbed Lotus Wiper, has been observed in attacks specifically targeting organizations within the energy sector. This sophisticated wiper is engineered for complete data obliteration, leaving compromised systems beyond recovery. Unlike typical ransomware, Lotus Wiper exhibits no financial motivation, instead focusing solely on causing maximum operational disruption through permanent data destruction across entire drives.

Table Of Content

  • Key Takeaways
  • How the Infection Chain Works
  • What You Should Do

The campaign emerged into public view during a period of escalating geopolitical tensions in the Caribbean, spanning late 2025 and early 2026. Evidence linked to the attack was uploaded from a Venezuelan machine in mid-December 2025 to a publicly accessible repository. Analysis revealed the malware had been compiled months prior, in late September 2025, suggesting a prolonged and deliberate preparation phase by the threat actors.

Analysts and researchers at Securelist identified the malicious artifacts during their routine investigations into new threats. Their examination of the sample uncovered distinct indicators pointing to an energy and utilities sector organization as the intended victim. The absence of any ransom notes or payment demands within the malware’s code reinforces the assessment that this was a purely destructive operation, devoid of any financial objectives.

This attack is believed to be highly targeted and driven by geopolitical motives. Lotus Wiper systematically eliminates recovery mechanisms, overwrites physical drives with zeros, and deletes files across all accessible volumes. Its destructive capabilities place it alongside notorious threats like NotPetya (2017) and HermeticWiper (2022), which have historically inflicted severe damage on critical infrastructure.

The malware attempts to blend in with legitimate system processes by masquerading as HCL Domino application components, using filenames such as nstats.exe, nevent.exe, and ndesign.exe. This tactic strongly suggests that the attackers had already established prior access to the victim systems and had pre-staged these malicious executables, indicating earlier backdoor activity on the compromised hosts.

How the Infection Chain Works

The destructive sequence initiates with a batch script named OhSyncNow.bat. This script first establishes a working directory, typically C:lotus, and then attempts to disable the Interactive Services Detection service (UI0Detect). This Windows service, which would otherwise alert users to background activity, was removed by Microsoft from Windows 10 version 1803 onwards. Its targeted disabling implies that the attackers specifically focused on legacy systems where this service remains active.

Following this, the script checks for a remote XML flag file, OHSync.xml, located on the domain’s NETLOGON share. The presence of this file acts as a network-based trigger, signaling the commencement of execution across all machines within the domain. If the trigger file is detected, a secondary batch script, notesreg.bat, is launched. This script is designed for single execution and proceeds to enumerate local user accounts, randomize their passwords, mark them as inactive, disable cached logins, log off active sessions, and shut down all network interfaces using netsh. Crucially, it also executes diskpart clean all against every logical drive, overwriting the entire disk content with zeros.

After the batch scripts prepare the environment, the main payload, Lotus Wiper, activates. It first decrypts its own executable using XOR before running. Once active, it elevates administrative privileges, deletes all Windows System Restore points by leveraging the srclient.dll API, and then fills each disk sector with zeros using low-level IOCTL disk commands. The wiper also uses fsutil to create a file that consumes all available free space, further degrading storage capacity. Files are subsequently zeroed out using FSCTL_SET_ZERO_DATA, renamed with random hexadecimal strings, and finally deleted.

USN journal being cleared using IOCTL controls (Source - Securelist)
USN journal being cleared using IOCTL controls (Source – Securelist)

For files that are currently in use and cannot be immediately deleted, the wiper employs MoveFileExW to schedule their deletion upon the next system restart.

What You Should Do

  • Audit and Monitor Domain Shares: Regularly audit permissions and monitor file activity on domain shares, particularly the NETLOGON share, for any unauthorized changes or suspicious file placements like OHSync.xml.
  • Review Security Logs: Implement robust security log analysis to detect signs of credential abuse, token manipulation, or privilege escalation attempts that could indicate pre-compromise activity.
  • Monitor Native Tool Usage: Actively monitor for unusual or excessive usage of built-in Windows utilities such as fsutil, robocopy, and diskpart, as these are frequently abused by attackers to evade traditional security defenses.
  • Strengthen Backup and Recovery: Ensure all critical data is backed up to secure, isolated locations and regularly test data restoration procedures to confirm recoverability in the event of a destructive incident.
  • Patch and Update Systems: Prioritize patching and updating operating systems and applications, especially on legacy systems, to address vulnerabilities that could be exploited for initial access or privilege escalation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareransomwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Microsoft Warns Jasper Sleet Phishing Infiltrates Cloud Environments

Next Post

Cybercriminals Exploit French Fintech Accounts to Launder Stolen Funds

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us