<!-- curated:true -->
# [HIGH] Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack

**Source:** The Hacker News
**Published:** 2026-04-22
**Article:** https://thehackernews.com/2026/04/lotus-wiper-malware-targets-venezuelan.html
**Curated:** Analyst-reviewed 2026-04-28

## Threat profile

Kaspersky uncovered a previously undocumented data wiper — **"Lotus Wiper"** — used in late-2025/early-2026 attacks against **Venezuelan energy and utilities** organisations. Two batch scripts initiate the destructive payload sequence; the wiper is the impact stage, not the entry point.

**Wipers are not ransomware.** No ransom note, no decryption keys, no negotiation. The objective is destruction — data, business operations, public confidence. The historical pattern (NotPetya, HermeticWiper, AcidRain, IsaacWiper, CaddyWiper) is geopolitical: an actor wants the target offline and visible. Energy/utilities sector + a politically tense geography is the canonical wiper target profile.

We've upgraded severity to **HIGH** because the *capability* — not the geography — is what matters to your SOC. Wiper TTPs travel: today's Venezuelan grid attack is tomorrow's tooling against Western critical-infrastructure targets, and the precursor TTPs (batch-script chained to wiper binary) are detectable.

## Indicators of Compromise

- _Specific Lotus Wiper sample hashes and the chaining batch-script names should be in the Kaspersky write-up; pull from the Securelist post when available._
- The article calls out **two batch scripts** as the loader — hunt for unusual `.bat` / `.cmd` files with file-deletion or volume-shadow-deletion content on energy / OT-adjacent hosts.

## MITRE ATT&CK (analyst-validated)

- **T1485** — Data Destruction (the wipe itself)
- **T1490** — Inhibit System Recovery (`vssadmin delete shadows`, `wbadmin delete catalog`, `bcdedit` recovery disabling)
- **T1059.003** — Windows Command Shell (the two batch scripts)
- **T1561.002** — Disk Structure Wipe (MBR / partition table corruption is common in this class)
- **T1561.001** — Disk Content Wipe
- **T1083** — File and Directory Discovery (wiper enumerates targets first)
- **T1027** — Obfuscated Files or Information (batch-script obfuscation typical)

## Recommended SOC actions (priority-ordered)

1. **Inventory your OT-adjacent IT estate.** Engineering workstations, HMIs running on Windows, jump hosts into the OT network. These are the *IT* hosts that have visibility (and writeability) into OT.
2. **Test your offline backups.** Wipers are an availability event. If your backup strategy depends on snapshots accessible from the production AD domain, you have a wiper problem regardless of which malware family hits you.
3. **Hunt for shadow-copy / backup-deletion activity** — this is the **single most reliable wiper precursor signal** across families.
4. **Hunt for batch-script execution from temp / public paths** — Lotus Wiper specifically uses two `.bat` files; that pattern catches a wide class of chained wipers.
5. **Review out-of-band MBR / BootDisk write events** on engineering workstations.
6. **Segment OT from IT.** If your engineering AD is one trust hop from corp AD, fix that this quarter.

## Splunk SPL — shadow-copy and backup deletion (universal wiper precursor)

```spl
| tstats `summariesonly` count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("vssadmin.exe","wmic.exe","wbadmin.exe","bcdedit.exe",
                                       "diskshadow.exe","cmd.exe","powershell.exe")
      AND (Processes.process="*delete shadows*"
        OR Processes.process="*shadowcopy delete*"
        OR Processes.process="*delete catalog*"
        OR Processes.process="*recoveryenabled no*"
        OR Processes.process="*bootstatuspolicy ignoreallfailures*"
        OR Processes.process="*set {default} bootstatuspolicy*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process,
       Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

## Splunk SPL — batch script chain from temp / public

```spl
| tstats `summariesonly` count
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("cmd.exe","powershell.exe")
      AND (Processes.process="*\\Users\\Public\\*.bat*"
        OR Processes.process="*\\AppData\\Local\\Temp\\*.bat*"
        OR Processes.process="*\\Windows\\Temp\\*.bat*"
        OR Processes.process="*\\ProgramData\\*.bat*")
      AND Processes.parent_process_name!="explorer.exe"
    by Processes.dest, Processes.user, Processes.parent_process_name,
       Processes.process_name, Processes.process
| `drop_dm_object_name(Processes)`
```

## Splunk SPL — mass file deletion on engineering hosts

```spl
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action="deleted"
      AND Filesystem.file_path IN ("*\\Documents\\*","*\\Desktop\\*","*\\Project*\\*",
                                     "*\\HMI\\*","*\\SCADA\\*")
    by Filesystem.dest, Filesystem.process_name, Filesystem.user, _time span=1h
| `drop_dm_object_name(Filesystem)`
| stats sum(count) AS deletes by dest, process_name, user, _time
| where deletes > 200
```

## Defender KQL — shadow copy / recovery disable

```kql
DeviceProcessEvents
| where Timestamp > ago(180d)
| where FileName in~ ("vssadmin.exe","wmic.exe","wbadmin.exe","bcdedit.exe","diskshadow.exe")
| where ProcessCommandLine has_any (
    "delete shadows", "shadowcopy delete", "delete catalog",
    "recoveryenabled no", "bootstatuspolicy ignoreallfailures")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

## Defender KQL — chained .bat execution

```kql
DeviceProcessEvents
| where Timestamp > ago(180d)
| where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","cscript.exe","wscript.exe")
| where ProcessCommandLine has ".bat" or ProcessCommandLine has ".cmd"
| where ProcessCommandLine has_any ("\\Users\\Public\\","\\AppData\\Local\\Temp\\",
                                     "\\Windows\\Temp\\","\\ProgramData\\")
| where InitiatingProcessParentFileName != "explorer.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

## Defender KQL — raw disk write to physical drive (MBR-class wiper indicator)

```kql
DeviceFileEvents
| where Timestamp > ago(180d)
| where FolderPath has_any ("\\Device\\Harddisk","\\\\.\\PhysicalDrive","\\\\.\\C:")
| where ActionType in ("FileCreated","FileModified")
| where InitiatingProcessFileName !in~ ("system","ntoskrnl.exe","defrag.exe","drvinst.exe")
| project Timestamp, DeviceName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
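The SPL and KQL above need a SIEM to run. As an added worked example (not code from the article or from Kaspersky's write-up), the same three behavioural hunts are reduced to plain Python so the logic can be checked offline against an export of process-creation and file-deletion events, and so analysts can see exactly which events each rule does and does not fire on. The field names, the 200-deletes-per-hour threshold (taken from the SPL), and every sample event are constructed assumptions; no Lotus Wiper hashes, paths or script names are used.

```python
"""
Wiper-precursor triage over exported endpoint telemetry.

Added example; not the article's or Kaspersky's code. Implements the three
behavioural hunts from the SPL/KQL queries (T1490 recovery inhibit,
T1059.003 batch chain from a staging directory, T1485 mass deletion).
Field names and sample events below are constructed, not real artefacts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# T1490: destructive arguments to recovery tooling, matched case-insensitively.
RECOVERY_INHIBIT_PATTERNS = ("delete shadows", "shadowcopy delete", "delete catalog",
                             "recoveryenabled no", "bootstatuspolicy ignoreallfailures")
RECOVERY_TOOLS = {"vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe",
                  "diskshadow.exe", "cmd.exe", "powershell.exe"}

# T1059.003: shells launching a .bat/.cmd from one of these staging directories
# (assumed list, mirroring the SPL) are suspicious unless started from explorer.
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                "\\windows\\temp\\", "\\programdata\\")
SHELLS = {"cmd.exe", "powershell.exe"}

# T1485: deletions of user / engineering data per (host, process, user, hour).
DELETE_THRESHOLD = 200  # same cut-off as the SPL "where deletes > 200"
SENSITIVE_PATH_HINTS = ("\\documents\\", "\\desktop\\", "\\project", "\\hmi\\", "\\scada\\")


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str    # process_name / FileName
    cmdline: str  # full command line
    parent: str   # parent_process_name / InitiatingProcessFileName


@dataclass
class FileDeleteEvent:
    ts: datetime
    host: str
    user: str
    image: str
    path: str


def is_recovery_inhibit(ev: ProcessEvent) -> bool:
    """T1490: recovery tooling invoked with a destructive verb or flag."""
    cmd = ev.cmdline.lower()
    return ev.image.lower() in RECOVERY_TOOLS and any(p in cmd for p in RECOVERY_INHIBIT_PATTERNS)


def is_staged_batch_chain(ev: ProcessEvent) -> bool:
    """T1059.003: cmd/powershell running a .bat/.cmd from a staging directory,
    not launched interactively from explorer.exe."""
    cmd = ev.cmdline.lower()
    if ev.image.lower() not in SHELLS or (".bat" not in cmd and ".cmd" not in cmd):
        return False
    return any(d in cmd for d in STAGING_DIRS) and ev.parent.lower() != "explorer.exe"


def mass_deletion_windows(events, threshold=DELETE_THRESHOLD):
    """T1485: count deletions under sensitive paths per host/process/user and
    clock-hour; return only the windows above the threshold."""
    buckets = defaultdict(int)
    for ev in events:
        if any(h in ev.path.lower() for h in SENSITIVE_PATH_HINTS):
            hour = ev.ts.replace(minute=0, second=0, microsecond=0)
            buckets[(ev.host, ev.image.lower(), ev.user, hour)] += 1
    return {k: n for k, n in buckets.items() if n > threshold}


def triage(process_events, delete_events):
    """Return (technique, host, detail) findings in event order."""
    findings = []
    for ev in process_events:
        if is_recovery_inhibit(ev):
            findings.append(("T1490 recovery inhibit", ev.host, ev.cmdline))
        if is_staged_batch_chain(ev):
            findings.append(("T1059.003 staged batch", ev.host, ev.cmdline))
    for (host, image, user, hour), n in mass_deletion_windows(delete_events).items():
        findings.append(("T1485 mass deletion", host,
                         f"{image} as {user} deleted {n} files in hour {hour:%Y-%m-%d %H:00}"))
    return findings


# Constructed sample telemetry. ENG-WS01 shows the full precursor chain;
# ENG-WS02 shows benign operator activity the rules must not flag.
SAMPLE_TIME = datetime(2026, 4, 20, 3, 0, 0)
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(SAMPLE_TIME, "ENG-WS01", "CORP\\svc_deploy", "cmd.exe",
                 "cmd.exe /c C:\\Users\\Public\\stage1.bat", "services.exe"),
    ProcessEvent(SAMPLE_TIME, "ENG-WS01", "CORP\\svc_deploy", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", "cmd.exe"),
    ProcessEvent(SAMPLE_TIME, "ENG-WS01", "CORP\\svc_deploy", "bcdedit.exe",
                 "bcdedit.exe /set {default} recoveryenabled No", "cmd.exe"),
    ProcessEvent(SAMPLE_TIME, "ENG-WS02", "CORP\\operator", "cmd.exe",
                 'cmd.exe /c "C:\\Users\\operator\\Desktop\\export.bat"', "explorer.exe"),
    ProcessEvent(SAMPLE_TIME, "ENG-WS02", "CORP\\operator", "vssadmin.exe",
                 "vssadmin.exe list shadows", "cmd.exe"),
]
SAMPLE_DELETE_EVENTS = [
    FileDeleteEvent(SAMPLE_TIME.replace(minute=i % 60, second=i // 60), "ENG-WS01",
                    "CORP\\svc_deploy", "stage2.exe", f"C:\\HMI\\Project_A\\screen_{i}.xml")
    for i in range(250)
] + [
    FileDeleteEvent(SAMPLE_TIME, "ENG-WS02", "CORP\\operator", "explorer.exe",
                    f"C:\\Users\\operator\\Desktop\\old_{i}.txt")
    for i in range(30)
]

if __name__ == "__main__":
    for technique, host, detail in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_DELETE_EVENTS):
        print(f"{host:10} {technique:26} {detail}")
```

Run as-is it reports four findings, all on ENG-WS01: the staged batch launch, both recovery-inhibit commands, and the 250-file deletion window; the operator's desktop batch file and the non-destructive `vssadmin list shadows` on ENG-WS02 stay silent. To use it on real data, map your export's columns onto the two dataclasses and tune `STAGING_DIRS`, `SENSITIVE_PATH_HINTS` and `DELETE_THRESHOLD` to your estate.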

## Why this matters for your SOC

A wiper attack on a regional adversary's grid is **a public dress-rehearsal for tooling that will reach Western infrastructure within 6-18 months** — the NotPetya → global-shipping pattern. The technical hunts above don't depend on having Lotus Wiper hashes; they target the *behavioural class* (recovery destruction, batch-script chaining, mass deletion). Run them once across your OT-adjacent hosts even if your sector is finance rather than energy — engineering workstations, jump hosts, and contractor laptops are the same shape regardless of vertical, and the wiper class doesn't discriminate. If you find shadow-copy deletion you don't recognise, treat it as an active wiper precursor until proven otherwise.
