Lotus Wiper: Destructive Malware Targets Venezuela’s Energy Sector in Coordinated Attack
Kaspersky researchers have identified a new, highly destructive malware campaign targeting Venezuela’s energy and utilities sector. The attack, uncovered in mid-December 2025, deploys Lotus Wiper, a previously undocumented wiper that permanently erases data across physical drives with no possibility of recovery.
Unlike ransomware, this malware has no extortion component; its sole purpose is annihilation. The campaign was discovered during a period of heightened geopolitical tensions in the Caribbean, coinciding with a disabling cyberattack on Venezuela’s state-owned oil company, Petróleos de Venezuela (PDVSA). However, no confirmed link between the two incidents has been established.
The attack appears to have been in development for months, with the wiper compiled in late September 2025. It begins with two batch scripts, OhSyncNow.bat and notesreg.bat, which orchestrate the assault. OhSyncNow.bat disables Windows’ Interactive Services Detection to suppress warnings and checks for a remote XML flag file (OHSync.xml) on the organization’s NETLOGON domain share, which acts as the trigger for compromised machines.
Once activated, notesreg.bat takes over, resetting local user passwords, disabling cached logins, and forcibly logging off all active sessions. The final payload, Lotus Wiper, then executes a multi-phase destruction sequence:
- System Recovery Erasure: Deletes all Windows System Restore points by manipulating srclient.dll.
- Physical Drive Wiping: Overwrites every sector of all connected drives with zeroes, executed twice for thoroughness.
- Volume Destruction: Enumerates mounted volumes, clears USN change journals, and deletes files by overwriting them with zeroes, renaming them to random strings, and queuing locked files for deletion on reboot.
The result is a system left completely unrecoverable, with no surviving data, partitions, or recovery options. The attack’s sophistication and deliberate targeting of critical infrastructure suggest a calculated effort to disrupt Venezuela’s energy sector.
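For responders, the staged chain described above (OhSyncNow.bat, then the OHSync.xml flag on NETLOGON, then notesreg.bat) can be turned into a triage pass over endpoint telemetry that ranks hosts by how far along the chain they are. This is an added example, not code from Kaspersky or from this report; the event layout, host names, paths, domain and stage labels are constructed assumptions, and only the three file names come from the article.

```python
import re
from datetime import datetime

# File names come from the article; stage labels and event layout are assumptions.
STAGES = [
    ("stage1_script", re.compile(r"OhSyncNow\.bat", re.I)),
    ("trigger_flag", re.compile(r"\\NETLOGON\\.*OHSync\.xml", re.I)),
    ("stage2_script", re.compile(r"notesreg\.bat", re.I)),
]

# Constructed telemetry, one event per line: timestamp|host|command line or path.
SAMPLE_EVENTS = r"""
2025-12-10T08:00:01|WS-01|cmd.exe /c C:\Temp\OhSyncNow.bat
2025-12-10T08:00:03|WS-01|\\corp.example\NETLOGON\OHSync.xml
2025-12-10T08:00:09|WS-01|cmd.exe /c C:\Temp\notesreg.bat
2025-12-10T08:02:00|WS-02|cmd.exe /c C:\Temp\OhSyncNow.bat
2025-12-10T08:05:00|WS-03|cmd.exe /c \\corp.example\NETLOGON\logon.bat
""".strip()


def triage(events_text):
    """Return (host, furthest stage, first seen) tuples, most advanced host first."""
    furthest = {}
    for line in events_text.splitlines():
        if line.count("|") < 2:
            continue  # skip blank or malformed lines
        ts, host, detail = line.split("|", 2)
        when = datetime.fromisoformat(ts)
        for rank, (name, pattern) in enumerate(STAGES):
            if not pattern.search(detail):
                continue
            best = furthest.get(host)
            # Keep the latest stage in the chain; on a tie keep the earliest sighting.
            if best is None or rank > best[0] or (rank == best[0] and when < best[2]):
                furthest[host] = (rank, name, when)
    ordered = sorted(furthest.items(), key=lambda kv: (-kv[1][0], kv[1][2]))
    return [(host, name, when.isoformat()) for host, (_, name, when) in ordered]


if __name__ == "__main__":
    for host, stage, first_seen in triage(SAMPLE_EVENTS):
        print(f"{host}: reached {stage} at {first_seen}")
```

Hosts that show only the first-stage script have not yet acted on the trigger file, so they are the ones where isolation can still prevent data loss; ordinary logon scripts on NETLOGON do not match.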
Source: https://cyberpress.org/lotus-wiper-hits-energy/
PDVSA Petróleos de Venezuela S.A. cybersecurity rating report: https://www.rankiteo.com/company/petroleosdevenezuela
"id": "PET1776853705",
"linkid": "petroleosdevenezuela",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Energy/Oil',
'location': 'Venezuela',
'name': 'Petróleos de Venezuela (PDVSA)',
'type': 'State-owned oil company'}],
'attack_vector': 'Batch scripts (*OhSyncNow.bat* and *notesreg.bat*) '
'triggering remote XML flag file (*OHSync.xml*) on NETLOGON '
'domain share',
'data_breach': {'data_encryption': 'No (data was overwritten with zeroes)',
'data_exfiltration': 'No (data was erased, not exfiltrated)',
'sensitivity_of_data': 'High (critical infrastructure data)',
'type_of_data_compromised': 'All data on affected systems'},
'date_detected': '2025-12-15',
'description': 'Kaspersky researchers have identified a new, highly '
'destructive malware campaign targeting Venezuela’s energy and '
'utilities sector. The attack, uncovered in mid-December 2025, '
'deploys *Lotus Wiper*, a previously undocumented wiper that '
'permanently erases data across physical drives with no '
'possibility of recovery. Unlike ransomware, this malware has '
'no extortion component; its sole purpose is annihilation.',
'impact': {'data_compromised': 'Permanent data erasure across all connected '
'drives',
'operational_impact': 'Complete system unrecoverability, '
'disruption of energy sector operations',
'systems_affected': 'Energy and utilities sector systems in '
'Venezuela'},
'investigation_status': 'Ongoing',
'motivation': 'Disruption of critical infrastructure, geopolitical tensions',
'post_incident_analysis': {'root_causes': 'Sophisticated wiper malware '
'(*Lotus Wiper*) targeting critical '
'infrastructure'},
'ransomware': {'data_encryption': 'No (data was wiped, not encrypted)',
'data_exfiltration': 'No'},
'references': [{'source': 'Kaspersky Research'}],
'title': 'Lotus Wiper: Destructive Malware Targets Venezuela’s Energy Sector '
'in Coordinated Attack',
'type': 'Wiper Malware Attack'}