Lotus Wiper Attack Targets Venezuelan Energy Firms, Utilities
Recorded: May 11, 2026, 1:16 p.m.
| Original | Summarized |
An analysis of the destructive malware reveals sophisticated living-off-the-land (LOTL) techniques and detailed strategies for the widespread deletion of data.

Robert Lemos, Contributing Writer
April 29, 2026
5 Min Read

An analysis of software artifacts from a malicious cyberattack targeting the energy and utilities sector in Venezuela late last year revealed that the attack made significant use of living-off-the-land (LOTL) techniques, lacked a ransomware component, and assiduously identified and deleted critical data.

The software, found on "a publicly available resource" and uploaded in December 2025, used two batch scripts to coordinate the attack throughout the target's network, undermine system defenses, and hobble incident response. That was all a prelude to the final step: executing a previously unknown wiper program, dubbed Lotus Wiper, according to an analysis published by cybersecurity firm Kaspersky Lab last week. The samples were originally compiled in late September 2025, and the company has not found any additional samples as part of other attacks.

Lotus Wiper is effective at destroying system data and disrupting operations, the company stated.

"The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state," the cybersecurity firm's researchers stated in their analysis.

The Lotus Wiper attack, with Venezuelan energy companies and utilities as its targets, is the latest in a series of data-wiping cyberattacks linked to real-world conflicts between nations. In 2012, Saudi Arabia's state-owned oil-and-gas giant Saudi Aramco had 30,000 systems locked by the Shamoon data-wiping malware, an act attributed to Iran. The 2017 NotPetya attacks started in a Ukrainian provider of accounting software before spreading worldwide. Both Russia and Ukraine appear to have traded wiper-based cyberattacks following Russia's original seizure of Crimea in 2014 and its ongoing invasion of Ukraine, which started in 2022.

Earlier this year, researchers attributed a wiper attack against Poland's power grid in late December to the Russian Sandworm group. That's two different wiper attacks against critical infrastructure in the same month, says Collin Hogue-Spears, senior director of solution management at Black Duck, an application-security firm.

"Different actors, different regions, same intent," he says.

A US Cyberattack?

Kaspersky Lab did not attribute the Lotus Wiper attack to any actor nor identify the victim, and the company declined further comment on its research or the source of the attack.

However, the timing of the Lotus Wiper matches a cyberattack on Petróleos de Venezuela SA (PDVSA), the state-run oil-and-gas firm that suffered disruption in December following an alleged ransomware attack on Dec. 13. The company blamed the US for the attack and claimed that its operations were not affected, but independent reporting detailed that the loading of petroleum onto tankers had stalled.

"This act of aggression adds to the public strategy of the US government to seize Venezuelan oil by force and piracy," the company stated in a Dec. 15 communique (translated via Anthropic's Claude). "The working class of the hydrocarbon industry has faced attacks of this nature in the past. It was precisely their commitment, expertise, and loyalty that made it possible to detect and neutralize this new attack."

The company's domain, pdvsa.com, was part of the payload of the files, designating it as the targeted organization, adds Black Duck's Hogue-Spears.

It's unsurprising that wiper attacks have become a go-to cyber weapon for a variety of nation-state conflicts, because the destructive attacks are an easy way to turn initial access into physical consequences, says Jimmy Wylie, a distinguished malware analyst at Dragos, an industrial and OT cybersecurity firm.

"The Venezuelan attack is a continuation of a larger trend of threat groups relying on cheap but effective techniques," he says. "Wiper malware simply gets [the] job done with minimal development time."

On the other hand, the actors in the Lotus Wiper attack showed significant patience to map out their target's infrastructure and networks, a problem for poorly funded security teams, such as those in critical infrastructure, says Jacob Krell, senior director of secure AI solutions at Suzu Labs, a cybersecurity services firm.

"Many critical energy and utilities organizations remain ill-prepared for the capabilities of a well-resourced nation-state actor," he says. "Lotus Wiper operators dwelled in the environment for months, staging binaries and preparing the terrain before executing the destructive phase. That dwell time reveals the gap."

Utility Security Starts With Segmentation

While every company is different, critical infrastructure and industrial firms need to secure remote access, ensure they have visibility into anomalies on the network, and be ready to respond quickly in the case of an incident, says Dragos's Wylie.

"If the attacker is maliciously executing standard Windows utilities to wipe systems, it's already too late to think about detection," he says. "So, you've got to stop them earlier in the attack chain."

Critical infrastructure security needs to prioritize a few basic protections to prevent operational damage from cyberattacks. Segmenting the operational technology (OT) networks from enterprise IT systems prevents a breach from affecting industrial control systems (ICS) and OT networks, says Suzu Labs' Krell. Immutable backups stored beyond the reach of an attacker are also critical, he says.

"The world has entered the age of digital warfare, and these operations demonstrate that cyber effects can deliver strategic impact without traditional military escalation," he says. "This means cyber resilience planning must incorporate the geopolitical angle as a core risk factor. Organizations can no longer treat cyber threats as purely technical and they must assess exposure to nation-state playbooks."

About the Author
Robert Lemos, Contributing Writer. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. |
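Wylie's point that detection has to fire before the attacker is "executing standard Windows utilities to wipe systems" can be made concrete as a correlation rule over process-creation telemetry. The script below is an added example written for this article; it is not code from Dark Reading, Kaspersky Lab, or any of the quoted analysts. It assumes Sysmon Event ID 1 or Windows Security 4688 records have already been normalised to one pipe-delimited line per process start, the hosts, users and command lines in SAMPLE_LOG are constructed, and the command patterns are the generic recovery-inhibition and mass-deletion commands catalogued under MITRE ATT&CK T1490 and T1485, not anything Kaspersky reported about the specific batch scripts used with Lotus Wiper. It goes a step beyond the article by grading the two stages separately, so that recovery inhibition on its own is already an alert rather than only the wipe that follows it.

```python
"""Correlate LOTL pre-wipe activity (recovery inhibition, then mass deletion)
from normalised process-creation logs. Added example, not the article's code.
Assumes ts|host|user|image|cmdline input; patterns are generic ATT&CK
T1490/T1485 commands, not Lotus Wiper-specific indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the started executable
    cmdline: str    # full command line as logged


@dataclass
class Hit:
    event: ProcessEvent
    category: str   # "inhibit_recovery" or "mass_deletion"
    technique: str  # MITRE ATT&CK technique id


# (category, technique, pattern); lookaheads allow switches in any order.
RULES = [
    ("inhibit_recovery", "T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("inhibit_recovery", "T1490", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("inhibit_recovery", "T1490", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("inhibit_recovery", "T1490", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("mass_deletion", "T1485", re.compile(r"\b(del|erase)\b(?=.*\s/s\b)(?=.*\s/q\b)", re.I)),
    ("mass_deletion", "T1485", re.compile(r"\b(rmdir|rd)\b(?=.*\s/s\b)(?=.*\s/q\b)", re.I)),
    ("mass_deletion", "T1485", re.compile(r"\bremove-item\b(?=.*\s-recurse\b)(?=.*\s-force\b)", re.I)),
    ("mass_deletion", "T1485", re.compile(r"\bcipher(\.exe)?\s+/w:", re.I)),
]

# Constructed sample telemetry (hosts, users, paths and times are invented).
SAMPLE_LOG = r"""
2025-12-01T02:14:05|OT-HIST01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-12-01T02:14:09|OT-HIST01|CORP\svc_backup|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2025-12-01T02:21:40|OT-HIST01|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd.exe /c del /f /s /q D:\Historian\*.*
2025-12-01T09:02:11|ENG-WS07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c rmdir /s /q C:\Temp\build
2025-12-01T11:45:00|FILE-SRV02|CORP\admin|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
2025-12-01T11:45:03|FILE-SRV02|CORP\admin|C:\Windows\System32\notepad.exe|notepad.exe C:\runbook.txt
"""


def parse_log(text):
    """Parse pipe-delimited lines; the command line is the last field and may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcessEvent(datetime.fromisoformat(ts), host, user, image, cmdline))
    return events


def detect(events):
    """Return one Hit per (event, category) whose command line matches a rule."""
    hits = []
    for ev in events:
        seen = set()
        for category, technique, pattern in RULES:
            if category not in seen and pattern.search(ev.cmdline):
                hits.append(Hit(ev, category, technique))
                seen.add(category)
    return hits


def correlate(hits, window=timedelta(minutes=15)):
    """Grade each host: 'high' when recovery inhibition and mass deletion occur
    within `window`, 'medium' for recovery inhibition alone, 'low' otherwise."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.event.host].append(h)
    alerts = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h.event.ts)
        severity = "low"
        for anchor in host_hits:
            in_window = {h.category for h in host_hits
                         if anchor.event.ts <= h.event.ts <= anchor.event.ts + window}
            if {"inhibit_recovery", "mass_deletion"} <= in_window:
                severity = "high"
                break
            if "inhibit_recovery" in in_window:
                severity = "medium"
        alerts[host] = {
            "severity": severity,
            "techniques": sorted({h.technique for h in host_hits}),
            "first_seen": host_hits[0].event.ts,
            "last_seen": host_hits[-1].event.ts,
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(detect(parse_log(SAMPLE_LOG))).items():
        print(f"{host}: {alert['severity']} {alert['techniques']} "
              f"{alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S}")
```

The severity ladder encodes the article's argument: deleting shadow copies or disabling boot recovery on a historian or file server is rarely legitimate administration and deserves an alert on its own, while recursive deletion on its own is common enough that it stays low; only when the two follow each other on the same host within minutes does the rule escalate, and by then the destructive phase has started. In production the same patterns belong in the EDR or SIEM query language, and the window and rule set should be tuned against the organisation's own administrative baseline.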
The Lotus Wiper attack, detailed by Kaspersky Lab, represents a significant escalation in destructive cyber operations targeting critical infrastructure, specifically within the Venezuelan energy and utilities sectors. This attack leverages living-off-the-land (LOTL) techniques, meaning it utilizes existing, legitimate system tools and scripts to achieve malicious objectives, significantly complicating detection and remediation efforts. Crucially, the malware, dubbed Lotus Wiper, doesn’t rely on traditional ransomware demands; instead, it systematically deletes data and disrupts operations through a process of removing recovery mechanisms, overwriting disk content, and meticulously deleting files across volumes, rendering affected systems unrecoverable. Robert Lemos highlights the attack’s sophisticated staging, indicating a prolonged period of reconnaissance and preparation by the attackers, suggesting a state-sponsored operation likely motivated by geopolitical tensions. The attack echoes earlier incidents involving Saudi Aramco and NotPetya, indicating a pattern of nation-state actors employing wiper malware as a tool for strategic disruption and coercion. Kaspersky Lab’s cautious approach regarding attribution underscores the complex and often opaque nature of cyber warfare, where identifying perpetrators is frequently challenging. Several analysts, including Collin Hogue-Spears at Black Duck, point to the trend of “different actors, different regions, same intent,” reflecting a broader pattern of destructive cyber activity driven by geopolitical objectives. The timing of the attack, coinciding with an alleged ransomware attack on PDVSA, further suggests a coordinated effort to destabilize the Venezuelan economy and exert pressure. The attack’s reliance on readily available resources and the absence of a traditional ransom demand demonstrate a shift in tactics among cybercriminals, prioritizing disruption and strategic damage over financial gain. 
Ultimately, the Lotus Wiper attack serves as a stark reminder of the growing threat to critical infrastructure worldwide, highlighting the potential for nation-states to leverage cyberattacks as a means of exerting influence and achieving strategic goals. |