New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention 

Staff Editor 2026-04-22
New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention 

New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention 

https://www.securityweek.com/new-wiper-malware-targeted-venezuelan-energy-sector-prior-to-us-intervention/

Publish Date: 2026-04-22 08:10:00

Source Domain: www.securityweek.com

A threat actor has used a new wiper malware in recent attacks against the energy and utilities sector, cybersecurity company Kaspersky warns.

The attack targeted an organization in Venezuela and relied on two batch scripts to weaken defenses and disrupt operations before retrieving the final payload, the Lotus Wiper.

Likely compiled in September 2025, the wiper and associated artifacts were uploaded in mid-December to a public platform.

“The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state,” Kaspersky explains.

The lack of payment instructions or an extortion method, and the malware’s upload during a period of increased malware activity targeting the energy and utility sector in Venezuela, suggest that Lotus Wiper is extremely targeted, the cybersecurity firm says.

The cybersecurity firm has not shared any information on attribution, but cited the “geopolitical tensions that occurred in the Caribbean region in late 2025 and early 2026”.

Advertisement. Scroll to continue reading.

It’s worth noting that, according to some reports, the United States’s extraction of Venezuelan President Nicolas Maduro in early January 2026 involved cyberattacks to trigger power outages and disable air defense radars.

Lotus Wiper’s execution chain starts with a batch script that attempts to stop the legacy Windows service Interactive Services Detection (UI0Detect) to prevent visible warnings that a malicious activity occurs in the background.

The malicious script appears built to run on older Windows versions that still run UI0Detect, as the service was officially removed from the OS in Windows 10 version 1803.

Additionally, the script checks for a file on a NETLOGON share, coding the victim organization’s name in a variable to build the file path. If this file and a corresponding local file…

Source

More Stories

Accelerating cloud-powered cybersecurity learning with IBM Cyber Campus and AWS

Accelerating cloud-powered cybersecurity learning with IBM Cyber Campus and AWS

Staff Editor 2026-06-07
DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People

DentaQuest Breach: ShinyHunters Publish Data Impacting 2.6M People

Staff Editor 2026-06-07
Security Affairs newsletter Round 580 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 580 by Pierluigi Paganini – INTERNATIONAL EDITION

Staff Editor 2026-06-07

Terms and Conditions - Privacy Policy