Interactive Threat Guide

Kill Chain Breakpoint

An attacker has already lived in your environment for three months. You do not get to stop the initial intrusion. Your job is to break the Lotus Wiper attack path before operations are lost.

Primary Objective: Stop coordinated execution before drives are wiped

Stage 1

Entry + Trigger

Domain access was established months before detonation. OhSyncNow.bat polls the NETLOGON share for OHSync.xml. A single file write coordinates simultaneous execution across all domain-joined hosts. The trigger requires no further attacker interaction.

Stage 2

Preparation + Isolation

notesreg.bat resets account passwords to random values and locks users out. netsh severs every network interface. diskpart, robocopy, and fsutil begin destroying and exhausting disk space. System binaries are staged in C:\lotus\ to preserve execution after core paths are damaged. Defender response time is already collapsing.

Stage 3

Destruction

nstats.exe decrypts and launches the wiper with full token privileges. Restore points are deleted. Every physical drive is zeroed in multiple passes. Files are renamed to random hex strings. The USN change journal is cleared before and after. Recovery options are already gone.
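
The observable behaviours from all three stages, expressed as detection logic over process and file-write events. This is an added example, not code from the guide: the event schema, host names, the `example.exe` file name and the 10-minute window are constructed assumptions, while the script and tool names are the ones the guide lists.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# File and tool names come from the guide. The event schema is an assumption:
# {"time", "host", "kind": "file_write" | "process", "path"}, where "path" is
# the file written or the script/image executed.
STAGE2_TOOLS = {"netsh.exe", "diskpart.exe", "robocopy.exe", "fsutil.exe"}

def detect(events, window=timedelta(minutes=10), min_tools=2):
    """Return sorted (host, stage, reason) alerts for the guide's three stages."""
    alerts = set()
    tool_runs = defaultdict(list)  # host -> [(time, tool)]
    for ev in sorted(events, key=lambda e: e["time"]):
        path = ev["path"].lower()
        name = ntpath.basename(path)
        host = ev["host"]
        if ev["kind"] == "file_write":
            if name == "ohsync.xml" and "\\netlogon\\" in path:
                alerts.add((host, 1, "trigger file written to NETLOGON"))
            continue
        if name == "ohsyncnow.bat":
            alerts.add((host, 1, "trigger poller running"))
        elif name == "nstats.exe":
            alerts.add((host, 3, "wiper loader launched"))
        elif name == "notesreg.bat":
            alerts.add((host, 2, "lockout script running"))
        elif path.startswith("c:\\lotus\\"):
            alerts.add((host, 2, "binary run from staging directory"))
        elif name in STAGE2_TOOLS:
            # One tool alone is routine admin work; several in a short window is not.
            tool_runs[host].append((ev["time"], name))
            recent = {t for ts, t in tool_runs[host] if ev["time"] - ts <= window}
            if len(recent) >= min_tools:
                alerts.add((host, 2, "burst of isolation/disk tools"))
    return sorted(alerts)

T0 = datetime(2024, 1, 1, 2, 0)  # constructed sample data, not real telemetry

def make_event(minutes, host, kind, path):
    return {"time": T0 + timedelta(minutes=minutes), "host": host, "kind": kind, "path": path}

SAMPLE = [
    make_event(0, "DC01", "file_write", r"\\DC01\NETLOGON\OHSync.xml"),
    make_event(1, "WS01", "process", r"C:\Windows\System32\netsh.exe"),
    make_event(2, "WS01", "process", r"C:\Windows\System32\diskpart.exe"),
    make_event(3, "WS01", "process", r"C:\lotus\example.exe"),  # placeholder name
    make_event(0, "BK01", "process", r"C:\Windows\System32\robocopy.exe"),  # lone backup job
    make_event(0, "WS02", "process", r"C:\Windows\System32\netsh.exe"),
    make_event(30, "WS02", "process", r"C:\Windows\System32\fsutil.exe"),  # outside window
]
```

The Stage 1 alert is the only one that fires before any host starts isolating itself, so it is the one to route for immediate response.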
