Cyber Threat Bulletin
Severity: Critical | Destructive Wiper Malware | TLP: White

Lotus Wiper

Long-Dwell Destructive Wiper Deployed Against Venezuelan Energy Sector Infrastructure

First Compiled: September 2025 | Trigger: NETLOGON OHSync.xml | Target: OT-Adjacent Windows

Severity: Critical
Threat Type: Destructive Wiper Malware
Primary Delivery: Long-term pre-positioning with domain-wide detonation
Target Environment: Energy, utilities, and OT-adjacent Windows infrastructure
Trigger Mechanism: Single OHSync.xml write to domain NETLOGON share
Impact Objective: Permanent disk destruction, operator lockout, and unrecoverable system wipe at scale
First Compilation: Late September 2025
Attribution: Unattributed; campaign profile consistent with state-sponsored offensive cyber activity

3 months: pre-positioned before detonation
1 file: triggered network-wide destruction
0 recovery paths remaining
90 days: required detection lookback
10 pre-detonation detection rules
Section 01

Executive Summary

Lotus Wiper is a previously undocumented destructive wiper used in a targeted campaign against energy and utilities organizations in Venezuela in late 2025 and early 2026. Unlike ransomware, it carries no extortion path and no recovery bargain. Its purpose is destruction. It overwrites drive contents with zeroes, destroys recovery mechanisms, erases file records, and leaves affected systems unbootable and unrecoverable.

What makes this campaign strategically significant is not just the payload. It is the preparation. Lotus Wiper was compiled in late September 2025 and staged months in advance on domain-joined hosts. The attack chain was designed so that a single control file placed in NETLOGON could trigger simultaneous destructive execution across the victim environment, compressing defender response time to almost nothing.

The implications extend far beyond Venezuela. Lotus Wiper was built for the exact Windows environments many industrial organizations still depend on: engineering workstations, SCADA servers, data historians, and HMI systems running legacy operating systems for operational continuity reasons. It does not need to touch a PLC to create operational impact. It destroys the Windows layer that OT operations rely on.

Critical Finding

Lotus Wiper carries no extortion path and no recovery bargain. By the time the final payload executes, restore points are gone, credentials are locked, interfaces are severed, and disks are being zeroed across multiple hosts simultaneously. Defender response time has already collapsed.

Section 02

Key Findings

  • Lotus Wiper appears purpose-built for a single campaign and a single victim environment, with no prior or subsequent public deployments.
  • The operation required months of prior domain access and detailed knowledge of the target's internal environment, including internal account naming conventions.
  • The malware chain was explicitly designed for legacy Windows systems common in OT-adjacent environments, including Windows 7, Server 2008, Server 2012, and Windows 10 releases before 1803.
  • The trigger mechanism allowed simultaneous network-wide execution through a single file placed in the NETLOGON share, collapsing defender response time to near zero.
  • Before the final payload runs, the chain locks out accounts and disables network interfaces; the wiper then deletes restore points, zeroes physical drives, and erases file system artifacts.
  • No attribution is established in open reporting, but the campaign profile is consistent with state-sponsored offensive cyber activity timed to a strategic objective.
Section 03

Detailed Threat Analysis

Lotus Wiper is not opportunistic malware. It is a long-dwell, environment-aware, destructive capability designed for coordinated impact. The staging model confirms that attackers had sustained access to the target environment well before detonation. Batch scripts hardcoded the victim organization's name, executables were pre-positioned on domain-joined hosts, and the execution architecture depended on domain-wide coordination. That is not smash-and-grab intrusion behavior. It is operational preparation.

The campaign unfolded against a period of intensified hostile activity in Venezuela's energy sector. The bulletin notes a separate December 2025 cyberattack against PDVSA and the January 2026 U.S. operation in Venezuela that included publicly acknowledged cyber effects and widespread power disruption in Caracas. No open source reporting establishes attribution for Lotus Wiper, but the timing, tooling profile, and absence of financial motive make the geopolitical context analytically significant.

Technically, the malware is notable for how little it relies on exotic code during the preparation phase. It uses native Windows tooling, manipulates legacy services, disables accounts, severs connectivity, fills available disk space, stages copied system binaries in a working directory, and then decrypts and launches the actual wiper. The result is a destruction model that blends in early, then detonates fast.

The most important defensive takeaway is that Lotus Wiper achieves OT impact without ICS-specific manipulation. It never needs to speak an industrial protocol. By destroying engineering workstations, SCADA servers, historians, and HMI-supporting Windows systems, it can still cause loss of control, loss of view, and prolonged operational disruption. That makes this campaign highly relevant to energy, utilities, water, and manufacturing operators worldwide.

Attribution Context

No open source reporting attributes Lotus Wiper to a specific group or nation-state. The campaign timing coincides with the December 2025 PDVSA cyberattack and January 2026 power disruptions in Caracas following acknowledged U.S. offensive cyber operations in Venezuela. The tooling profile, strategic timing, and absence of financial motive are consistent with state-sponsored activity, but Lotus Wiper should be treated as an unattributed destructive capability regardless of final attribution.

Section 04

Attack Chain Overview

Execution Model

Lotus Wiper executes in three major phases: network-wide orchestration, environmental isolation and preparation, and final destructive payload execution. The chain is disciplined, deliberate, and optimized for simultaneous detonation across a compromised domain. A single file write in NETLOGON begins the cascade.

Phase 1: Long-Dwell Pre-Positioning

Months of sustained domain access preceded detonation. The wiper was compiled in late September 2025, the batch scripts hardcoded the victim organization's name, and the executables were staged on domain-joined hosts well in advance of the destructive trigger.

Phase 2: NETLOGON Trigger Coordination

OhSyncNow.bat polls the NETLOGON share for OHSync.xml. Because every domain-joined host reads the same share, a single file write activates destructive execution across all of them near-simultaneously. The script also queries the UI0Detect (Interactive Services Detection) service, which ships on Windows Vista/Server 2008 through Windows 10 releases before 1803 and was removed afterwards; checking for it confirms deliberate targeting of legacy Windows environments.

Phase 3: Credential Destruction

notesreg.bat resets local account passwords to random values and deactivates accounts, using knowledge of the organization's internal naming conventions to pick its targets. Cached domain logons are disabled by setting the Winlogon CachedLogonsCount value to 0, so an isolated host can no longer authenticate domain users from cache. Active sessions are terminated before isolation begins.

Phase 4: Network Isolation

netsh disables every network interface in rapid succession (the native form is netsh interface set interface <name> admin=disable), severing host connectivity before the destructive payload executes. Hosts are cut off from both incident response and any recovery resources.

Phase 5: Disk Preparation and Staging

diskpart clean all zeroes every sector of each disk it is pointed at, not merely the logical volumes on it. robocopy /MIR mirrors a source over a destination and deletes anything in the destination the source lacks; pointed at target directories from a source that does not contain them, it purges those trees recursively. fsutil file createnew allocates a file sized to the remaining free space, exhausting the disk. Windows system binaries are copied to C:\lotus\ so execution can continue after core system paths are damaged.

Phase 6: Payload Decryption

nstats.exe decrypts the wiper from its encrypted at-rest form and writes the runnable executable. nevent.exe and ndesign.exe, named to resemble HCL Domino components, hand execution off with elevated privileges.

Phase 7: Final Destructive Wipe

All available token privileges are enabled. Restore points are deleted. Every physical drive is zeroed in multiple passes. File contents are overwritten at volume level. Files are renamed to random hex strings. Locked files are queued for deletion at reboot. The USN change journal is cleared before and after to suppress forensic visibility.

Why This Matters for OT

Lotus Wiper was designed for the Windows layer many OT environments still depend on: Windows 7, Windows Server 2008, Windows Server 2012, and pre-1803 Windows 10 systems commonly found in SCADA, historian, HMI, and engineering workstation roles. It does not need to issue process commands to cause operational harm. Destroying the supporting Windows infrastructure is enough to cause loss of control, loss of view, and prolonged operational disruption without ever touching a PLC.

Section 05

MITRE ATT&CK Mapping

Framework Note

ICS techniques are derived from MITRE ATT&CK for ICS. Lotus Wiper achieves OT impact through IT-layer destruction rather than ICS protocol interaction, making both frameworks relevant for defenders operating in mixed IT-OT environments.

MITRE ATT&CK for ICS
T0879 Damage to Property — Physical operational impact through permanent destruction of OT-supporting Windows infrastructure including HMI, historian, SCADA, and engineering workstations.
T0881 Service Stop — UI0Detect service manipulation and systematic disabling of Windows services on OT-adjacent systems during the preparation phase.
T0816 Device Restart/Shutdown — Affected systems are left permanently unbootable following multi-cycle disk zeroing, achieving persistent shutdown with no viable recovery path.
T0827 Loss of Control / T0829 Loss of View — The operational consequences described above: destroying the Windows layer removes the operators' ability to command and observe the process even though no PLC is touched.
MITRE ATT&CK Enterprise
T1485 Data Destruction — Volume-level file content overwrite, hexadecimal file renaming, and reboot-queued deletion of locked files to maximize irreversibility.
T1561.001 Disk Content Wipe — Multi-cycle zeroing of every physical drive; raw disk overwrites map here rather than to T1485.
T1490 Inhibit System Recovery — All restore points deleted and VSS snapshots destroyed before the wipe phase. Simultaneous multi-host detonation bypasses any reliance on online backup availability.
T1531 Account Access Removal — Bulk account password resets to random values, deactivation, and cached credential removal executed before the destructive payload fires.
T1021.002 SMB/Windows Admin Shares and T1080 Taint Shared Content — The domain NETLOGON share is the coordinated trigger: OhSyncNow.bat on every host polls it, so one OHSync.xml write executes everywhere. T1080 is the closer fit for content placed in a share to be consumed by other hosts; T1021.002 covers the share access itself.
T1562 Impair Defenses — All network interfaces disabled via netsh, severing host connectivity before final wipe execution begins. No sub-technique covers interface disabling directly (T1562.001 Disable or Modify Tools applies to security tooling, not connectivity), so the parent technique is the defensible mapping.
T1070 Indicator Removal — USN change journal cleared before and after the wipe to suppress forensic visibility.
T1059.003 Windows Command Shell — All preparation and coordination stages driven through batch scripts (OhSyncNow.bat, notesreg.bat) executing native Windows tooling at domain scale.
Section 06

Indicators of Compromise

Analyst Note

Public atomic IOC coverage is intentionally narrow because Lotus Wiper appears to be a bespoke, single-deployment operation. Defenders should prioritize behavioral detections over broad hash matching. The pre-detonation behavioral signals are the most valuable detection window available, and a 90-day historical lookback is recommended given the campaign's staging timeline.

File Hashes (MD5)
0b83ce69d16f5ecd00f4642deb3c5895
c6d0f67db6a7dbf1f9394d98c1e13670
b41d0cd22d5b3e3bdb795f81421a11cb
Specific file-to-hash assignments not disclosed in public reporting.
File and Artifact Indicators
OhSyncNow.bat
notesreg.bat
nstats.exe
nevent.exe
ndesign.exe
OHSync.xml (NETLOGON trigger file)
C:\lotus\
%SystemDrive%\lotus\
HKLM\...\Winlogon\CachedLogonsCount = 0
Behavioral Indicators
New file creation in NETLOGON share by non-admin account
diskpart.exe executing with clean all argument
netsh.exe disabling all interfaces in rapid succession
sc.exe querying or modifying UI0Detect
High-volume account password resets followed by deactivation
robocopy.exe /MIR against system root directories
fsutil.exe file createnew sized to available free space
Windows system binaries copied into C:\lotus\
srclient.dll loaded by a non-system process
nstats.exe, nevent.exe, or ndesign.exe executing from non-Domino paths
Section 07

Detection Analysis

Lotus Wiper is highly destructive, but it is detectable if organizations are watching the right control points early enough. The most critical detections target the coordination and preparation phase, before detonation begins. By the time the final wipe payload is actively zeroing disks, recovery options have already collapsed. A minimum 90-day historical lookback is recommended given this campaign's months-long staging window. Bulk execution of diskpart, robocopy, fsutil, and netsh at production scale has almost no legitimate operational equivalent and should be treated as a high-confidence signal cluster.

Standard SIEM-Compatible Detections

  1. NETLOGON Share File Creation by Non-Admin
  2. Diskpart Clean All Execution
  3. Bulk User Account Lockout via Net User
  4. UI0Detect Service Query or Modification
  5. All Network Interfaces Disabled via Netsh
  6. System Binaries Written to Non-Standard Directory
  7. Robocopy Mirror Mode Against System Directories
  8. Fsutil Large File Creation Filling Disk
  9. srclient.dll Loaded by Non-System Process
  10. HCL Domino Component Names in Non-Domino Paths

OT-Platform Required Detections

  • NETLOGON Share Access from OT Network Segment
  • Legacy Windows Service Manipulation on OT Asset
Detection Strategy

The most effective posture is a cross-domain correlation model covering domain share activity, legacy Windows service manipulation, batch-driven destructive tooling, account access destruction, and OT network segment exposure to enterprise control points. These OT-specific rules are especially important in mixed IT-OT environments where OT-adjacent Windows systems remain domain-joined and have access paths into enterprise services. Lotus Wiper's architecture exploits exactly that condition.
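The following Python is an added example written for this bulletin's rule list and correlation model; it is not tooling from the bulletin or from any vendor or agency it names. It implements nine of the ten SIEM detections above as predicates over process-creation and share-access events (rule 9, srclient.dll, needs image-load telemetry such as Sysmon Event 7 rather than process creation and is omitted; rule 6 is approximated by execution from the C:\lotus\ staging directory), applies per-host thresholds for the bulk signals, and then performs the cross-domain correlation this section calls for: a WriteData access into NETLOGON by an account outside the administrator baseline, followed inside one window by the preparation cluster on several hosts. The event records are constructed to resemble the fields of Sysmon Event 1 and Security Event 5145; the hostnames, accounts, timestamps, the 30-minute window and the host/rule thresholds are assumptions.

```python
"""Pre-detonation detector for Lotus Wiper style activity.

Added example, not code from the original bulletin. Runs the bulletin's
behavioral rules over telemetry shaped like Sysmon Event 1 (process creation)
and Security Event 5145 (share object access), then correlates a NETLOGON write
with the preparation cluster appearing on several hosts inside one window.
All hosts, accounts, timestamps and thresholds below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ntpath import basename

FILE_WRITE_DATA = 0x2  # AccessMask bit for WriteData/AddFile in Event 5145
SYSTEM_DIRS = ("c:\\windows", "c:\\program files", "c:\\users")
DOMINO_NAMES = {"nstats.exe", "nevent.exe", "ndesign.exe"}
THRESHOLDS = {"account_disable": 3, "netsh_interface_disable": 2}  # hits per host
S32 = "C:\\Windows\\System32\\"

def _p(ts, host, image, cmdline, user="CORP\\eng01"):
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}

# Constructed sample telemetry (invented, not victim data).
SHARE_EVENTS = [
    {"ts": "2026-01-10T02:10:00", "host": "DC01", "user": "CORP\\da_jsmith",
     "share": "\\\\*\\NETLOGON", "path": "\\logon.bat", "access_mask": 0x2},
    {"ts": "2026-01-10T03:00:02", "host": "DC01", "user": "CORP\\svc_print",
     "share": "\\\\*\\NETLOGON", "path": "\\OHSync.xml", "access_mask": 0x2},
    {"ts": "2026-01-10T03:00:05", "host": "DC01", "user": "CORP\\HMI-07$",
     "share": "\\\\*\\NETLOGON", "path": "\\OHSync.xml", "access_mask": 0x1},  # read only
]
PROC_EVENTS = [
    _p("2026-01-10T03:00:41", "HMI-07", S32 + "sc.exe", "sc.exe query UI0Detect"),
    _p("2026-01-10T03:00:43", "HMI-07", S32 + "net.exe", "net user operator1 x7Hq2!pL /active:no"),
    _p("2026-01-10T03:00:44", "HMI-07", S32 + "net.exe", "net user operator2 Qz9!mB4r /active:no"),
    _p("2026-01-10T03:00:45", "HMI-07", S32 + "net.exe", "net user operator3 T2k#Wd8s /active:no"),
    _p("2026-01-10T03:00:50", "HMI-07", S32 + "netsh.exe", 'netsh interface set interface "Ethernet" admin=disable'),
    _p("2026-01-10T03:00:51", "HMI-07", S32 + "netsh.exe", 'netsh interface set interface "Ethernet 2" admin=disable'),
    _p("2026-01-10T03:01:00", "HMI-07", S32 + "robocopy.exe", "robocopy C:\\lotus\\empty C:\\Windows /MIR"),
    _p("2026-01-10T03:01:05", "HMI-07", S32 + "fsutil.exe", "fsutil file createnew C:\\fill.bin 412316860416"),
    _p("2026-01-10T03:01:10", "HMI-07", "C:\\lotus\\nstats.exe", "nstats.exe"),
    _p("2026-01-10T03:00:44", "HIST-01", S32 + "sc.exe", "sc.exe query UI0Detect"),
    _p("2026-01-10T03:01:02", "HIST-01", S32 + "diskpart.exe", "diskpart.exe /s C:\\lotus\\wipe.txt"),
    _p("2026-01-10T03:00:46", "EWS-02", S32 + "sc.exe", "sc.exe query UI0Detect"),
    _p("2026-01-10T03:00:47", "EWS-02", S32 + "fsutil.exe", "fsutil file createnew C:\\fill.bin 98765432100"),
    # benign: a backup job mirroring to a file share the night before, and a real Domino server
    _p("2026-01-09T22:00:00", "FS01", S32 + "robocopy.exe", "robocopy D:\\data \\\\bkp\\data /MIR", user="CORP\\svc_backup"),
    _p("2026-01-10T03:00:00", "MAIL01", "C:\\Program Files\\HCL\\Domino\\nstats.exe", "nstats.exe"),
]

def classify_process(ev):
    """Name the preparation rule a single process event matches, or None."""
    img = basename(ev["image"]).lower()
    path = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    if img == "diskpart.exe" and ("clean all" in cmd or "/s" in cmd):
        return "diskpart_clean_all"  # commands live in the /s script; fetch it in real tooling
    if img == "netsh.exe" and "admin=disable" in cmd:
        return "netsh_interface_disable"
    if img == "sc.exe" and "ui0detect" in cmd:
        return "ui0detect_service"
    if img in ("net.exe", "net1.exe") and " user " in cmd and "/active:no" in cmd:
        return "account_disable"
    if img == "robocopy.exe" and "/mir" in cmd:
        args = [a for a in cmd.split() if not a.startswith("/")]  # [robocopy, src, dst]
        if len(args) >= 3 and args[2].startswith(SYSTEM_DIRS):
            return "robocopy_mir_system"
    if img == "fsutil.exe" and "file createnew" in cmd:
        return "fsutil_fill_disk"
    if "\\lotus\\" in path:
        return "lotus_staging_dir"  # execution out of the staging directory
    if img in DOMINO_NAMES and "domino" not in path:
        return "domino_name_outside_domino"
    return None

def netlogon_write_alerts(share_events, baseline_admins):
    """Rule 1: WriteData into NETLOGON by an account outside the admin baseline."""
    baseline = {u.lower() for u in baseline_admins}
    return [ev for ev in share_events
            if ev["share"].upper().endswith("\\NETLOGON")
            and ev["access_mask"] & FILE_WRITE_DATA
            and ev["user"].lower() not in baseline]

def host_clusters(proc_events, start, end):
    """Per host, the rules whose hit count crossed threshold inside [start, end]."""
    counts = defaultdict(Counter)
    for ev in proc_events:
        if start <= datetime.fromisoformat(ev["ts"]) <= end:
            rule = classify_process(ev)
            if rule:
                counts[ev["host"]][rule] += 1
    return {h: {r for r, n in c.items() if n >= THRESHOLDS.get(r, 1)} for h, c in counts.items()}

def analyze(share_events, proc_events, baseline_admins, window_minutes=30, min_hosts=3, min_rules=2):
    """Tie each suspicious NETLOGON write to the preparation cluster that follows it across hosts."""
    triggers = netlogon_write_alerts(share_events, baseline_admins)
    findings = {"netlogon_alerts": triggers, "detonations": []}
    for trig in triggers:
        start = datetime.fromisoformat(trig["ts"])
        clusters = host_clusters(proc_events, start, start + timedelta(minutes=window_minutes))
        hosts = sorted(h for h, rules in clusters.items() if len(rules) >= min_rules)
        if len(hosts) >= min_hosts:
            findings["detonations"].append({"trigger": trig["path"], "writer": trig["user"],
                                            "hosts": hosts, "clusters": clusters})
    return findings

if __name__ == "__main__":
    result = analyze(SHARE_EVENTS, PROC_EVENTS, baseline_admins=["CORP\\da_jsmith"])
    for a in result["netlogon_alerts"]:
        print(f"NETLOGON write by non-baseline account {a['user']}: {a['path']} at {a['ts']}")
    for d in result["detonations"]:
        print(f"Domain-wide detonation pattern after {d['trigger']} on {len(d['hosts'])} hosts")
        for h in d["hosts"]:
            print(f"  {h}: {sorted(d['clusters'][h])}")
```

To run it over real telemetry, map Sysmon Event 1 (Computer, User, Image, CommandLine) and Security Event 5145 (SubjectUserName, ShareName, RelativeTargetName, AccessMask) onto the dictionary fields used here. The two benign records show why the correlation layer matters: a backup job's robocopy /MIR to a file share and a genuine Domino nstats.exe fall through every rule, and EWS-02 only counts toward the detonation finding because two distinct rules fire on it inside the window after the NETLOGON write.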

Section 08

Prevention and Mitigation

Lotus Wiper's architecture depends on a few critical control failures: write access to NETLOGON, domain-level pre-positioning, reliance on online-only backups that the wiper can reach, and unsegmented legacy Windows systems. Those are all addressable. The controls below directly target the attack chain's most critical dependencies.

Immediate Actions

Restrict NETLOGON Write Access

  • The campaign trigger depends on placing OHSync.xml in the NETLOGON share
  • Restrict write access to a tightly controlled administrator baseline immediately
  • Alert on any new file creation in NETLOGON from non-baseline accounts

Implement Offline Immutable Backups

  • Lotus Wiper destroys restore points, wipes disks, and defeats standard recovery paths
  • Require offline or air-gapped backups for all critical OT-adjacent systems
  • Test backup integrity against full disk wipe scenarios, not just file-level recovery

Inventory Legacy Windows Systems

  • Identify Windows 7, Server 2008, Server 2012, and pre-1803 Windows 10 in your environment
  • Where upgrade is not feasible, apply segmentation and application allowlisting
  • Apply enhanced monitoring on all legacy OT-adjacent Windows assets
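To make the inventory step concrete, here is an added Python example (not from the bulletin) that classifies an Active Directory computer export into the generations this section names. It parses the OperatingSystemVersion attribute as exported by Get-ADComputer -Properties OperatingSystem,OperatingSystemVersion | Export-Csv, treats the whole Windows NT 6.x line (Vista, 7, 8, 8.1 and the 2008/2012 server releases) as legacy, and uses build 17134 (Windows 10 1803, the release that dropped UI0Detect) as the cut-off for the 10.0 line. The CSV rows are constructed; the 17134 threshold and the choice to flag Windows Server 2016 (build 14393) because it predates that build are assumptions made here, not statements from the bulletin.

```python
"""Legacy Windows inventory classifier for OT-adjacent estates.

Added example, not code from the original bulletin. Reads the CSV that
Get-ADComputer ... | Export-Csv produces and sorts hosts into the generations
the bulletin puts in scope. Rows are constructed; build 17134 as the 1803
cut-off and treating Server 2016 (14393) as in scope are assumptions.
"""
import csv
import io
import re
from collections import Counter

SAMPLE_EXPORT = """\
"Name","OperatingSystem","OperatingSystemVersion"
"EWS-02","Windows 7 Professional","6.1 (7601)"
"HIST-01","Windows Server 2008 R2 Standard","6.1 (7601)"
"SCADA-01","Windows Server 2012 R2 Standard","6.3 (9600)"
"HMI-07","Windows 10 Enterprise 2016 LTSB","10.0 (14393)"
"HMI-08","Windows 10 Enterprise","10.0 (19045)"
"MAIL01","Windows Server 2016 Standard","10.0 (14393)"
"DC01","Windows Server 2019 Standard","10.0 (17763)"
"OLD-PLC-PC","Windows XP Professional","5.1 (2600)"
"UNKNOWN-1","",""
"""

BUILD_1803 = 17134  # first Windows 10 build without UI0Detect (assumption used as cut-off)
_VER = re.compile(r"^(\d+)\.(\d+)(?:\s*\((\d+)\))?")

def classify_os(version):
    """Map an AD OperatingSystemVersion string such as '10.0 (17763)' to (category, reason)."""
    m = _VER.match(version or "")
    if not m:
        return "unknown", "no version attribute; verify the host manually"
    major, minor, build = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major < 6:
        return "legacy", f"NT {major}.{minor} predates Vista and is long out of support"
    if major == 6:
        return "legacy", f"NT 6.{minor} generation (Vista/7/8/8.1, Server 2008/2008 R2/2012/2012 R2)"
    if major == 10 and build < BUILD_1803:
        return "legacy", f"build {build} predates 1803 (build {BUILD_1803}); UI0Detect still present"
    return "current", f"build {build} is 1803 or later"

def inventory(csv_text):
    """Classify every row of an Export-Csv style computer export."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        category, reason = classify_os(row["OperatingSystemVersion"])
        results.append({"name": row["Name"], "os": row["OperatingSystem"],
                        "category": category, "reason": reason})
    return results

def summary(results):
    """Count hosts per category."""
    return dict(Counter(r["category"] for r in results))

if __name__ == "__main__":
    rows = inventory(SAMPLE_EXPORT)
    for r in rows:
        if r["category"] != "current":
            print(f"{r['name']:<12} {r['category']:<8} {r['os'] or '(no OS attribute)'}: {r['reason']}")
    print(summary(rows))
```

Hosts that land in the legacy bucket are the ones to segment, allowlist and monitor first; the unknown bucket is worth a manual pass, because a computer object with no OS attribute is often a stale or hand-built host that never reported in.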
Architectural Controls

Monitor Living-Off-the-Land Patterns

  • Bulk execution of diskpart, robocopy, fsutil, and netsh at production scale has almost no legitimate operational equivalent
  • These are high-confidence signals and should be monitored aggressively across all endpoints
  • Implement process execution monitoring on all OT-adjacent workstations

Enforce Privileged Access Controls

  • This campaign required domain administrator capability and knowledge of internal account structure
  • Implement Privileged Access Workstations and time-bounded administrative rights
  • Monitor and alert on bulk account modification events across the domain

Isolate OT from Domain Services

  • Lotus Wiper exploits OT-adjacent systems that remain domain-joined with access to enterprise share paths
  • Evaluate whether OT workstations require domain membership or can operate in isolation
  • Restrict NETLOGON and Group Policy paths from reaching OT network segments
Section 09

Reporting and Resources

If Lotus Wiper Artifacts Are Identified

Treat the situation as an active domain compromise, not an isolated malware event. Pre-detonation artifacts such as OHSync.xml in NETLOGON or the C:\lotus\ directory may still provide an opportunity to interrupt the kill chain. Preserve volatile memory before remediation. Rotate privileged credentials before recovery begins, on the assumption that the entire domain is compromised. Do not rely on restore points or VSS snapshots. Verify OT system integrity before restoring any process operations.


CISA

  • 24/7: (888) 282-0870
  • central@cisa.dhs.gov
  • cisa.gov/report

FBI IC3

  • ic3.gov
  • Submit incident reports online

E-ISAC

  • eisac.com
  • 202-383-8000
  • Energy sector incident reporting

WaterISAC

  • H2OIAC.org
  • analyst@waterisac.org
  • (866) H2O-ISAC

PhishCloud CFC

  • info@phishcloud.com
  • IOC queries and detection support
  • Report indicators to update bulletin

Lotus Wiper proves that OT impact does not require ICS malware. Long-dwell pre-positioning, domain-wide execution, native Windows tooling, and simultaneous destructive detonation are enough to take down the systems operators depend on for visibility, coordination, and control. The real defensive lesson is not just what the malware did. It is how long the attackers had to prepare before anyone saw it.
