Lotus wiper strike

- A destructive 'Lotus' wiper targeted Venezuelan utilities, disrupting industrial control and operational systems.
- Security feeds linked the incident to a recent surge of infrastructure-focused exploits and high-impact intrusions.
- Researchers reported the Lotus attack as part of a broader cluster that included ActiveMQ activity and Lazarus-linked incidents. (x.com)

A newly disclosed cyberattack used a destructive program called Lotus Wiper to hit Venezuela’s energy and utilities sector, wiping systems instead of stealing data. (securelist.com) Kaspersky said the campaign targeted a Venezuelan organization during late 2025 and early 2026, with attack files uploaded to a public resource in mid-December. SecurityWeek and BleepingComputer reported the malware was likely compiled in September 2025. (securelist.com) (securityweek.com) (bleepingcomputer.com)

A wiper is malware built to destroy files and disks, the digital equivalent of smashing machinery after breaking into a plant. In this case, researchers said two Windows batch scripts first weakened defenses, mapped network shares, and prepared the environment before the final payload ran. (securelist.com) (thehackernews.com)

The attack mattered beyond office computers because utilities run industrial control and operational technology systems that keep power and other physical processes moving. Dragos said in its 2025 industrial cybersecurity review that wiper malware hitting information-technology networks can still cause severe downstream effects on industrial operations. (dragos.com) (securityweek.com)

The disclosure lands as Venezuela’s grid remains brittle after years of outages and rationing. In March 2026, El País reported daily power cuts of up to eight hours in western states including Zulia, Falcón, Lara, Trujillo, Mérida and Táchira. (english.elpais.com)

Researchers have not publicly attributed Lotus Wiper to a named state or criminal group. Kaspersky said the code and artifacts suggest a targeted sabotage operation tied to geopolitical tensions in the Caribbean in late 2025 and early 2026. (securelist.com) (securityweek.com) The report also surfaced during a busy month for infrastructure-focused threat activity.

CISA added Apache ActiveMQ flaw CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, 2026, after reports of active exploitation against exposed management endpoints. (thehackernews.com) (securityweek.com) Kaspersky separately describes Lazarus, the North Korea-linked hacking group, as an actor tied to cyberespionage, sabotage, ransomware and financial attacks. That does not amount to a public Lazarus attribution for Lotus Wiper, but it places the Venezuela incident inside a wider stream of destructive and infrastructure-centered intrusions now being tracked by researchers. (securelist.com 1) (securelist.com 2)

For utilities, the immediate lesson is simple: the most dangerous malware is not always ransomware demanding payment. Lotus was built to leave systems unusable, and in a power sector already dealing with repeated blackouts, that kind of damage can spill from screens into substations and service outages. (bleepingcomputer.com) (english.elpais.com)

Shared from Scout - Be the smartest in the room.