It’s worth noting that, according to some reports, the United States’s extraction of Venezuelan President Nicolas Maduro in early January 2026involved cyberattacksto trigger power outages and disable air defense radars.Lotus Wiper’s execution chain starts with a batch script that attempts to stop the legacy Windows service Interactive Services Detection (UI0Detect) to prevent visible warnings that a malicious activity occurs in the background.The malicious script appears built to run on older Windows versions that still run UI0Detect, as the service was officially removed from the OS in Windows 10 version 1803.Additionally, the script checks for a file on a NETLOGON share, coding the victim organization’s name in a variable to build the file path. If this file and a corresponding local file exist, it executes a second batch script. It exits if the remote file does not exist, but continues with the next stage even if the local file is missing.“This logic functions as a network-based trigger, where the presence of the remote XML file acts as a control signal to initiate execution across systems in the domain. This approach is consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior,” Kaspersky explains.The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
Lotus Wiper’s execution chain starts with a batch script that attempts to stop the legacy Windows service Interactive Services Detection (UI0Detect) to prevent visible warnings that a malicious activity occurs in the background.The malicious script appears built to run on older Windows versions that still run UI0Detect, as the service was officially removed from the OS in Windows 10 version 1803.Additionally, the script checks for a file on a NETLOGON share, coding the victim organization’s name in a variable to build the file path. If this file and a corresponding local file exist, it executes a second batch script. It exits if the remote file does not exist, but continues with the next stage even if the local file is missing.“This logic functions as a network-based trigger, where the presence of the remote XML file acts as a control signal to initiate execution across systems in the domain. This approach is consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior,” Kaspersky explains.The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
The malicious script appears built to run on older Windows versions that still run UI0Detect, as the service was officially removed from the OS in Windows 10 version 1803.Additionally, the script checks for a file on a NETLOGON share, coding the victim organization’s name in a variable to build the file path. If this file and a corresponding local file exist, it executes a second batch script. It exits if the remote file does not exist, but continues with the next stage even if the local file is missing.“This logic functions as a network-based trigger, where the presence of the remote XML file acts as a control signal to initiate execution across systems in the domain. This approach is consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior,” Kaspersky explains.The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
Additionally, the script checks for a file on a NETLOGON share, coding the victim organization’s name in a variable to build the file path. If this file and a corresponding local file exist, it executes a second batch script. It exits if the remote file does not exist, but continues with the next stage even if the local file is missing.“This logic functions as a network-based trigger, where the presence of the remote XML file acts as a control signal to initiate execution across systems in the domain. This approach is consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior,” Kaspersky explains.The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
“This logic functions as a network-based trigger, where the presence of the remote XML file acts as a control signal to initiate execution across systems in the domain. This approach is consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior,” Kaspersky explains.The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
The second script checks for another file to determine if it has already run. If the file does not exist, it enumerates local user accounts, changes their passwords, disables cached logins, logs off active sessions, and disables network interfaces to prevent device access.It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
It also enumerates logical drives, wipes their contents, copies Windows binaries to a working directory, mirrors folders to overwrite existing contents or delete them, and calculates the available free space to fill it with a large file, exhausting storage capacity.It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
It then runs an executable, leading to Lotus Wiper’s retrieval and execution. The attacker, Kaspersky says, likely had prior access to the compromised system, as the binary was staged before the attack.The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
The wiper “enables all privileges in its current token to access administrative functions (relying on pre-existing elevated rights), deletes restore points, and wipes every physical drive by writing all zeroes to its sectors. It then clears the update sequence numbers (USN) of the volumes’ journals and, finally, scans all the volumes looking for files to delete,” Kaspersky says.Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
Related:ZionSiphon Malware Targets ICS in Water FacilitiesRelated:Anubis Ransomware Packs a Wiper to Permanently Delete FilesRelated:ESET Distributor’s Systems Abused to Deliver Wiper MalwareRelated:New Reports Reinforce Cyberattack’s Role in Maduro Capture Blackout
Source: SecurityWeek
