From Sabotage to Silence: The Lotus Wiper’s Final Act of Disk-Level Annihilation + Video

Listen to this Post

Introduction:
Discovered by Kaspersky’s Securelist team in late 2025, Lotus Wiper is not your average malware. It is a purpose-built, destructive tool deployed as a final-stage payload in a multi-phase intrusion, designed not for financial gain but for pure, irreversible operational disruption. Unlike ransomware, which holds data for ransom, Lotus Wiper focuses on low-level disk overwriting and systematic file deletion to ensure that system recovery is a physical impossibility, effectively turning critical infrastructure into digital graveyards.

Learning Objectives:

  • Understand the tactical execution chain of Lotus Wiper, from initial batch script to IOCTL-based physical disk destruction.
  • Identify key indicators of compromise (IoCs), including abnormal `NETLOGON` activity, mass user account modifications, and signs of Volume Shadow Copy (VSS) and USN journal clearing.
  • Implement proactive detection, containment, and forensic collection strategies to mitigate the impact of wiper-class malware before the destructive payload is triggered.

You Should Know:

  1. Decoding the Attack Chain: From Batch Trigger to Physical Disk Wipe

The Lotus Wiper attack doesn’t just appear out of thin air. It relies on a multi-stage process that begins weeks or months before the final payload detonates. The execution begins with a batch script named OhSyncNow.bat. This script performs several critical pre-execution tasks. First, it tries to disable the legacy Windows Interactive Services Detection (UI0Detect) service to suppress any visible warnings. It then checks for a `NETLOGON` share and looks for a remote trigger file named OHSync.xml. If this file exists, the script proceeds to run the second-stage script, notesreg.bat.

Once `notesreg.bat` is executed, the real system sabotage begins. The script enumerates all local user accounts, disables cached logins, and logs off active sessions. It then runs system-native commands to cause chaos: `diskpart clean all` overwrites entire partitions with zeros, `robocopy` is used to mirror folders and overwrite existing contents, and `fsutil` creates a massive file that fills all remaining free space, making any potential file recovery incredibly difficult.

After this initial layer of destruction, the true wiper payload is decrypted and launched. Lotus Wiper elevates its privileges and then interacts with disks at the lowest possible level. It uses `FindFirstVolumeW` and `FindNextVolumeW` to locate each mounted volume and then spawns new threads to clear the USN (Update Sequence Number) journal, which is the primary file system change log on Windows.

Step‑by‑Step Guide to Analyzing Similar Scripts:

  1. Static Analysis: Run `strings` on any suspicious `.bat` files or executables. Look for keywords like diskpart, fsutil, robo, VSS, cipher, and NETLOGON.
  2. Command Line Logging: Enable command-line auditing via Group Policy.
  3. Simulation (Safe Environment): Execute suspicious scripts in a sandbox to observe behavior.
  4. Process Tree Analysis: In an EDR or Sysmon (Event ID 1), look for a process tree where `cmd.exe` spawns `diskpart.exe` or `fsutil.exe` without a legitimate parent process.
  5. Timeline Correlation: Correlate script execution with sudden VSS deletion events.

  6. The Havoc on Windows: Abusing Native Tools for Irreversible Damage

Lotus Wiper is a masterclass in “living off the land” (LotL). It avoids dropping complex, signature-heavy binaries in the early stages, instead weaponizing the very tools administrators use for maintenance. The following commands, when observed in rapid succession outside of a maintenance window, are a key sign of a wiper attack.

Common Windows Commands Abused by Lotus Wiper:

  • Partition and Volume Wiping:
    diskpart
    list disk
    select disk X
    clean all
    

    The `clean all` command performs a full overwrite of every sector on the selected disk with zeros, making data recovery nearly impossible.

  • File and Directory Overwrite:

    robocopy C:\empty_dir D:\target_dir /MIR
    

    This mirrors an empty directory over a target, effectively deleting all contents without leaving typical traces.

  • Filling Disk Space to Prevent Recovery:

    fsutil file createnew C:\fill.tmp 1000000000000
    for /L %i in (1,1,9999) do fsutil file createnew C:\fill_%i.tmp 10000000
    

    This creates massive files that consume all free space, further hindering forensic data carving.

  • Deleting Volume Shadow Copies (VSS):

    vssadmin delete shadows /all /quiet
    wmic shadowcopy delete
    

    This removes system restore points and backups, crippling recovery mechanisms.

  • Clearing the USN Journal (Forensic Evasion):

    fsutil usn deletejournal /D C:
    

    This command clears the $UsnJrnl file, which is critical for forensic investigators to determine what files were accessed or deleted.

  1. Stealth and Anti-Forensics: Evading Detection and Obfuscating the Attack

While Lotus Wiper does not attempt to hide its execution—its goal is destruction, after all—it employs specific tradecraft to delay detection until it is too late. The malware incorporates a random delay of up to 20 minutes when checking for the remote `NETLOGON` synchronization flag. This technique complicates behavioral detection by making network communication patterns non-deterministic and helps synchronize detonation across multiple hosts on a domain.

To further clear its tracks, the wiper renames files to random, hexadecimal strings before deletion, obscuring the original file names and making recovery or identification via file tables impossible. It also repeatedly wipes disks in multiple cycles, ensuring that even low-level data recovery techniques fail.

Step-by-Step Guide for Digital Forensics on a Wiped System:

  1. Isolate and Image: Immediately disconnect the system, but do not shut it down if possible. Capture a full physical memory dump and a forensic disk image (e.g., using FTK Imager or dd). Do not boot from the system’s own drive.
  2. Analyze the MFT and USN Journal: In a forensic tool like Autopsy or EnCase, check the Master File Table (MFT) and the USN Journal. If the USN Journal is cleared or truncated, it is a strong indicator of the `fsutil usn deletejournal` command being run.
  3. Check Volume Shadow Copies: Run `vssadmin list shadows` on the imaged drive (via a read-only mount). A lack of any shadow copies strongly suggests a VSS deletion attack.
  4. Examine System Logs: On a live system (or from the memory dump), review Windows Event Logs. Look for Event ID 7045 (service installation), Event ID 4698 (scheduled task creation), and repeated logon failures.
  5. Review Prefetch Files: On Windows systems, Prefetch files (in C:\Windows\Prefetch) can reveal the last execution time and run count of diskpart.exe, fsutil.exe, and robocopy.exe.

  6. Proactive Defense: Detecting the Wiper Before the Finale

The security community’s consensus is clear: if the wiper executes, the battle is already lost. The goal, therefore, is to detect and disrupt the intrusion before the final payload. Detection must focus on the “pre-wiper” phase. Here is how to build a defense-in-depth strategy.

Step-by-Step Guide for Proactive Detection:

  1. Hunt for Abnormal .bat Activity: Deploy hunting rules to identify the execution of new or uncommon batch scripts in the `NETLOGON` share. Monitor for scripts named `Sync.bat` or `reg.bat` that attempt to disable the `UI0Detect` service.
  2. Deploy Sigma Rules: Implement Sigma rules to detect the sequential use of diskpart, fsutil, and VSS deletion commands within a short time window from the same parent process. An example detection rule might look for `vssadmin delete shadows` followed by `diskpart clean all` with the same ProcessGuid.
  3. Monitor for USN Journal Resets: Set up a Sysmon configuration to monitor for usage of the `fsutil usn deletejournal` command (Event ID 1). This is a high-fidelity indicator.
  4. Implement Network Segmentation: Ensure SCADA and critical infrastructure systems are on separate, firewalled network segments. The wiper’s reliance on a `NETLOGON` share and domain controller access should be confined or heavily monitored.
  5. Immutable Backups: Maintain offline, immutable backups that are physically disconnected from the network. In a wiper attack, online backups are often compromised first to prevent restoration.

5. Cloud and Critical Infrastructure Hardening

The targeting of Venezuela’s energy sector underscores the geopolitical motivations behind wiper malware. Any organization operating critical infrastructure must harden their hybrid environments. For cloud environments, the principle is similar: the wiper is the finale; the cloud account was already owned.

Step-by-Step Cloud and OT Hardening:

  1. Enforce MFA with Phishing-Resistant Tokens: Force the use of FIDO2 keys for all accounts with access to industrial control system (ICS) management or cloud consoles.
  2. Segment Administrator Accounts: Use a Privileged Access Workstation (PAW) for all administrative tasks. Never browse the web or check email from an admin account.
  3. Harden Active Directory: Regularly audit the `NETLOGON` share for unauthorized scripts. Restrict who can write to SYSVOL.
  4. Implement Deception Technology: Deploy honeypot accounts (e.g., “ord-backup-svc”) and decoy files (canaries). Any attempt to disable these accounts or delete these files will trigger an immediate alert.
  5. Real-Time Endpoint Monitoring: EDR solutions with behavior-based detections can identify the anomalous process chains and kill the malicious process before `diskpart` completes its job.

What Undercode Say:

  • Early Detection is Everything: By the time the wiper runs, recovery is a matter of days, not hours. Defense must shift to pre-execution indicators.
  • Wipers Are Geopolitical Weapons: Lotus Wiper is not a nuisance; it is a tool for state-backed sabotage, designed to destabilize nations.
  • The USN Journal Is Your Silent Witness: The clearing of the USN journal is itself a critical alert. If an admin tool is clearing journals, assume an attack is in progress.
  • Legacy Systems Are Targets: The use of the now-removed `UI0Detect` service indicates threat actors are deliberately targeting older, unpatched systems.

Prediction:

Lotus Wiper is a harbinger of a new wave of cyber-sabotage. As geopolitical tensions shift, we will see more highly targeted wipers designed not for persistence but for a singular, explosive impact. Future variants may evolve to target firmware, hypervisors, not just disks, making physical hardware replacement the only recovery method. The shift from ransomware (monetary) to wipers (destructive) represents a dangerous escalation in the use of malware as a tool for state-on-state conflict and strategic disruption in the digital age.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Flavioqueiroz Lotuswiper – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky