Listen to this Post

Introduction
In a stark departure from financially motivated ransomware, a newly discovered malware strain known as Lotus Wiper has been systematically erasing Venezuela’s energy infrastructure with surgical precision—demanding no ransom, leaving no survivors, and making data recovery a technological impossibility. Kaspersky researchers uncovered this previously undocumented wiper targeting the nation’s energy and utilities sector between late 2025 and early 2026, employing a sophisticated multi‑phase attack chain that weaponizes native Windows tools to permanently destroy systems while evading traditional defenses.
Learning Objectives
- Analyze the Lotus Wiper Attack Chain: Understand how batch scripts orchestrate network‑wide destruction, disable defenses, and deploy the final wiper payload.
- Master Defensive Hardening Techniques: Learn to implement detection rules, audit NETLOGON shares, and harden Windows environments against living‑off‑the‑land (LotL) attacks.
- Develop Immutable Backup Strategies: Design recovery architectures that withstand physical disk overwrites and protect critical infrastructure from permanent data loss.
You Should Know
- Attack Orchestration: How Batch Scripts Disable Defenses and Trigger Destruction
Lotus Wiper’s execution begins with a batch file named OhSyncNow.bat, which serves as the campaign’s digital tripwire. This script first attempts to stop the legacy Windows service Interactive Services Detection (UI0Detect)—a move that suppresses on‑screen warnings that would otherwise alert users to malicious background activity. The script then checks for a remote XML file (OHSync.xml) on the organization’s NETLOGON domain share, using its presence as a network‑based trigger to coordinate execution across all domain‑joined systems. If the remote file is unreachable, the script introduces a randomized delay of up to 20 minutes before retrying, ensuring persistence even in unstable network conditions.
Once triggered, a second batch script (notesreg.bat) initiates the preparation phase. It enumerates all local user accounts, changes their passwords to random strings, disables cached logins, forcibly logs off active sessions, and shuts down all network interfaces—effectively isolating the machine and preventing any remote intervention. The script then enumerates logical drives and executes diskpart clean all, overwriting entire volumes with zeros. It uses `robocopy` to recursively mirror folders, overwriting or deleting existing contents, and calculates free space to create a massive file using fsutil, exhausting storage capacity and hindering forensic analysis.
Step‑by‑Step Guide: Detecting and Blocking Batch‑Based Attack Vectors
| Phase | Detection Method | Command / Action |
|-|-||
| Monitor UI0Detect Manipulation | Audit service state changes | `sc query UI0Detect` (Windows) |
| Track NETLOGON Share Changes | Enable file auditing on `SYSVOL` | `auditpol /set /subcategory:”File System” /success:enable` |
| Detect Batch Script Execution | Monitor process creation events | Event ID 4688 (Windows Security Log) |
| Block Unauthorized `diskpart` Usage | Restrict interactive logins for built‑in tools | AppLocker or WDAC policy |
| Log `robocopy` and `fsutil` Activity | Enable command line auditing | `auditpol /set /subcategory:”Process Creation” /success:enable` |
Linux Equivalent Monitoring (for cross‑platform environments):
Monitor for batch‑like script execution auditctl -a always,exit -F arch=b64 -S execve -F path=/bin/bash -k script_exec Track file changes on network shares inotifywait -m -r /path/to/NETLOGON/ -e modify,create,delete
- Privilege Escalation and Defense Evasion: Abusing Legitimate Windows Tools
Lotus Wiper exemplifies the living‑off‑the‑land (LotL) paradigm, relying entirely on legitimate Windows utilities to evade signature‑based detection. After the initial batch scripts prepare the environment, the final wiper payload—compiled in late September 2025—grants itself all available token privileges, gaining full administrative access without needing to exploit additional vulnerabilities. The malware then dynamically loads `srclient.dll` and calls `SRSetRestorePoint` and `SRRemoveRestorePoint` in reverse sequence, methodically deleting every Windows System Restore checkpoint on the system.
To further evade forensic analysis, Lotus Wiper clears the USN (Update Sequence Number) journal—the file system’s change log that records every modification. By wiping this journal, the malware erases all traces of file deletions, overwrites, and rename operations, making post‑incident reconstruction nearly impossible. The wiper also interacts directly with physical drives via IOCTL calls, retrieving disk geometry with `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX` before writing zeros across every sector—a low‑level operation that bypasses file system abstractions and ensures permanent destruction.
Step‑by‑Step Guide: Hardening Windows Against LotL and Token Abuse
| Hardening Measure | Implementation | Verification |
||-||
| Restrict Token Privileges | Remove SeBackupPrivilege, `SeRestorePrivilege` from non‑admin accounts | `whoami /priv` |
| Disable Legacy Services | Set UI0Detect to Disabled | `sc config UI0Detect start=disabled` |
| Audit DLL Loading | Enable DLL auditing via Windows Defender Attack Surface Reduction | ASR rule GUID: `d4f940ab-401b-4efc-aadc-ad5f3c50688a` |
| Block VSS Deletion | Restrict access to Volume Shadow Copy Service | `vssadmin list shadows` (monitor for deletions) |
| Enable Command Line Logging | Configure PowerShell and CMD logging | `Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging” -Name “EnableScriptBlockLogging” -Value 1` |
Linux Command to Monitor for Suspicious IOCTL Activity (if applicable):
Use strace to trace low‑level disk operations strace -e ioctl -p <PID> 2>&1 | grep -E "BLK|HDIO"
- Data Annihilation: Physical Disk Overwrite and Forensic Obstruction
Once the wiper gains full privileges, it enters its most destructive phase. Using `FindFirstVolumeW` and FindNextVolumeW, Lotus Wiper enumerates every mounted volume and spawns separate threads to perform two simultaneous wiping actions: deleting all system files and clearing the volume’s change journal. For each file, the malware overwrites its content with zeros via FSCTL_SET_ZERO_DATA, renames it to a random hexadecimal string, and then calls DeleteFileW. If a file is locked by a running process, Lotus Wiper schedules its removal on the next reboot using `MoveFileExW` with the `MOVEFILE_DELAY_UNTIL_REBOOT` flag.
Between waves of physical disk wiping, the malware repeatedly executes `diskpart clean all` to ensure that every sector of every physical drive—including boot records, partition tables, and system reserved areas—is overwritten with zeros. It repeats this destruction cycle multiple times and updates disk properties using `IOCTL_DISK_UPDATE_PROPERTIES` to persist the changes. The result is a system with no restore points, no journal entries, no file system metadata, and no possibility of data recovery through any conventional means.
Step‑by‑Step Guide: Detecting and Mitigating Active Wiper Activity
| Detection Signal | Monitoring Method | Response Action |
|–|-|–|
| Mass File Deletions | Track `DeleteFileW` API calls via Sysmon Event ID 23 | Isolate host immediately |
| Physical Disk Overwrites | Monitor `diskpart` execution with `clean all` parameter | Kill process and revoke privileges |
| USN Journal Resets | Check for `FSCTL_DELETE_USN_JOURNAL` control code | Trigger SIEM alert |
| System Restore Deletions | Audit `SRSetRestorePoint` API usage | Log source IP and account |
| Network Isolation Commands | Watch for `netsh interface set admin` executions | Block outgoing traffic |
Windows Command to Check USN Journal Status:
fsutil usn queryjournal C:
Linux Command to Detect Mass File Overwrites (analogous monitoring):
Monitor for zero‑write operations on block devices auditctl -a always,exit -F arch=b64 -S write -F path=/dev/sda -k disk_overwrite
4. Network‑Based Triggers: How Attackers Coordinate Domain‑Wide Destruction
One of Lotus Wiper’s most insidious features is its use of network‑based trigger mechanisms that enable synchronized destruction across an entire Active Directory domain. The first batch script hard‑codes the victim organization’s name into a variable to build a file path pointing to a remote XML file on the NETLOGON share. If this remote file exists, the script proceeds to execute the second batch script; if the remote file is absent, the script exits, effectively using the presence of the XML file as a “kill switch” to control the attack’s timing.
This design suggests that the attackers likely had prior access to the compromised environment, staging the binary before the attack and using the XML file as a remote signal to initiate the destructive phase simultaneously across hundreds or thousands of machines. Kaspersky noted that this approach is “consistent with classic backdoor trigger mechanisms that rely on externally accessible resources to control malware behavior.”
Step‑by‑Step Guide: Securing NETLOGON Shares and Active Directory
| Security Control | Implementation | Verification |
|–|-||
| Restrict NETLOGON Write Permissions | Set read‑only access for standard users | `icacls \\domain\NETLOGON` |
| Monitor for New XML Files | Enable file creation auditing | Event ID 4663 (Windows Security) |
| Implement SMB Signing | Enforce SMB packet signing | `Set-SmbServerConfiguration -RequireSecuritySignature $true` |
| Deploy Network Segmentation | Isolate domain controllers from general user access | VLAN segmentation with firewall rules |
| Use Honeytokens | Place decoy XML files on NETLOGON and monitor access | Custom script or EDR alert |
Linux Command to Monitor SMB Shares for Suspicious Access (if using Samba):
Enable full SMB auditing in smb.conf [bash] logging = full log level = 2 auth:3 Monitor logs in real‑time tail -f /var/log/samba/log.smbd | grep -E "open|create|write"
- Post‑Wiper Forensics: What Remains and How to Investigate
After Lotus Wiper completes its execution, affected systems are left in a permanently unrecoverable state—no partitions, no boot records, no file system, and no logs. However, skilled incident responders can still gather evidence from network‑side telemetry, adjacent systems, and memory captures taken before the final wipe. Key artifacts to collect include:
- Firewall and proxy logs showing the initial infection vector and command‑and‑control (C2) communications.
- Active Directory authentication logs (Event ID 4624 and 4625) revealing account enumeration and password change attempts.
- Windows Event Logs from domain controllers that may have recorded batch script executions before the local logs were destroyed.
- Endpoint Detection and Response (EDR) telemetry from systems that detected but did not stop the initial script activity.
- Network traffic captures (PCAPs) containing SMB traffic to the NETLOGON share or unusual ICMP packets that may indicate C2 beacons.
Step‑by‑Step Guide: Preserving Forensic Evidence During an Active Wiper Attack
| Priority | Action | Tool / Command |
|-|–|-|
| 1. Isolate | Disable network interfaces immediately | `ipconfig /release` (Windows) |
| 2. Capture Memory | Acquire RAM before shutdown | `DumpIt` or `FTK Imager` |
| 3. Preserve Logs | Export Windows Event Logs remotely | `wevtutil epl System C:\backup\System.evtx` |
| 4. Image Drives | Create forensically sound disk images | `dd` or `FTK Imager` |
| 5. Record Hashes | Document file hashes of suspicious executables | `certutil -hashfile
Linux Command for Remote Log Collection (if target is Linux‑based):
Securely copy logs before potential wipe rsync -avz -e ssh /var/log/ user@collector:/forensics/
6. Mitigation and Recovery: Building Immutable Offline Backups
The only reliable defense against a wiper like Lotus is an immutable, offline, and geographically separated backup strategy. Traditional online backups, cloud snapshots, and even on‑premises tape libraries are vulnerable if the attacker has administrative access—Lotus Wiper’s ability to delete Volume Shadow Copies and wipe physical disks renders any connected backup storage useless. Organizations must implement a 3‑2‑1‑1‑0 backup rule: at least three copies of data, on two different media types, with one copy off‑site, one copy immutable, and zero errors after restore testing.
Step‑by‑Step Guide: Implementing Wiper‑Resilient Backup Architecture
| Layer | Implementation | Frequency | Validation |
|-|-|–||
| Offline Air‑Gapped Backups | Tape libraries physically disconnected | Daily | Quarterly restore drills |
| Write‑Once, Read‑Many (WORM) Storage | Object lock on S3 or Azure Blob | Continuous | Verify lock expiration dates |
| Immutable Snapshots | ZFS snapshots with retention policies | Hourly | `zfs list -t snapshot` |
| Recovery Site Replication | Asynchronous replication to isolated environment | Continuous | Periodic failover testing |
| Backup Integrity Monitoring | Automated checksum validation | Weekly | SHA‑256 verification logs |
Linux Command to Create Immutable ZFS Snapshots:
Create a read‑only snapshot zfs snapshot -r pool/data@pre_wiper_$(date +%Y%m%d) Set snapshot to immutable (read‑only) zfs set readonly=on pool/data@pre_wiper_20260422
Windows Command to Enable Volume Shadow Copy with Retention:
Configure VSS with maximum storage and independent schedule vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20% vssadmin create shadow /for=C:
What Undercode Say
- Wipers Are the New Ransomware: As law enforcement becomes more effective at disrupting ransom payment pipelines, nation‑state actors and hacktivists are increasingly turning to pure destruction. Lotus Wiper’s lack of any extortion mechanism signals a strategic shift toward irreversible operational sabotage.
-
Living‑Off‑The‑Land Is Unstoppable by Traditional AV: Lotus Wiper’s reliance on
diskpart,robocopy,fsutil, and other native Windows tools renders signature‑based antivirus solutions completely ineffective. Defenders must transition to behavior‑based detection, application whitelisting, and least‑privilege architectures. -
Network Triggers Demand Zero‑Trust File Shares: The use of an XML file on a NETLOGON share as a remote kill switch highlights the danger of implicit trust within Active Directory environments. Zero‑trust principles—including continuous authentication, micro‑segmentation, and rigorous file integrity monitoring—are no longer optional for critical infrastructure.
Prediction
The emergence of Lotus Wiper foreshadows a new era of geopolitical cyber‑warfare where wipers become the weapon of choice for state actors seeking plausible deniability and maximum disruption. As critical infrastructure sectors—energy, water, transportation, and healthcare—remain heavily reliant on legacy Windows systems, we predict a wave of copycat wipers over the next 12–18 months, targeting not only Venezuela but also other nations with fragile energy grids. Organizations that fail to implement immutable offline backups and behavior‑based detection will find themselves permanently erased from the digital landscape, with no recovery possible and no ransom to pay. The only question is not if but when the next Lotus Wiper strikes.
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackermohitkumar Kaspersky – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


