Hackers Use Lotus Wiper to Destroy Drives and Delete Files in Energy Sector Attack

A newly discovered malware called Lotus Wiper has been used in a targeted destructive attack against the energy and utilities sector in Venezuela. Unlike ransomware, this threat does not ask for money or lock files for a ransom payment.

Instead, it permanently destroys data, wipes entire drives, and leaves systems in a state from which recovery is simply not possible.

The attack came to light against a backdrop of rising geopolitical tensions in the Caribbean region during late 2025 and early 2026. Artifacts linked to the attack were found uploaded to a publicly available resource from a machine in Venezuela in mid-December 2025.

The malware had been compiled in late September 2025, which means the threat actors had been quietly preparing for this destructive operation for several months before executing it.

Securelist analysts and researchers identified the malicious artifacts as part of their routine threat hunting and malware classification work.

They noted clear signs within the sample indicating that the intended victim was an organization operating in the energy and utilities sector.

No payment instructions or extortion messages were found anywhere in the code, which confirmed that this was a purely destructive operation with no financial motivation behind it.

The attack is believed to be highly targeted and geopolitically motivated. The wiper aggressively removes recovery mechanisms, overwrites physical drives with zeros, and systematically deletes files across all affected volumes.

Previous destructive attacks like NotPetya in 2017 and HermeticWiper in 2022 caused massive damage to critical infrastructure, and Lotus Wiper now joins that dangerous category of threats.

The malware masquerades as legitimate HCL Domino application components, with file names like nstats.exe, nevent.exe, and ndesign.exe designed to blend in with normal system activity.

This indicates the attackers had already gained prior access to victim systems and had staged the malicious executables beforehand, which strongly points to earlier backdoor activity on the compromised hosts.

How the Infection Chain Works

The attack begins with a batch script named OhSyncNow.bat, which serves as the entry point for the entire destructive sequence.

This script first identifies a target working directory, typically C:\lotus, and then attempts to disable the Interactive Services Detection service known as UI0Detect, a Windows service that would otherwise alert users to suspicious background activity.

Since this service was removed by Microsoft starting with Windows 10 version 1803, its presence suggests the attackers specifically targeted legacy systems where the service still exists.

The script then checks for a remote XML flag file named OHSync.xml on the domain’s NETLOGON share. This is a network-based trigger mechanism where the presence of that remote file acts as a signal to begin execution across all machines in the domain.

If the file is found, a second batch script called notesreg.bat is launched, which is designed to run only once.

It enumerates local user accounts, changes their passwords to random strings, marks them inactive, disables cached logins, logs off active sessions, and shuts down all network interfaces using netsh.

It also runs diskpart clean all against every logical drive, overwriting the entire disk content with zeros.

After the batch scripts finish preparing the environment, the final payload, Lotus Wiper, takes over. It uses XOR decryption to restore its own executable before running.

Once active, it enables administrative privileges, deletes all Windows System Restore points by abusing the srclient.dll API, and then fills each disk sector with zeros using low-level IOCTL disk commands.

It also uses fsutil to create a file that consumes all available free space, further exhausting storage capacity. Files are then zeroed out using FSCTL_SET_ZERO_DATA, renamed with random hexadecimal strings, and deleted.

[Figure: USN journal being cleared using IOCTL controls (Source: Securelist)]

If a file is in use and cannot be deleted immediately, the wiper uses MoveFileExW to schedule its deletion upon the next system restart.

Organizations in the energy sector and critical infrastructure should take the following steps to reduce exposure to this type of threat.

Audit permissions and monitor file activity on domain shares, especially watching NETLOGON for unauthorized changes.

Review security logs regularly for signs of credential abuse, token manipulation, or privilege escalation attempts.

Monitor for unusual usage of built-in Windows tools such as fsutil, robocopy, and diskpart, as attackers frequently abuse these native utilities to avoid triggering traditional security alerts.

Secure backup systems and routinely test data restoration procedures to ensure recovery is possible even after a destructive incident.
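The monitoring advice above can be turned into a simple correlation rule. The following is an added example written for this article, not code from Securelist or from the malware: it runs regex rules over constructed process-creation and file-create records (field names, host names and command lines are all assumed) and escalates a host only when several stages of the batch-script chain appear together, or when a single critical indicator such as the NETLOGON flag file shows up.

```python
import re
from collections import defaultdict

# Rules for process-creation events (command line). Each one maps to a step the
# article attributes to OhSyncNow.bat / notesreg.bat or to the wiper payload.
PROCESS_RULES = {
    "ui0detect_tamper":    re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config|delete)\s+UI0Detect\b", re.I),
    "net_user_deactivate": re.compile(r"\bnet1?(?:\.exe)?\s+user\s.*?/active:no\b", re.I),
    "netsh_iface_disable": re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+set\s+interface\b.*\bdisabled?\b", re.I),
    "diskpart_scripted":   re.compile(r"\bdiskpart(?:\.exe)?\b.*\s/s\b", re.I),
    "fsutil_createnew":    re.compile(r"\bfsutil(?:\.exe)?\s+file\s+createnew\b", re.I),
}
# Rules for file-create events (full path): the remote trigger file on NETLOGON.
FILE_RULES = {
    "netlogon_flag_file": re.compile(r"\\\\[^\\]+\\NETLOGON\\OHSync\.xml$", re.I),
}
# Indicators that justify escalation on their own, even as a single hit.
CRITICAL = {"netlogon_flag_file", "diskpart_scripted"}

# Constructed sample telemetry for this example (not real events from the incident).
SAMPLE_EVENTS = [
    {"host": "ws-legacy-07", "kind": "process", "data": r"sc stop UI0Detect"},
    {"host": "ws-legacy-07", "kind": "process", "data": r"net user jdoe Qx91!v /active:no"},
    {"host": "ws-legacy-07", "kind": "process", "data": r'netsh interface set interface "Ethernet" admin=disable'},
    {"host": "ws-legacy-07", "kind": "process", "data": r"diskpart /s C:\lotus\script.txt"},
    {"host": "dc-01",        "kind": "file",    "data": r"\\corp.example\NETLOGON\OHSync.xml"},
    {"host": "srv-files-02", "kind": "process", "data": r"fsutil file createnew C:\fill.bin 10737418240"},
    {"host": "admin-pc",     "kind": "process", "data": r"netsh interface show interface"},
]

def match_rules(event):
    """Return the names of every rule the event's command line or path matches."""
    rules = FILE_RULES if event["kind"] == "file" else PROCESS_RULES
    return [name for name, rx in rules.items() if rx.search(event["data"])]

def correlate(events, min_distinct=2):
    """Group rule hits per host. A host is escalated when it shows at least
    min_distinct different stages (single hits occur in normal admin work)
    or any CRITICAL indicator. Returns (all_hits, escalated)."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]].add(name)
    escalated = {h: sorted(r) for h, r in hits.items()
                 if len(r) >= min_distinct or r & CRITICAL}
    return dict(hits), escalated

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS)[1].items():
        print(f"ESCALATE {host}: {', '.join(rules)}")
```

In production the same rules would read Sysmon Event ID 1 / 11 or Security 4688 records instead of the embedded list; the thresholds are a starting point to tune against your own baseline of legitimate diskpart and fsutil use.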


The post Hackers Use Lotus Wiper to Destroy Drives and Delete Files in Energy Sector Attack appeared first on Cyber Security News.
