{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/energy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["data-wiper","lotus-wiper","venezuela","energy","utilities"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIn 2025, a new data wiper malware known as Lotus was used in targeted attacks against Venezuelan energy and utility companies. The malware, discovered by Kaspersky researchers after being uploaded to a public platform in mid-December 2025 from a Venezuelan machine, aims to completely destroy compromised systems. The attacks coincide with a period of geopolitical tension in the region. The malware not only overwrites data but also removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state. The attackers used a series of batch scripts to prepare the environment before deploying the final Lotus wiper payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial execution of a batch script (\u003ccode\u003eOhSyncNow.bat\u003c/code\u003e) to disable the Windows \u003ccode\u003eUI0Detect\u003c/code\u003e service.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eOhSyncNow.bat\u003c/code\u003e performs an XML file check for coordinated execution.\u003c/li\u003e\n\u003cli\u003eExecution of a second-stage batch script (\u003ccode\u003enotesreg.bat\u003c/code\u003e) when specific conditions are met.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enotesreg.bat\u003c/code\u003e enumerates users, disables accounts by changing passwords, logs off active sessions, disables all network interfaces, and deactivates cached logins.\u003c/li\u003e\n\u003cli\u003eThe malware enumerates drives and executes \u003ccode\u003ediskpart clean all\u003c/code\u003e to overwrite drives with zeros.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erobocopy\u003c/code\u003e is used to overwrite directory contents.\u003c/li\u003e\n\u003cli\u003eThe malware calculates free space and uses \u003ccode\u003efsutil\u003c/code\u003e to create a file that fills the disk, hindering data recovery.\u003c/li\u003e\n\u003cli\u003eThe batch script decrypts and executes the Lotus wiper, which overwrites physical sectors, clears USN journal entries, and wipes restore points. The final step updates disk properties using \u003ccode\u003eIOCTL_DISK_UPDATE_PROPERTIES\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Lotus wiper attacks against Venezuelan energy and utility firms in 2025 resulted in complete data loss and system unrecoverability. The attacks aimed to disrupt operations by destroying systems and eliminating any possibility of data recovery. While the exact number of affected organizations isn\u0026rsquo;t specified, the impact of such attacks on critical infrastructure can be significant, potentially affecting energy distribution and essential services for the population. The attacks coincide with a period of geopolitical tension, suggesting a potential motive of sabotage or disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for changes to the NETLOGON share, as this is a potential indicator of compromise (see Overview).\u003c/li\u003e\n\u003cli\u003eAlert on modifications to the \u003ccode\u003eUI0Detect\u003c/code\u003e service state using a \u003ccode\u003eregistry_set\u003c/code\u003e Sigma rule to identify potential initial stages of the attack (see Rules).\u003c/li\u003e\n\u003cli\u003eImplement detection rules to identify the execution of \u003ccode\u003ediskpart\u003c/code\u003e, \u003ccode\u003erobocopy\u003c/code\u003e, and \u003ccode\u003efsutil\u003c/code\u003e with parameters related to data wiping activities using \u003ccode\u003eprocess_creation\u003c/code\u003e Sigma rules (see Rules).\u003c/li\u003e\n\u003cli\u003eMonitor for mass account changes and disabling of network interfaces, as these are precursor activities (see Overview).\u003c/li\u003e\n\u003cli\u003eMaintain regular offline backups and validate their restorability frequently to mitigate the impact of data wipers (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-lotus-wiper/","summary":"The Lotus wiper, a previously undocumented data-wiping malware, was deployed against Venezuelan energy and utilities organizations in 2025, overwriting physical drives, deleting files, and rendering systems unrecoverable.","title":"Lotus Data Wiper Targeting Venezuelan Energy and Utility Firms","url":"https://feed.craftedsignal.io/briefs/2026-04-lotus-wiper/"}],"language":"en","title":"CraftedSignal Threat Feed — Energy","version":"https://jsonfeed.org/version/1.1"}