Hackers deployed a previously unknown destructive malware against Venezuela’s energy and utilities sector in an attack designed to destroy systems, according to a report by therecord.media.
Russian cybersecurity firm Kaspersky identified the malware as 'Lotus Wiper.' The tool erases data across physical drives and deletes files throughout a system’s storage, making affected machines impossible to restore.
“We believe that this wiper is extremely targeted, has no financial motivation, and aims to erase all of a device’s files and data,” researchers said in the report.
Targeted infrastructure
Kaspersky reported that the attackers focused on machines running older versions of the Windows operating system. This pattern suggests the attackers likely possessed detailed knowledge of the targeted networks and may have compromised them well before the destructive phase began.
Technical evidence indicates the operation had been in preparation for months. The Lotus Wiper malware was compiled in late September 2025, and a sample linked to the campaign was uploaded to a public malware repository in mid-December from a computer located in Venezuela.
While the researchers did not identify the specific organizations affected, they noted the activity occurred during a period of heightened geopolitical tension in the Caribbean region throughout late 2025 and early this year.
Last December, Venezuela’s state-run oil company, Petróleos de Venezuela (PDVSA), reported a cyberattack that disrupted its administrative systems. Local media reported that the incident temporarily halted oil cargo deliveries.
PDVSA publicly blamed the United States for the intrusion, citing Washington’s increased military presence near Venezuela and its efforts to pressure President Nicolás Maduro. U.S. forces removed Maduro from the country in January.
Cybersecurity experts have not found evidence linking the Lotus Wiper campaign to the U.S. government. There is currently no proof that Lotus Wiper was used in the specific PDVSA incident, and the identity of the threat actor behind the campaign remains unknown.