{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] Highly destructive Lotus Wiper used in a targeted attack",
    "protected": false,
    "publish_timestamp": "1779544269",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779544268",
    "uuid": "122534c1-a7bb-4387-82e1-331b4b38ac37",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5b3acc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Wipe - T1561\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#d4fd6f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#b24806",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Access Removal - T1531\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#a05856",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Content Wipe - T1561.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Venezuela\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776826812",
        "to_ids": false,
        "type": "link",
        "uuid": "b98be106-36c8-4997-9de2-c0f161e311ff",
        "value": "https://securelist.com/tr/lotus-wiper/119472/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776826812",
        "to_ids": false,
        "type": "text",
        "uuid": "e759cb9c-e0e7-45a0-8ed6-7433366e3235",
        "value": "A highly targeted destructive wiper campaign dubbed 'Lotus Wiper' was discovered targeting the energy and utilities sector in Venezuela during late 2025 and early 2026. The attack begins with batch scripts that coordinate execution across networks, using domain shares as trigger mechanisms. These scripts disable security services, lock out users, and prepare the environment for the final payload. The Lotus Wiper systematically destroys data by wiping physical drives with zeros, deleting restore points, clearing USN journals, and recursively deleting files. Unlike ransomware, this wiper has no financial motivation and makes no ransom demands; it is designed purely for data destruction. Evidence suggests attackers maintained long-term domain access prior to the attack, with the wiper compiled months before deployment. The malware targets older Windows systems and uses legitimate system tools like diskpart, robocopy, and fsutil."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776826812",
        "to_ids": false,
        "type": "text",
        "uuid": "c5fad050-0034-46f9-9c92-e8cc2eb25540",
        "value": "Name: Highly destructive Lotus Wiper used in a targeted attack\nAuthor: AlienVault\nAdversary: \nTags: [\"destructive attack\", \"targeted campaign\", \"critical infrastructure\", \"batch scripts\", \"venezuela\", \"disk wiping\", \"lotus wiper\", \"energy sector\"]\nTgtd countries: [\"Venezuela, Bolivarian Republic of\"]\nMlwr families: [\"Lotus Wiper\"]\nAttack_ids: [\"T1561.002\", \"T1561\", \"T1489\", \"T1135\", \"T1082\", \"T1106\", \"T1562\", \"T1036\", \"T1070\", \"T1083\", \"T1562.001\", \"T1531\", \"T1059.003\", \"T1485\", \"T1070.004\", \"T1569.002\", \"T1490\", \"T1561.001\", \"T1529\"]\nIndustries: [\"Energy\"]"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544262",
        "uuid": "49971e64-4009-4cf5-823e-048a808e711d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544261",
            "to_ids": true,
            "type": "md5",
            "uuid": "6939191f-02da-444b-87e7-1ba04d0be6f2",
            "value": "0b83ce69d16f5ecd00f4642deb3c5895",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544262",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bebd157c-b67d-4336-a2a0-6ea5369dc475",
            "value": "19f306f517edc131bfebd452b16d57fe3abe7b8d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544262",
            "to_ids": true,
            "type": "sha256",
            "uuid": "992d0c57-cbe0-4406-9777-35ab3bca8841",
            "value": "405177294f6f9268432a43998049ad0d4a61c6909216533b8713c911bc430755",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212480",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "48772632-df9a-47cb-9a41-04b54aee0f73",
            "value": "12:Z4u4hsNXNkjytsA5puF7dT4lGmpydHArKwoXA2Ll2txDECKSZ/c29AHDBx929wBu:g+x+je35a7dqnpydHm5bY2TCLBz5r56l"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212480",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f79e7a38-bd0a-4f85-ad19-3e9d3b104237",
            "value": "798"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212480",
            "to_ids": true,
            "type": "filename",
            "uuid": "921b3f8c-f8c1-47ae-9b06-00d740704288",
            "value": "405177294f6f9268432a43998049ad0d4a61c6909216533b8713c911bc430755.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212480",
            "to_ids": false,
            "type": "text",
            "uuid": "b41224ed-c0b5-4453-a58d-b39040102cbe",
            "value": "Type Description: DOS batch file\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:28/61\nFirst Submission:2025-12-14T21:09:09.000000+00:00\nLast Submission:2026-01-13T15:53:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544265",
        "uuid": "ce70c8ac-5e3d-4646-8ec3-2c33e8e74df7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544265",
            "to_ids": true,
            "type": "md5",
            "uuid": "6c8ee97e-d1e6-4693-b5e4-4355c5677e16",
            "value": "b41d0cd22d5b3e3bdb795f81421a11cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544265",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e22cfe1b-827b-4a88-b51a-2e1f2cf37969",
            "value": "cadd0b1338bff0b09c932b2d52aca061bf38b188",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544265",
            "to_ids": true,
            "type": "sha256",
            "uuid": "51590728-8ae1-49ec-8f8d-ebb14423d921",
            "value": "1d6f374087087738b7699ebf91f1cfdb3b2a65c2e9be72e106ee7c9814be3274",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212502",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9e6b08fc-84f6-43fe-8ce6-fa8a89efa5bc",
            "value": "3072:TWxaMkJlrXXpiE/Zbgg2C9yi50hpuftKpPf/moKX:6xMBXprGh4KsoKX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212502",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1c0c25d7-67e2-48ca-9e7b-e977ddcbda3c",
            "value": "100352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212502",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7edace0f-53d9-48c0-a4b1-b00d51475d14",
            "value": "015046655d156az46!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212502",
            "to_ids": true,
            "type": "filename",
            "uuid": "75f1401b-ce1b-47c4-b50e-83563ffed2bd",
            "value": "1d6f374087087738b7699ebf91f1cfdb3b2a65c2e9be72e106ee7c9814be3274.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  25/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212502",
            "to_ids": false,
            "type": "text",
            "uuid": "01b6af5d-d50b-498a-a84c-3b3b2414ffc3",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:41/71\nFirst Submission:2025-12-14T21:04:00.000000+00:00\nLast Submission:2026-04-24T09:40:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544268",
        "uuid": "670c5634-4375-4fc0-8417-bbaf1fe67c3b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544267",
            "to_ids": true,
            "type": "md5",
            "uuid": "48b48dd9-7fe2-4799-a24e-b6696f83a891",
            "value": "c6d0f67db6a7dbf1f9394d98c1e13670",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544268",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ee5fe519-ce41-4159-9ee0-e75561a1cbf0",
            "value": "6b2bb5287f6c7a217ad3263926603b50fd7f9662",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544268",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d5609f66-fe0d-4645-8b91-cd833ecc3f47",
            "value": "9d05854c95c6afa68911bd28af12282185e0fe34f2e58fddbc503ab22d1508d7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212524",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b441cd1b-0e09-4caa-8d43-cde3f280bd9a",
            "value": "96:Pcvhwi1QLYsvkPwGiN3xL3XAOg8+9jnO/hWiKrMyz6ab64bA14bF4biGwW/TiSNT:9iCkSkPwfDLV1yvGwW/TiAIfPDc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212524",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b593a9f9-a70f-4f8f-b68f-b262654f4246",
            "value": "5679"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212524",
            "to_ids": true,
            "type": "filename",
            "uuid": "1820cf7b-caa3-47da-a3dd-4e6e9ddcfc77",
            "value": "9d05854c95c6afa68911bd28af12282185e0fe34f2e58fddbc503ab22d1508d7.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  25/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212524",
            "to_ids": false,
            "type": "text",
            "uuid": "0a73fc2f-5df8-4a77-b1cd-3c7c817dbc2f",
            "value": "Type Description: DOS batch file\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:30/61\nFirst Submission:2025-12-14T21:09:09.000000+00:00\nLast Submission:2025-12-18T11:53:52.000000+00:00"
          }
        ]
      }
    ]
  }
}