PDVSA Was Likely Attacked by Lotus Wiper
A new wiper analyzed by Kaspersky was likely used in the December attack on the Venezuelan oil company PDVSA as evidenced by a crucial detail in the script.

This Tuesday, Kaspersky’s GReAT published a report on a new piece of malware uploaded from Venezuela in mid-December called Lotus Wiper (available in English and in Spanish).
In light of geopolitical tensions that occurred in the Caribbean region in late 2025 and early 2026, artifacts associated with the attack chain of a destructive wiping campaign targeting the energy and utilities sector in Venezuela were identified on a publicly available resource.
The report provides the analysis of two batch scripts and a new wiper dubbed Lotus Wiper. Together, these tools were responsible for preparing the environment for the attack, coordinating the launch of the operation across the network, and launching the destructive phase featuring several wiping techniques.
Kaspersky researchers did not provide the name of the victim; instead, they described it in more general terms.
Yet, there is a crucial detail, omitted in the report, that points to a very specific target—the oil company PDVSA. On December 15, PDVSA, together with the oil ministry of Venezuela, announced that it was “the target of a cyberattack aimed at halting its operations” and blamed this on the U.S. government, albeit without much detail.
In this post, I will present my findings that contribute to the understanding of Lotus Wiper and its potential use, and then offer some general thoughts about international implications and our understanding of cyber conflict.
First Clues
Using hashes provided in the Kaspersky report, I found that the three files they analyzed were first submitted to VirusTotal on December 14. Kaspersky describes this in more vague terms (“uploaded to a publicly available resource in mid-December of that year”).
OhSyncNow.bat (0b83ce69d16f5ecd00f4642deb3c5895)
notesreg.bat (c6d0f67db6a7dbf1f9394d98c1e13670)
nstats.exe a.k.a. Lotus Wiper (b41d0cd22d5b3e3bdb795f81421a11cb)
I noticed that the date, December 14, is very close to the PDVSA announcement, and I highlighted this on social media. Then I received a response from Ben Read, who pointed out a more obvious detail: the trigger file (OhSyncNow.bat) actually set pdvsa[.]com as the domain.
Domain-Limited Wiper
While I don’t have access to VirusTotal, I was able to find OhSyncNow.bat scanned on the online sandbox platform Hybrid Analysis. The file was submitted to Hybrid Analysis on December 14, an hour after it was uploaded to VirusTotal, so it was probably grabbed from VT. There are two available scans, but basically this was useful for me because I could copy the whole script and examine for myself the hardcoded domain highlighted by Ben Read.
vmo is the variable that is used to construct the path to a network folder:
\\%vmo%\NETLOGON\%ruU%\%puL%
The script checks this network folder for the presence of a specified flag (OHSync.xml). If the flag is there, the script triggers the wiping operation. If the flag is not there, the script exits. If the remote location is unavailable, another attempt is taken after a delay.
In this context, the fact that vmo is set to pdvsa[.]com is crucial for understanding the attacker’s intention. This essentially limited the wiping operation to the specified network domain. In case the same batch script was launched on a computer outside of the domain, it would never trigger the next phase.
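As an added triage example (not code from the post or from Kaspersky), the following Python resolves the batch variables into the full NETLOGON flag path the gate depends on, then counts per host the accesses to that path in constructed share-access records, which is what a defender would hunt for. The script fragment, the ruU/puL values and the log format are assumptions; only vmo, NETLOGON, OHSync.xml and the defanged domain come from the post.

```python
import re
# Constructed fragment modelled on the trigger logic the post describes (domain
# in vmo, NETLOGON path from vmo/ruU/puL, OHSync.xml flag). Domain kept defanged,
# ruU/puL are placeholders; this is not the real OhSyncNow.bat.
SAMPLE_BAT = r"""set vmo=pdvsa[.]com
set ruU=PLACEHOLDER_DIR
set puL=PLACEHOLDER_SUBDIR
set flag=\\%vmo%\NETLOGON\%ruU%\%puL%\OHSync.xml
if exist "%flag%" goto run
"""
SET_RE = re.compile(r'^\s*set\s+"?(\w+)=([^"\r\n]*)"?', re.I | re.M)
VAR_RE = re.compile(r"%(\w+)%")

def expand(value, env, depth=0):
    # resolve %var% references like cmd.exe does; unknown names stay literal
    new = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)
    return new if new == value or depth > 8 else expand(new, env, depth + 1)

def gate_indicators(script):
    # the gate is the resolved 'set' value that is a UNC path under a NETLOGON share
    env = {m.group(1): m.group(2) for m in SET_RE.finditer(script)}
    resolved = [expand(v, env) for v in env.values()]
    unc = next((v for v in resolved
                if v.startswith("\\\\") and "\\netlogon\\" in v.lower()), None)
    if unc is None:
        return None
    return {"domain": unc[2:].split("\\", 1)[0], "flag_path": unc,
            "flag_file": unc.rsplit("\\", 1)[-1]}

# Constructed share-access records (not a real Windows event format): hosts
# that keep probing the flag path are candidates for running the trigger script.
SAMPLE_LOG = [
    "2025-12-14T03:12:05 host=WS0042 share=\\\\pdvsa[.]com\\NETLOGON target=PLACEHOLDER_DIR\\PLACEHOLDER_SUBDIR\\OHSync.xml",
    "2025-12-14T03:12:06 host=WS0042 share=\\\\pdvsa[.]com\\NETLOGON target=Policies\\gpt.ini",
    "2025-12-14T03:13:05 host=WS0107 share=\\\\pdvsa[.]com\\NETLOGON target=PLACEHOLDER_DIR\\PLACEHOLDER_SUBDIR\\OHSync.xml",
]

def hunt_flag_probes(lines, indicators):
    # per-host count of accesses whose share + target equals the resolved flag path
    hits = {}
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        full = fields["share"] + "\\" + fields["target"]
        if full.lower() == indicators["flag_path"].lower():
            hits[fields["host"]] = hits.get(fields["host"], 0) + 1
    return hits
```

A host outside the hardcoded domain cannot reach that NETLOGON share at all, which is why the same script would never advance past the gate there.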
It’s obvious that Kaspersky was aware of the name of the domain, hence the researchers wrote that “there are clear signs in the malware sample that the intended victim operates in the utilities and energy sector.” It’s unclear why this crucial detail was omitted, maybe because of the company’s policy not to name the victim without its consent. Still, this script is available for anyone to see the mention of pdvsa[.]com.
Unless it’s some intricate distraction, this is strong evidence that points to a likely connection to the actual attack on PDVSA.
Attack on PDVSA
The December incident was not only announced by the company but was also confirmed by Bloomberg and Reuters sources. Nevertheless, very few details are known about it. For instance, in December, a Reuters source from PDVSA suggested that this was a ransomware attack. But it’s unclear if they had first-hand knowledge. It’s possible that a wiper attack could initially be mistaken for the impact of ransomware, since ransomware is a more widespread and better-known type of threat.
In the January update, one month after the incident, Bloomberg did not mention the ransomware version of events.
What about the impact of the attack? There are different accounts.
Per PDVSA announcement, “the operational areas were not affected in any way, the attack being limited to the administrative system.”
The Reuters story confirmed the damage to the administrative system, which had consequences for the company’s operations:
“There’s no delivery (of cargoes), all systems are down,” one company source said.
A shipper involved in Venezuelan oil deals confirmed that all loading instructions for the export market remained suspended.
Oil output, refining and domestic distribution were not affected, the sources said, but the company on Monday failed to restart administrative systems, forcing workers to keep written records of operations.
Two other sources said PDVSA ordered administrative and operational workers to disconnect from the company’s systems and to limit access of indirect workers to the company’s facilities.
In January, Bloomberg reported that PDVSA was still recovering from the attack. The company’s SCADA system, SAP software, payment system, and internal email were reportedly still down, while employees had to communicate with each other using Telegram, WhatsApp, and Gmail.
Possibility of U.S. Involvement
PDVSA accused the U.S. government of the attack. Could it be so? Probably, but there is only circumstantial evidence.
First, there is the geopolitical context and the months-long U.S. pressure on Venezuela, specifically on its oil industry in December. The United States began deploying military forces to the Caribbean Sea in August 2025, apparently preparing for an operation that would culminate in January 2026 with the capture of Venezuela’s president Nicolás Maduro. In December, the United States took several measures aimed at the oil industry of Venezuela, seizing the oil tanker Skipper off its coast, putting in place additional sanctions, and later enacting a blockade on sanctioned oil tankers.
Second, there were several previous U.S. cyber attacks on Venezuela, per reports from Wired and CNN. Both stories talk about cyber activities during Donald Trump’s first term when his administration was attempting to remove Maduro from power. According to Wired, the CIA successfully disrupted Venezuela’s military payroll system. According to CNN, the CIA disabled the computer network used by Venezuelan intelligence service, while U.S. Cyber Command targeted the satellite communications of the Russia-linked Wagner Group that reportedly had a presence in Venezuela. Although not confirmed otherwise, these stories suggest U.S. interest in using cyber capabilities along with other tools to pressure Venezuela.
Third, Lotus Wiper analysis offers a few insights. According to Kaspersky’s report, preparations for the attack could have started as early as September 2025, as evidenced by the compilation time of the wiper. Thus, it was not opportunistic but rather a well-thought-through attack requiring clarity of objectives and substantial organizational resources. With the hardcoded domain name, the attack was very targeted. There are no known mechanisms of uncontrolled spreading. It was the opposite of NotPetya. The attack also included several wiping techniques to make sure the job was done. Together these features suggest careful planning and preparation. This doesn’t necessarily point to the U.S., but that’s how U.S. officials themselves describe their cyber operations in contrast to those of other actors.
What’s unusual is the use of wipers, typically not associated with U.S. operations. But it has been reported that in Operation Glowing Symphony against ISIS, operators of U.S. Cyber Command did delete files, folders, and content. It's unclear how this was done—manually or with some kind of a wiper—but this suggests that U.S. military hackers have no inherent problem with deleting their adversaries’ data.
In sum, there are several circumstantial cues supporting the possibility of U.S. involvement in the attack on PDVSA, but none of them is conclusive. It’s also important to mention that neither U.S. officials nor even anonymous sources have claimed responsibility for the attack.
Implications
So, what if it were the United States? That would make it a pretty remarkable operation, unseen so far, where cyber capabilities are used to put pressure on a country together with other tools. It’s a much more goal-oriented use of wipers than other known cases.
Based on malware analysis, it was well implemented in the operational sense: thanks to deliberately redundant wiping techniques it caused long-lasting damage, while also keeping the attack limited to the computers within the specified network. To the best of our knowledge, the attack did not self-propagate outside of the targeted company and did not affect other organizations.
Still, even such a limited-scope operation would be a breach of UN cyber norms as defined in the 2015 report of the Group of Governmental Experts. A destructive attack on critical infrastructure during peacetime clearly goes against the so-called framework of responsible state behavior in cyberspace. Alas, the cyber norms are explicitly said to be voluntary and non-binding, and in practice they are rarely recalled. At the very least, it’s important to note that the attackers were not taking them seriously when launching this operation.
There are still a lot of unknowns here, so I’m just speculating based on new pieces of evidence. More information might emerge if PDVSA comments on Kaspersky’s findings, if other artifacts are discovered, or if someone familiar with the operation decides to share their perspective.
But if my analysis is largely accurate, the PDVSA attack is one of the most interesting cases from various standpoints including information security, cyber conflict, legal analysis, etc.
If you disagree or have something to add to the story, I welcome your feedback.