Cyber Threat Brief — April 23 2026
⚠️ This report is AI-generated. Always validate findings.
1. Lotus Wiper — Destructive Campaign Targeting Energy Sector
TL;DR: Kaspersky disclosed a novel destructive wiper used against Venezuela’s energy and utilities sector since late 2025. Lotus Wiper overwrites physical disk sectors via IOCTL calls and eliminates all recovery options — no ransom demand, pure destruction.
What’s New:
- Kaspersky report published April 21-22; sample compiled September 2025, uploaded from Venezuela in December 2025
- Two-stage batch orchestration:
  - OhSyncNow.bat creates the C:\lotus working directory, disables the UI0Detect service, and polls the NETLOGON share for the OHSync.xml trigger file with a randomized 20-minute retry delay
  - Wiper uses IOCTL_DISK_GET_DRIVE_GEOMETRY_EX to map disk geometry, then zeroes all physical sectors; finalizes with IOCTL_DISK_UPDATE_PROPERTIES
- USN journal cleared and restore points deleted before disk wipe — no recovery possible
- Targets older Windows systems (attackers had prior domain knowledge), no financial motive
- Kaspersky detections: HEUR:Trojan.BAT.Agent.gen, HEUR:Trojan.BAT.LotusWiper.gen, HEUR:Trojan.Win32.LotusWiper.gen
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| OhSyncNow.bat batch script execution | Initial execution | T1059.003 | Sysmon EID 1, Windows Security 4688 | Alert — batch execution creating C:\lotus directory |
| C:\lotus directory creation | Staging | T1074.001 | Sysmon EID 11 (FileCreate), EDR telemetry | Alert — creation of C:\lotus path |
| OHSync.xml on NETLOGON share | C2/Trigger | T1080 | Windows Security 5145 (share access), Sysmon EID 3 | Hunt — XML file polling on NETLOGON share |
| UI0Detect service disabled | Defense evasion | T1562.001 | Windows System 7040 (service state change) | Alert — Interactive Services Detection service disabled |
| DeviceIoControl with IOCTL_DISK_GET_DRIVE_GEOMETRY_EX | Disk destruction | T1561.002 | Sysmon EID 1 (process accessing \\.\PhysicalDrive), EDR | Alert — non-system process accessing raw disk handles |
| USN journal deletion / restore point removal | Impact | T1490 | Windows Application 8224, vssadmin command logging | Alert — USN journal clear + VSS deletion combo |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows System or Service Stopped (generic) | Need: UI0Detect service disable + raw disk access + VSS deletion correlation rule |
| Elastic | None | Need: Batch script creating non-standard root directories + NETLOGON XML polling |
| Sigma | proc_creation_win_vssadmin_delete_shadow.yml (partial) | Need: OhSyncNow.bat or C:\lotus staging directory + IOCTL_DISK_GET_DRIVE_GEOMETRY_EX process access rule |
Sources: Kaspersky Securelist · BleepingComputer · The Hacker News · SecurityAffairs
Status Updates
- CVE-2026-33825 (BlueHammer/Microsoft Defender): CISA KEV addition April 22; federal deadline May 7. Patched in April 14 Patch Tuesday. BlueHammer, RedSun, and UnDefend all confirmed exploited in the wild (ITW) by Huntress; RedSun and UnDefend remain unpatched — apply April cumulative update immediately and monitor for Defender Platform >= 4.18.26050.3011. CISA KEV April 22 · Original brief April 7.
- CVE-2026-20122/20128/20133 (Cisco SD-WAN): Federal deadline TODAY April 23 for three companion CVEs; full SD-WAN Manager attack chain with CVE-2026-20127. Original brief April 5.
- CVE-2025-48700 (Zimbra): Federal deadline TODAY April 23; UAC-0233 exploitation ongoing against Ukrainian entities; patch to ZCS 10.0.18/10.1.13. Yesterday’s brief.
- CVE-2026-4681 (PTC Windchill): Still no patch; German police physical outreach continues; imminent exploitation threat persists. Original brief March 27.