The post Broken by Design: How VECT 2.0 Ransomware Becomes a Permanent Data Wiper appeared first on Daily CyberSecurity.

The post Lotus Wiper: A Destructive New Threat Strikes Venezuela’s Energy Sector appeared first on Daily CyberSecurity.

Lotus Wiper hit Venezuelan energy systems, used scripts to disable defenses, then erased all data beyond recovery.

Kaspersky researchers found Lotus Wiper targeting Venezuela’s energy and utilities sector amid regional tensions in 2025–2026. Attackers first used batch scripts to weaken systems, disable defenses, and prepare the environment.

Then they deployed the wiper, which erased recovery tools, overwrote disks, and deleted all files, leaving systems unusable.

“Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload. These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating and executing a previously unknown wiper that we dubbed ‘Lotus Wiper’.” reads the report published by Kaspersky. “The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state.”

The researchers pointed out that no ransom demand appeared, showing that the malware was developed with a destructive purpose rather than profit. The campaign looks highly targeted and designed to permanently disrupt critical infrastructure.

The attack chain begins with a batch file called OhSyncNow.bat. It checks specific folders and network shares, then uses a hidden XML file as a trigger to decide whether to continue. If the conditions are met, it runs a second script that prepares the system for destruction.

In the next stage, the malware disables user accounts, forces active logoffs, blocks cached logins, and shuts down network interfaces to isolate the machine. It then searches all disk drives and runs destructive commands like diskpart clean all, which overwrites entire volumes and permanently deletes data.

The script also spreads across directories using file mirroring techniques, overwriting or removing content on a large scale. It then fills remaining disk space with large files to prevent recovery or forensic analysis.

Finally, it launches disguised system-like executables that hide as legitimate software components. These files load the final payload, known as Lotus Wiper, which completes the attack by erasing all remaining data and leaving the system completely unrecoverable.

The final stage of the attack runs the Lotus Wiper implant. A system-like executable first decrypts a hidden payload and prepares it for execution. Then the wiper starts with elevated privileges already present on the system. It removes Windows restore points to block recovery and then begins destroying data.

It wipes all physical disks by writing zeroes across every sector, making recovery impossible. It also clears system logs and update journals to erase traces of activity.

“In between waves of wiping physical drives, Lotus Wiper makes use of FindFirstVolumeW and then FindNextVolumeW, to identify each mounted volume.” continues the report. “It sends the volumes to a new thread that performs two wiping actions: deleting all the system’s files and clearing the volume’s change journal.”

Next, it scans all mounted volumes, deletes files, and corrupts file records. It overwrites file contents with zeroes, renames files with random names, and forces deletion. If a file is locked, it schedules removal on reboot.

The wiper repeats disk destruction multiple times and updates system disk properties to ensure changes persist. In the end, it fully erases data across drives and volumes, leaving the system permanently unusable.

Businesses and government bodies should audit permissions on domain shares and monitor NETLOGON for unauthorized changes, since shared files can trigger coordinated attacks across systems. The wiper requires elevated privileges, often gained after attackers move from low-level accounts to higher access.

Security teams should watch for token abuse, credential theft, and privilege escalation in logs. They must also detect unusual use of built-in tools like fsutil, robocopy, and diskpart, commonly used in “living off the land” attacks. Strong backup testing and recovery planning are essential to ensure systems and data can be restored after destructive incidents.

“An essential detail about the presence of Lotus Wiper attackers in the environment is revealed by the batch scripts. Given that the files included certain functionalities targeting older versions of the Windows operating system, the attackers likely had knowledge of the environment and compromised the domain long before the attack occurred.” conlcudes the report. “Moreover, we observed that Lotus Wiper was compiled in late September 2025, while the sample was uploaded to a publicly available resource in mid-December of that year. Prior to this, the malware had not been used in any other attacks. Assuming the compilation time of the PE file has not been altered, this indicates that the attacker had been preparing for this attack for several months.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, wiper)

Alerts this report is a compilation of trends centered on hacktivists operating on the deep web and dark web. some alleged attacks are labeled as observations due to limited independent technical verification. Major Issues Handala’s multi-pronged offensive stood out. The group used a combination of psychological warfare and subversive attacks, including a claimed FBI-linked domain […]

TeamPCP continues its string of supply chain attacks, and announces a partnership with Vect ransomware group.

The post Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure appeared first on Unit 42.

Akamai researchers saw a 245% spike in cyberattacks in the first two weeks after the start of the U.S. and Israeli war against Iran as Iranian nation-state groups and independent hacktivists launch increasingly decentralized and destructive cyberattacks, which are expected to increase as long as the kinetic battle continues.

The post Cyberattacks Spike 245% in the Two Weeks After the Start of War With Iran appeared first on Security Boulevard.

The evolution of Iranian cyber operations in broad context: from custom wiper malware to misuse of legitimate admin tools and more.

The post Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization appeared first on Unit 42.

We are observing an increase of wiper attacks by the Iran-linked Handala Hack group (aka Void Manticore) through phishing and misuse of Microsoft Intune.

The post Insights: Increased Risk of Wiper Attacks appeared first on Unit 42.

On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala.

The attack on Stryker Corporation — a Fortune 500 medical technology giant that supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company.

Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort.

Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing "a global disruption to the Company's Microsoft environment" and stating it had no indication of ransomware or malware and believed the incident was contained. The company's own filing, however, understated what employees were already reporting on the ground.

Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped.

"My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo," a Reddit user said.

Another claimed the situation as "bad" and said: "Many colleagues phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams.

Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. Stryker in a midnight update said it was still working on complete restoration post the cyberattack.

"We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack.  At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.  Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.  We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible. It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility." - Stryker's update on the cyberattack

The mechanism behind the attack points to a calculated abuse of Microsoft Intune — a cloud-based platform enterprises use to manage and push policy updates to all enrolled devices from a single console. A wiper is malware that permanently erases data rather than encrypting it for ransom.

In short, an attacker with admin-level access to Intune effectively is holding a kill switch for every enrolled endpoint in the organization. The Handala branding that appeared on screens before the wipe confirmed that access had been established and held well before the destructive phase began — this was a deliberate, staged operation.

So Who Exactly is Handala?

Handala — also known as Handala Hack Team, Hatef, and Hamsa — first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, explained researchers at AI-powered threat intelligence firm, Cyble.

The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer.

The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.

Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel's own National Cyber Directorate.

Cyble has observed Handala hackers using Hamsa and Hatef data wipers in its previous campaigns targeted mainly at Israeli entities. [caption id="attachment_110112" align="aligncenter" width="500"] Source: Cyble Research and Intelligence Labs[/caption]

Also read: Iran-linked Threat Group Handala Actively Targets Israel

Void Manticore's attack playbook follows a consistent pattern of Handala too. Initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools like PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records.

The group's prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company.

Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers.

Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children.

[caption id="attachment_110115" align="aligncenter" width="500"] Stryker Cyberattack Claim by Handala (Source: X)[/caption]

Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military.

That contract likely put a target on Stryker's back.

Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker's environment long before anyone noticed.

Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking.

The hacker collective on Wednesday also claimed hacking another Israeli company Verifone, a leading provider of payment solutions and point-of-sale terminals to countries across the globe. However, a spokesperson for the company told The Cyber Express that all such claims are "fake news" and do not hold any substance. “Verifone closely monitors the security and integrity of its systems worldwide. We have observed recent allegations on March 11, 2026 from threat actors claiming an intrusion into our systems in Israel. Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients," the spokesperson said. Updated on March 13, 2026 1:24 AM ET: The article was updated with a statement from Verifone spokesperson confirming no evidence of intrusion and no authenticity in Handala's claims.

Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.

The post Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) appeared first on Unit 42.

In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered.

Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm.

According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France.

Technical analysis

When a developer installs an infected npm package, the setup_bun.js script runs during the preinstall stage, as specified in the modified package.json file.

Bootstrap script

The initial-stage script setup_bun.js is left intentionally unobfuscated and well documented to masquerade as a harmless tool for installing the legitimate Bun JavaScript runtime. It checks common installation paths for Bun and, if the runtime is missing, installs it from an official source in a platform-specific manner. This seemingly routine behavior conceals its true purpose: preparing the execution environment for later stages of the malware.

The installed Bun runtime then executes the second-stage payload, bun_environment.js, a 10MB malware script obfuscated with an obfuscate.io-like tool. This script is responsible for the main malicious activity.

Stealing credentials

Shai Hulud 2.0 is built to harvest secrets from  various environments. Upon execution, it immediately searches several sources for sensitive data, such as:

• GitHub secrets: the malware searches environment variables and the GitHub CLI configuration for values starting with ghp_ or gho_. It also creates a malicious workflow yml in victim repositories, which is then used to obtain GitHub Actions secrets.
• Cloud credentials: the malware searches for cloud credentials across AWS, Azure, and Google Cloud by querying cloud instance metadata services and using official SDKs to enumerate credentials from environment variables and local configuration files.
• Local files: it downloads and runs the TruffleHog tool to aggressively scan the entire filesystem for credentials.

Then all the exfiltrated data is sent through the established communication channel, which we describe in more detail in the next section.

Data exfiltration through GitHub

To exfiltrate the stolen data, the malware sets up a communication channel via a public GitHub repository. For this purpose, it uses  the victim’s GitHub access token if found in environment variables and the GitHub CLI configuration.

After that, the malware creates a repository with a randomly generated 18-character name and a marker in its description. This repository then serves as a data storage to which all stolen credentials and system information are uploaded.

If the token is not found, the script attempts to obtain a previously stolen token from another victim by searching through GitHub repositories for those containing the text, “Sha1-Hulud: The Second Coming.” in the description.

Worm spreading across packages

For subsequent self-replication via embedding into npm packages, the script scans .npmrc configuration files in the home directory and the current directory in an attempt to find an npm registry authorization token.

If this is successful, it validates the token by sending a probe request to the npm /-/whoami API endpoint, after which the script retrieves a list of up to 100 packages maintained by the victim.

For each package, it injects the malicious files setup_bun.js and bun_environment.js via bundleAssets and updates the package configuration by setting setup_bun.js as a pre-installation script and incrementing the package version. The modified package is then published to the npm registry.

Destructive responses to failure

If the malware fails to obtain a valid npm token and is also unable to get a valid GitHub token, making data exfiltration impossible, it triggers a destructive payload that wipes user files, primarily those in the home directory.

Our solutions detect the family described here as HEUR:Worm.Script.Shulud.gen.

Since September of this year, Kaspersky has blocked over 1700 Shai Hulud 2.0 attacks on user machines. Of these, 18.5% affected users in Russia, 10.7% occurred in India, and 9.7% in Brazil.

TOP 10 countries and territories affected by Shai Hulud 2.0 attacks (download)
We continue tracking this malicious activity and provide up-to-date information to our customers via the Kaspersky Open Source Software Threats Data Feed. The feed includes all packages affected by Shai-Hulud, as well as information on other open-source components that exhibit malicious behaviour, contain backdoors, or include undeclared capabilities.