{"id":643,"date":"2026-04-20T08:48:56","date_gmt":"2026-04-20T08:48:56","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=643"},"modified":"2026-04-20T08:48:56","modified_gmt":"2026-04-20T08:48:56","slug":"researchers-detect-zionsiphon-malware-targeting-israeli-water-desalination-ot-systems","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=643","title":{"rendered":"Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems.<\/p>\n<p>The malware has been codenamed <strong>ZionSiphon<\/strong> by Darktrace, highlighting its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet. 
According to details on VirusTotal, the sample was <a href=\"https:\/\/www.virustotal.com\/gui\/file\/07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f\/details\">first detected<\/a> in the wild on June 29, 2025, right after the Twelve-Day War between Iran and Israel that took place between June 13 and 24.<\/p>\n<p>\u00abThe malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, highlighting growing experimentation with politically motivated critical infrastructure attacks against industrial operational technologies globally,\u00bb the company <a href=\"https:\/\/www.darktrace.com\/blog\/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems\">said<\/a>.<\/p>\n<p>ZionSiphon, currently in an unfinished state, is characterized by its Israel-focused targeting, going after a specific set of IPv4 address ranges that are located within Israel &#8211;<\/p>\n<ul>\n<li>2.52.0[.]0 &#8211; 2.55.255[.]255<\/li>\n<li>79.176.0[.]0 &#8211; 79.191.255[.]255<\/li>\n<li>212.150.0[.]0 &#8211; 212.150.255[.]255<\/li>\n<\/ul>\n<p>Besides encoding political messages that claim support for Iran, Palestine, and Yemen, the malware embeds Israel-linked strings in its target list that correspond to the nation&#8217;s water and desalination infrastructure. 
It also includes checks to ensure that in those specific systems.<\/p>\n<p>\u00abThe intended logic is clear: the payload activates only when both a geographic condition and an environment-specific condition related to desalination or water treatment are met,\u00bb the cybersecurity company said.<\/p>\n<p>Once launched, ZionSiphon identifies and probes devices on the local subnet, attempts protocol-specific communication using Modbus, DNP3, and S7comm protocols, and modifies local configuration files by tampering with parameters associated with chlorine doses and pressure. An analysis of the artifact has found the Modbus-oriented attack path to be the most developed, with the remaining two only including partially functional code, indicating that the malware is still likely in development.<\/p>\n<p>A notable aspect of the malware is its ability to propagate the infection over removable media. On hosts that do not meet the criteria, it initiates a self-destruct sequence to delete itself.<\/p>\n<p>\u00abAlthough the file contains sabotage, scanning, and propagation functions, the current sample appears unable to satisfy its own target-country checking function even when the reported IP falls within the specified ranges,\u00bb Darktrace said. 
\u00abThis behavior suggests that the version is either intentionally disabled, incorrectly configured, or left in an unfinished state.\u00bb<\/p>\n<p>\u00abDespite these limitations, the overall structure of the code likely indicates a threat actor experimenting with multi\u2011protocol OT manipulation, persistence within operational networks, and removable\u2011media propagation techniques reminiscent of earlier ICS\u2011targeting campaigns.\u00bb<\/p>\n<p>The disclosure coincides with the discovery of a Node.js-based implant called <a href=\"https:\/\/blackpointcyber.com\/blog\/roadk1ll-a-websocket-based-pivoting-implant\/\">RoadK1ll<\/a> that&#8217;s designed to maintain reliable access to a compromised network while blending into normal network activity.<\/p>\n<p>\u00abRoadK1ll is a Node.js-based reverse tunneling implant that establishes an outbound WebSocket connection to attacker-controlled infrastructure and uses that connection to broker TCP traffic on demand,\u00bb Blackpoint Cyber said.<\/p>\n<p>\u00abUnlike a traditional remote access trojan, it carries no large command set and requires no inbound listener on the victim host. 
Its sole function is to convert a single compromised machine into a controllable relay point, an access amplifier, through which an operator can pivot to internal systems, services, and network segments that would otherwise be unreachable from outside the perimeter.\u00bb<\/p>\n<p>Last week, Gen Digital also took the wraps off a virtual machine (VM)-obfuscated backdoor that was observed on a single machine in the U.K. and operated for a year between May 2022 and June 2023, before vanishing without any trace when its infrastructure expired. The implant has been dubbed <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/chasing-an-angry-spark\">AngrySpark<\/a>. It&#8217;s currently not known what the end goals of the activity were.<\/p>\n<p>\u00abAngrySpark operates as a three-stage system,\u00bb the company explained. \u00abA DLL masquerading as a Windows component loads via the Task Scheduler, decrypts its configuration from the registry, and injects position-independent shellcode into svchost.exe. 
That shellcode implements a virtual machine.\u00bb<\/p>\n<p>\u00abThe VM processes a 25KB blob of bytecode instructions, decoding and assembling the real payload \u2013 a beacon that profiles the machine, phones home over HTTPS disguised as PNG image requests, and can receive encrypted shellcode for execution.\u00bb<\/p>\n<p>The result is malware capable of establishing stealthy persistence, altering its behavior by switching the blob, and setting up a command-and-control (C2) channel that can fly under the radar.<\/p>\n<p>\u00abAngrySpark is not only modular, it is also careful about how it appears to defenders,\u00bb Gen added. \u00abSeveral design choices look specifically aimed at frustrating clustering, bypassing instrumentation, and limiting the forensic residue left behind. The binary&#8217;s PE metadata has been deliberately altered to confuse toolchain fingerprinting.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems. 
The malware has been codenamed ZionSiphon by&hellip;<\/p>\n","protected":false},"author":1,"featured_media":644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1299,1296,1094,42,605,224,431,1298,1297],"class_list":["post-643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-desalination","tag-detect","tag-israeli","tag-malware","tag-researchers","tag-systems","tag-targeting","tag-water","tag-zionsiphon"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=643"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/643\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/644"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}