Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems
ZionSiphon: New Malware Targeting Israeli Water and Desalination Infrastructure
TL;DR
Researchers have identified ZionSiphon, a specialized malware designed to sabotage Israeli water treatment and desalination systems. Though currently in an unfinished state, the malware features sophisticated capabilities including ICS scanning, USB propagation, and the ability to tamper with chlorine and pressure controls.
Overview
Cybersecurity researchers from Darktrace have detected a new strain of malware, codenamed ZionSiphon, specifically engineered to target critical infrastructure in Israel. The discovery follows the "Twelve-Day War" between Iran and Israel (June 13–24, 2025), with initial samples appearing on VirusTotal shortly after the conflict on June 29, 2025.
The malware represents a growing trend of politically motivated experimentation with industrial operational technology (OT) and Industrial Control Systems (ICS).
Geographic and Environment Targeting
ZionSiphon is characterized by highly granular targeting. The payload is designed to activate only when two specific conditions are met:
- Geographic Targeting: The malware checks for specific Israeli IPv4 address ranges:
  - 2.52.0[.]0 - 2.55.255[.]255
  - 79.176.0[.]0 - 79.191.255[.]255
  - 212.150.0[.]0 - 212.150.255[.]255
- Environment Targeting: The malware scans for environment-specific strings and configurations related to water treatment and desalination infrastructure.
If these criteria are not met, the malware is programmed to initiate a self-destruct sequence to delete itself and minimize the risk of detection.
Technical Capabilities and Sabotage
ZionSiphon combines several advanced modules to achieve its goals within an OT environment:
- OT/ICS Scanning: Once active, it probes the local subnet for devices using industrial protocols, specifically Modbus, DNP3, and S7comm.
- Protocol Sabotage: The malware attempts to modify local configuration files. Specifically, researchers found logic aimed at tampering with chlorine doses and pressure controls.
- Propagation and Persistence: It includes modules for privilege escalation, persistence mechanisms, and the ability to spread via removable media (USB propagation).
- Political Messaging: The code contains embedded political messages expressing support for Iran, Palestine, and Yemen.
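The subnet probing described above leaves a recognisable footprint in flow or firewall logs: one source touching many distinct neighbours on the ICS ports. The following detection rule is an added example written for this summary, not code from Darktrace's report or from the malware; it assumes flow records in (timestamp, src_ip, dst_ip, dst_port) form and maps ports to protocols using the well-known TCP ports of Modbus, DNP3 and S7comm.

```python
"""Flag a host sweeping the local subnet for ICS protocol ports (Modbus,
DNP3, S7comm), the scan behaviour attributed to ZionSiphon above."""
from collections import defaultdict

# Well-known TCP ports of the three protocols named in the report.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm (ISO-TSAP)"}

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port); these
# are made-up sample data, not telemetry from any real incident.
SAMPLE_FLOWS = [
    (0, "10.20.5.17", "10.20.5.1", 502),     # one host probing many
    (1, "10.20.5.17", "10.20.5.2", 502),     # neighbours on ICS ports
    (1, "10.20.5.17", "10.20.5.3", 102),
    (2, "10.20.5.17", "10.20.5.4", 20000),
    (3, "10.20.5.17", "10.20.5.5", 502),
    (4, "10.20.5.17", "10.20.5.6", 102),
    (0, "10.20.5.50", "10.20.5.9", 502),     # HMI polling a single PLC:
    (5, "10.20.5.50", "10.20.5.9", 502),     # many flows, one destination
    (1, "10.20.5.60", "10.20.5.70", 443),    # unrelated web traffic
]

def detect_ics_sweep(flows, window_s=60, min_targets=5):
    """Return {src_ip: {"targets": n, "protocols": [...]}} for every source
    that reached at least `min_targets` distinct destinations on ICS ports
    inside some `window_s`-second window. Counting distinct destinations,
    not flows, keeps a legitimate HMI polling one PLC from alerting."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ICS_PORTS:
            per_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window_s]
            targets = {dst for _, dst, _ in in_win}
            if len(targets) >= min_targets:
                protos = sorted({ICS_PORTS[p] for _, _, p in in_win})
                alerts[src] = {"targets": len(targets), "protocols": protos}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_ics_sweep(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {info['targets']} ICS hosts via {', '.join(info['protocols'])}")
```

Tune `window_s` and `min_targets` to the site's normal polling pattern; an engineering workstation that legitimately enumerates devices will also trip the rule and should be allow-listed by source address.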
Current State of Development
Despite its sophisticated design, Darktrace researchers noted that ZionSiphon appears to be in an unfinished or experimental state.
While the Modbus-oriented attack path is relatively developed, the code for DNP3 and S7comm is only partially functional. Furthermore, current samples appear unable to satisfy their own geographic target-checking functions even when within the correct IP ranges, suggesting the version found may be incorrectly configured or an early-stage prototype.
Broader Threat Landscape: RoadK1ll and AngrySpark
The disclosure of ZionSiphon coincides with the detection of other sophisticated implants:
- RoadK1ll: Identified by Blackpoint Cyber, this is a Node.js-based reverse tunneling implant. It establishes outbound WebSocket connections to act as a "controllable relay point," allowing attackers to pivot to internal network segments without needing an inbound listener.
- AngrySpark: Reported by Gen Digital, this is a VM-obfuscated backdoor found in the U.K. It uses a three-stage system, including a virtual machine that processes bytecode instructions to assemble a payload. It hides its command-and-control (C2) traffic as HTTPS PNG image requests to bypass security monitoring.
Conclusion
ZionSiphon serves as a stark reminder of the increasing focus threat actors are placing on critical infrastructure. While the current samples may be unfinished, the malware's architecture demonstrates a clear intent to manipulate multi-protocol OT environments and cause physical sabotage to national water supplies. As geopolitical tensions continue to manifest in cyberspace, the protection of desalination and water treatment facilities remains a high priority for industrial security teams.
Source: The Hacker News