Cybersecurity researchers have identified a previously undocumented malware strain, dubbed ZionSiphon, that appears purpose‑built to target Israeli water treatment and desalination infrastructure, raising concerns about the growing sophistication and intent of politically motivated attacks against operational technology (OT) environments.
The malware was named ZionSiphon by researchers at Darktrace. It is able to establish persistence, manipulate local system configuration, and actively search for OT‑specific services within the networks it lands on. VirusTotal metadata indicates that the sample was first submitted on June 29, 2025, shortly after the conclusion of the Twelve‑Day War between Iran and Israel (June 13 to June 24), a timing that has drawn attention from analysts.
According to Darktrace, ZionSiphon blends several capabilities, including privilege escalation, persistent access mechanisms, removable‑media propagation, and industrial control system (ICS) reconnaissance. The malware also contains functions consistent with sabotage, specifically targeting chlorine dosing and pressure regulation, two parameters critical to safe water treatment operations.
“The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls,” Darktrace said, “highlighting increased experimentation with ideologically driven attacks against industrial operational technologies.”
Targeted Geographic and Sectoral Scope
Although the malware appears to be under development and not fully operational, its targeting logic is highly specific. ZionSiphon includes hard‑coded checks for Israel‑based IPv4 address ranges, so that activation is limited to hosts whose reported address falls within predetermined ranges (CIDR equivalents added for reference):
- 2.52.0.0 – 2.55.255.255 (2.52.0.0/14)
- 79.176.0.0 – 79.191.255.255 (79.176.0.0/12)
- 212.150.0.0 – 212.150.255.255 (212.150.0.0/16)
In addition to geographic filtering, the malware embeds strings associated with Israel’s water and desalination infrastructure, further narrowing its activation scope. Political messaging embedded in the sample references support for Iran, Palestine, and Yemen, reinforcing the assessment that ideological motivation played a role in its design.
“The intended activation logic is explicit,” Darktrace noted. “The payload is engineered to execute only when both a geographic condition and an environment‑specific condition linked to water treatment or desalination systems are satisfied.”
OT‑Focused Capabilities and Development State
Once executed on a qualifying system, ZionSiphon initiates local network discovery and probing, scanning the subnet for industrial devices and attempting protocol‑specific communication over Modbus, DNP3, and S7comm, protocols commonly used in OT and ICS environments.
The malware also tampers with local configuration files, manipulating parameters related to chlorine dosing and pressure levels, actions that could undermine water safety or disrupt operations if carried out in a live environment.
Analysis of the code suggests that the Modbus‑based attack path is the most mature and complete. By contrast, the DNP3 and S7comm components contain only partially implemented logic, indicating that ZionSiphon is still experimental or in development rather than a fully weaponized tool.
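Because the Modbus path is the mature one, the defensive question a water utility's SOC would ask is whether it can see a write to a dosing or pressure setpoint coming from a host that should never write. The following is an added example for this article, not Darktrace's code and not derived from the ZionSiphon sample: a minimal Modbus/TCP parser (MBAP header plus PDU) that flags write function codes from any source outside an engineering‑station allowlist. The allowlist (10.0.10.5), the unit id, the register map (40 = chlorine dose setpoint, 41 = pressure setpoint) and the traffic samples are all constructed assumptions; a real deployment would take the map from the PLC's tag database and the frames from a network tap.

```python
"""Flag Modbus/TCP write requests to dosing and pressure setpoints.

Added example for this article; not Darktrace's code and not from the
ZionSiphon sample. Allowlist, unit id, register map and sample traffic are
constructed assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change process state (values from the public Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumption: only the engineering workstation is permitted to write to the PLC.
ENGINEERING_STATIONS = {"10.0.10.5"}

# Assumption: holding registers of a hypothetical dosing PLC (not from the sample).
WATCHED_REGISTERS = {40: "chlorine dose setpoint", 41: "pressure setpoint"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # first register/coil addressed
    quantity: int     # registers/coils the request touches


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU; raise ValueError on anything malformed."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header and a 5-byte PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    address, third = struct.unpack(">HH", pdu[1:5])
    if fc in (0x05, 0x06):
        quantity = 1                      # single write: 'third' is the value
    elif fc in (0x03, 0x0F, 0x10):
        quantity = third                  # read / multi-write: 'third' is the count
    else:
        quantity = 0
    return ModbusRequest(tid, unit, fc, address, quantity)


def check_request(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert line for a write from a non-engineering host, else None."""
    req = parse_modbus_tcp(frame)
    if req.function not in WRITE_FUNCTIONS:
        return None                                  # reads are normal polling
    if src_ip in ENGINEERING_STATIONS:
        return None                                  # authorised writer
    touched = range(req.address, req.address + req.quantity)
    names = [WATCHED_REGISTERS[r] for r in touched if r in WATCHED_REGISTERS]
    target = ", ".join(names) if names else f"address {req.address}"
    return (f"ALERT {src_ip} -> unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
            f"(fc 0x{req.function:02X}) to {target}")


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header; used only to construct the sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source IP, frame).
SAMPLES = [
    # HMI polling two holding registers from 40: normal.
    ("10.0.10.5", build_frame(1, 1, b"\x03" + struct.pack(">HH", 40, 2))),
    # Unknown host zeroes the chlorine dose setpoint.
    ("10.0.10.77", build_frame(2, 1, b"\x06" + struct.pack(">HH", 40, 0))),
    # Engineering station raises the pressure setpoint: authorised.
    ("10.0.10.5", build_frame(3, 1, b"\x06" + struct.pack(">HH", 41, 350))),
    # Unknown host overwrites both setpoints in one request.
    ("10.0.10.77", build_frame(4, 1, b"\x10" + struct.pack(">HHBHH", 40, 2, 4, 0, 0))),
]


def run(samples=SAMPLES) -> list[str]:
    """Evaluate every sample and return the alert lines that fired."""
    return [alert for alert in (check_request(ip, f) for ip, f in samples) if alert]


if __name__ == "__main__":
    for line in run():
        print(line)
```

Two caveats apply to any rule of this shape. Modbus carries no authentication, so the source address is the only identity signal available and a host that has already compromised the engineering station (or spoofs its address on a flat OT segment) will pass the allowlist; the rule catches the lateral, opportunistic writes described above, not a fully positioned attacker. And the register map is everything: without knowing which addresses hold setpoints, the alert degrades to "someone wrote to address 40", which is still worth seeing but much harder to triage.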
Propagation and Self‑Protection Features
One particularly noteworthy feature is ZionSiphon’s ability to propagate via removable media such as USB drives, a tactic historically associated with high‑profile ICS threats. This capability allows the malware to reach isolated or air‑gapped environments where direct internet access is restricted.
If the malware determines that a host does not meet its targeting criteria, it runs a self‑destruct routine that removes it from the system, limiting detection and collateral exposure.
“Although the sample contains code for sabotage, scanning, and propagation, it currently appears unable to satisfy its own country‑verification logic even when the reported IP address falls within the defined ranges,” Darktrace said. “This behavior suggests the malware is unfinished, misconfigured, or intentionally disabled at this stage.”
Despite those limitations, researchers caution that the overall structure shows a threat actor actively experimenting with multi‑protocol OT manipulation, operational persistence within industrial networks, and removable‑media‑based propagation, recalling techniques seen in earlier ICS‑targeting campaigns.
Related Developments
The disclosure of ZionSiphon coincides with the identification of several other advanced implants, underscoring a broader trend toward stealthy access and long‑term persistence.
One such tool, RoadK1ll, is a Node.js‑based reverse tunneling implant designed to maintain reliable access to compromised environments while blending into normal network traffic. According to Blackpoint Cyber, RoadK1ll establishes an outbound WebSocket connection to attacker‑controlled infrastructure and uses it to broker TCP connections on demand.
“Unlike traditional remote access trojans, RoadK1ll exposes no inbound listener and implements no extensive command framework,” Blackpoint said. “Its sole purpose is to transform a compromised system into a controllable relay, allowing attackers to pivot deeper into internal networks that would otherwise be inaccessible.”
Separately, Gen Digital recently detailed a highly stealthy backdoor dubbed AngrySpark, observed on a single system in the U.K. between May 2022 and June 2023. The malware disappeared entirely once its supporting infrastructure expired, leaving no apparent forensic trace.
AngrySpark operates as a three‑stage infection chain, beginning with a malicious DLL masquerading as a legitimate Windows component. The DLL is loaded via the Task Scheduler, decrypts configuration data stored in the Windows registry, and injects position‑independent shellcode into svchost.exe. That shellcode then implements a virtual machine capable of interpreting custom bytecode.
The VM decodes a 25‑kilobyte instruction blob, assembling the final payload, a beacon that profiles the host, communicates over HTTPS using requests disguised as PNG image fetches, and can receive encrypted shellcode for execution.
The design results in a backdoor that supports covert persistence, dynamic behavioral changes, and low‑visibility command‑and‑control communications.
“AngrySpark is both modular and deliberately evasive,” Gen Digital said. “Its architecture appears tailored to frustrate clustering, bypass instrumentation, and minimize forensic artifacts. The executable’s metadata has been intentionally manipulated to hinder toolchain fingerprinting.”
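Traffic that is dressed up as image requests is a common beaconing disguise, and the cheapest check a proxy or network sensor can apply is structural: does a body served as image/png actually parse as a PNG? The following is an added example for this article, not Gen Digital's code and not derived from the AngrySpark sample. It walks the PNG chunk list (signature, IHDR first with its fixed 13‑byte length, every chunk CRC, nothing after IEND) and reports why a body fails; the sample responses are constructed, including a valid 1x1 image built in the block itself.

```python
"""Check whether HTTP bodies served as image/png are structurally real PNGs.

Added example for this article; not Gen Digital's code and not derived from
the AngrySpark sample. All sample responses below are constructed.
"""
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_structure_problem(body: bytes) -> Optional[str]:
    """Return a reason the body is not a well-formed PNG, or None if it is."""
    if not body.startswith(PNG_SIGNATURE):
        return "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        data_end = pos + 8 + length
        if data_end + 4 > len(body):
            return f"chunk {ctype!r} runs past end of body"
        stored_crc = struct.unpack(">I", body[data_end:data_end + 4])[0]
        # CRC covers chunk type + data, not the length field.
        if (zlib.crc32(body[pos + 4:data_end]) & 0xFFFFFFFF) != stored_crc:
            return f"bad CRC on chunk {ctype!r}"
        if first:
            if ctype != b"IHDR" or length != 13:
                return "first chunk is not a 13-byte IHDR"
            first = False
        if ctype == b"IEND":
            trailing = len(body) - (data_end + 4)
            return f"{trailing} bytes after IEND" if trailing else None
        pos = data_end + 4
    return "no IEND chunk"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Smallest useful PNG: 1x1 8-bit grayscale with one compressed scanline."""
    # width, height, bit depth, colour type, compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed responses: (label, Content-Type, body).
SAMPLE_RESPONSES = [
    ("real-image", "image/png", make_png_1x1()),
    # An opaque blob with only the 8-byte signature pasted in front of it.
    ("blob-behind-png-header", "image/png", PNG_SIGNATURE + bytes(range(0xA0, 0xC0))),
    # A genuine image with a payload appended after IEND.
    ("payload-after-iend", "image/png", make_png_1x1() + bytes(64)),
    # Something that is not an image at all but labelled as one.
    ("tls-record-as-png", "image/png", b"\x16\x03\x01" + bytes(20)),
    ("json-api", "application/json", b'{"ok": true}'),
]


def triage(responses=SAMPLE_RESPONSES) -> list[tuple[str, str]]:
    """Return (label, reason) for every image/png body that fails the checks."""
    findings = []
    for label, ctype, body in responses:
        if ctype != "image/png":
            continue
        problem = png_structure_problem(body)
        if problem:
            findings.append((label, problem))
    return findings


if __name__ == "__main__":
    for label, reason in triage():
        print(f"{label}: {reason}")
```

This catches lazy masquerading only. A beacon that goes to the trouble of emitting fully valid PNGs and hiding its data inside IDAT, or inside ancillary chunks such as tEXt, passes every check here; for that case the useful signals are behavioural rather than structural, such as a fixed-size "image" fetched on a regular interval by a process that has no business rendering images, which is what the svchost.exe injection described above is designed to blend away.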
