Ethical Hacking News
Malicious actors have created a new malware family, ZionSiphon, that targets water treatment and desalination systems in Israel. The sample combines commodity techniques (privilege escalation, registry persistence, spreading via removable media) with logic tailored to operational technology (OT) environments: it scans networks for OT services, modifies configurations, and restricts itself to Israeli targets using hardcoded IP ranges, with the apparent aim of altering pressure and chlorine levels to disrupt operations. Despite these capabilities, its targeting logic is broken: an encoded-value comparison never matches because the encryption function produces a different result than the stored constant expects, so the check fails even on valid targets and the payload never fires. When the check fails, a self-destruct routine removes the registry persistence and deletes the binary, which suggests the sample is unfinished, misconfigured, or intentionally disabled. Darktrace's analysis nonetheless found clear indicators of intent, including hardcoded Israel-focused targeting checks and strong political messaging in the binary's strings. ZionSiphon is an example of the growing trend of OT-oriented malware aimed at critical infrastructure, underscoring the need for continued monitoring and cross-visibility between IT and OT environments.
A newly reported malware family, ZionSiphon, is designed to target water treatment and desalination systems; its sabotage logic is built to alter pressure and chlorine levels in order to disrupt operations.
According to recent reports, the malware combines common techniques such as privilege escalation, persistence, and spreading via removable media with logic tailored to operational technology environments. ZionSiphon scans networks for OT services, modifies configurations, and focuses on Israeli targets using hardcoded IP ranges. Its code also contains political messages, suggesting ideological motives.
The malware first checks whether it is running with administrative rights; if not, it relaunches itself through PowerShell, requesting elevation. Once running elevated, it installs persistence by copying itself to a hidden path under the name “svchost.exe” and adding a registry autorun key, so that the process name blends in with normal system activity. The genuine svchost.exe lives only in the Windows system directories and is started by the Service Control Manager, not from a Run key, so a “svchost.exe” launched from any other path by an autorun entry is a masquerading indicator worth alerting on. It then checks whether the system matches its target profile: it verifies the host’s IP address against specific ranges and looks for processes, files, and directories associated with water treatment or desalination systems.
If the system does not match, it deletes itself and cleans up its traces. The malware also includes a removable-media propagation routine: it enumerates drives, selects those reported as removable, and copies the hidden payload to each one as “svchost.exe” if it is not already present. The copy is marked with the Hidden and System attributes to reduce visibility; Explorer suppresses such files by default (the “Hide protected operating system files” setting), but “dir /a” or “attrib” on the drive still lists them.
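The persistence and propagation behaviour described above reduces to one hunting rule: a file named like a protected Windows binary being launched from outside the system directories. The following is an added example, not code from the article or from the Darktrace report. It applies that rule to constructed Run-key entries; the Temp-directory drop path, the value names and the argument strings are assumptions for illustration, not indicators from the real sample.

```python
"""Hunt for svchost.exe masquerading in Run-key autorun entries.

Added example, not code from the original article or the Darktrace report.
The Run-key entries below are constructed sample data; the drop path under
the user's Temp directory is an assumption for illustration, not the path
used by the real sample.
"""
import re
from pathlib import PureWindowsPath

# Windows binaries that legitimately live only under the system directories.
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)
# Variables often seen unexpanded in autorun values (assumes %SystemRoot% is C:\Windows).
ENV_VARS = re.compile(r"%(SystemRoot|windir)%", re.IGNORECASE)

# Constructed sample of HKCU\...\CurrentVersion\Run values: value name -> command line.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    # masquerade: correct file name, hidden non-system directory (assumed path)
    "WindowsUpdate": r'"C:\Users\alice\AppData\Local\Temp\.cache\svchost.exe"',
    # masquerade: unquoted, with arguments copied from the genuine service host
    "Svc Host": r"C:\ProgramData\svchost.exe -k netsvcs",
}


def extract_image_path(command: str) -> PureWindowsPath:
    """Return the executable a Run-key command line launches.

    Handles "quoted path" args and unquoted path args; in the unquoted
    form the image is taken to end at the first .exe token.
    """
    command = ENV_VARS.sub(lambda _: r"C:\Windows", command.strip())
    if command.startswith('"'):
        return PureWindowsPath(command[1:command.find('"', 1)])
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else command.split()[0])


def is_masquerading(command: str) -> bool:
    """True when a protected system binary name runs from a non-system directory.

    PureWindowsPath compares case-insensitively, so C:\\WINDOWS\\system32 matches.
    """
    image = extract_image_path(command)
    return image.name.lower() in PROTECTED_NAMES and image.parent not in SYSTEM_DIRS


def find_masquerading_autoruns(entries: dict) -> list:
    """Names of the autorun values that launch a masquerading binary, sorted."""
    return sorted(name for name, cmd in entries.items() if is_masquerading(cmd))


if __name__ == "__main__":
    for name in find_masquerading_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autorun: {name} -> {SAMPLE_RUN_ENTRIES[name]}")
```

On a live host the input would come from the Run keys themselves (for example the values returned by “reg query” or Get-ItemProperty under HKCU and HKLM ...\CurrentVersion\Run). The rule is path-based so that it generalizes to other protected names; note that the genuine svchost.exe is never launched from a Run key at all, so its mere presence in an autorun entry deserves a look even when the path happens to be System32.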
Recent reports note that although ZionSiphon carries sabotage and scanning features, it fails in its own targeting logic. To verify that a system belongs to the targeted country, it compares a hardcoded encoded value against one it computes at runtime, but the encryption function it uses produces a different result from the stored constant. Because of this mismatch the comparison always fails, even on genuine targets, so the payload is never activated.
When the target check fails, the malware triggers a self-destruct routine: it removes its registry persistence, writes a log message explaining the mismatch, and drops a script that repeatedly tries to delete the malware binary before removing itself. This suggests the sample is unfinished, misconfigured, or intentionally disabled. Even so, the log message and the deletion script are forensic artifacts on any host the sample touched, so responders should not treat a non-firing payload as a non-event.
Darktrace analyzed ZionSiphon and published a report detailing the malware’s capabilities and limitations.
“The clearest indicators of intent in this sample are its hardcoded Israel-focused targeting checks and the strong political messaging found in some strings in the malware’s binary,” reads the report published by Darktrace. “In the class initializer, the malware defines a set of IPv4 ranges, including ‘2.52.0.0-2.55.255.255’, ‘79.176.0.0-79.191.255.255’, and ‘212.150.0.0-212.150.255.255’, indicating that the author intended to restrict execution to a narrow range of addresses. All of the specified IP blocks are geographically located within Israel.”
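The two-stage target gate described above, as an added example that is not code from the Darktrace report or from the sample: the first stage reproduces the three Israel-located IPv4 ranges quoted from the report with the standard ipaddress module; the second stage is a hypothetical reconstruction of the encoded-value comparison, using an assumed single-byte XOR encoding, an assumed marker string and two assumed keys, to show why a constant pre-computed with one routine never equals a value the runtime computes with another, and how an analyst confirms such a mismatch by recomputing the constant instead of trusting the control flow.

```python
"""Reproduce the Israel-focused IPv4 range check and the always-failing
encoded-value comparison described in the analysis.

Added example, not code from the Darktrace report or from the sample. The
three ranges are the ones quoted from the report; the XOR encoding, the
marker string and the two differing keys are assumptions used only to
illustrate how a pre-computed constant and a runtime encoder can disagree.
"""
import ipaddress

# IPv4 ranges quoted from the Darktrace report (all geolocated to Israel).
TARGET_RANGES = [
    "2.52.0.0-2.55.255.255",
    "79.176.0.0-79.191.255.255",
    "212.150.0.0-212.150.255.255",
]


def parse_range(spec: str) -> list:
    """Turn 'a.b.c.d-w.x.y.z' into the list of CIDR networks covering it."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


TARGET_NETWORKS = [net for spec in TARGET_RANGES for net in parse_range(spec)]


def in_target_range(ip: str) -> bool:
    """First gate, as the author intended it: is the host inside the listed blocks?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in TARGET_NETWORKS)


# --- Second gate: the broken encoded-value comparison (assumed reconstruction) ---
STORED_KEY = 0x5A    # assumed key used when the constant was pre-computed
RUNTIME_KEY = 0xA5   # assumed key compiled into the runtime check
MARKER = "IL"        # assumed country marker; the real value is not public


def encode(value: str, key: int) -> bytes:
    """Assumed single-byte XOR 'encryption' standing in for the sample's routine."""
    return bytes(b ^ key for b in value.encode())


STORED_CONSTANT = encode(MARKER, STORED_KEY)


def country_check(marker: str) -> bool:
    """Runtime comparison as the sample behaves: never true, because the keys differ."""
    return encode(marker, RUNTIME_KEY) == STORED_CONSTANT


def should_activate(ip: str, marker: str) -> bool:
    """Both gates must pass; the second never does, so the payload never fires."""
    return in_target_range(ip) and country_check(marker)


def recover_mismatch(stored: bytes, marker: str):
    """Analyst-side check: which single-byte key reproduces the stored constant?

    Returns the key or None. A recovered key that differs from RUNTIME_KEY is
    the proof that the constant and the runtime encoder were built separately.
    """
    for key in range(256):
        if encode(marker, key) == stored:
            return key
    return None


if __name__ == "__main__":
    for ip in ("2.53.10.1", "8.8.8.8"):
        print(ip, "in range:", in_target_range(ip), "activates:", should_activate(ip, MARKER))
    print("key reproducing stored constant:", hex(recover_mismatch(STORED_CONSTANT, MARKER)),
          "runtime key:", hex(RUNTIME_KEY))
```

The ranges collapse to exactly three prefixes (2.52.0.0/14, 79.176.0.0/12 and 212.150.0.0/16), which is the compact form to put in a detection or geofencing rule. The recovery loop is deliberately small because the encoding is an assumption; the general lesson holds for any scheme: when a sample's check can never succeed, recompute the stored constant with the candidate routine and compare, rather than inferring intent from the branch that never executes.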
ZionSiphon includes Base64-encoded strings revealing clear political messaging, supporting groups opposing Israel and referencing harm to cities like Tel Aviv and Haifa. These messages highlight ideological motives.
The malware pairs those hardcoded IP ranges with references to key Israeli water facilities and desalination plants, and checks for processes and files linked to water treatment systems, indicating a focused intent to disrupt Israel’s water sector.
Overall, the report presents ZionSiphon as an example of a growing trend in which threat actors experiment with OT-oriented malware and aim it at critical infrastructure. The authors emphasize continued monitoring, rapid anomaly detection, and cross-visibility between IT and OT environments as the means of identifying early-stage threats like this one before they evolve into operationally viable attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Malware-Alert-ZionSiphon-Targets-Israeli-Water-Systems-with-Sabotage-and-Scanning-Capabilities-ehn.shtml
https://securityaffairs.com/190922/malware/inside-zionsiphon-politically-driven-malware-aims-at-israeli-water-systems.html
https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems
https://blog.rankiteo.com/atl1776414222-israels-critical-water-infrastructure-cyber-attack-april-2026/
https://www.fortinet.com/resources/cyberglossary/fileless-malware
https://www.fortra.com/resources/knowledge-base/what-fileless-malware-or-non-malware-attack-definition-and-best-practices-fileless-malware
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://docs.rapid7.com/insightidr/apt-groups/
Published: Fri Apr 17 06:20:27 2026 by llama3.2 3B Q4_K_M