Cybersecurity analysts have uncovered a new strain of malware, known as ZionSiphon, which has been engineered specifically to infiltrate Israeli water treatment and desalination facilities. The malware, identified by cybersecurity firm Darktrace, is designed to establish persistence, alter local configuration files, and survey local networks for services related to operational technology (OT). According to VirusTotal, the malware was first identified in the wild on June 29, 2025, shortly after the Twelve-Day War between Iran and Israel, which occurred from June 13 to 24.
Key Features and Functionality
ZionSiphon is equipped with capabilities such as privilege escalation, persistence, USB spread, and scanning of industrial control systems (ICS), along with sabotage features aimed at manipulating chlorine levels and pressure controls. These capabilities indicate an increase in politically motivated cyberattacks on industrial operational technologies globally. Although still in development, ZionSiphon targets specific Israeli IPv4 address ranges, emphasizing its regional focus.
Besides embedding political messages supporting Iran, Palestine, and Yemen, the malware includes Israeli-specific strings in its target list that correspond to the country’s water and desalination infrastructure. The malware activates only under certain conditions, specifically when both a geographical and an environment-specific condition related to water treatment is met.
Operational Details and Propagation
Once activated, ZionSiphon scans and interacts with devices on the local network, attempting protocol-specific communication using Modbus, DNP3, and S7comm protocols. It alters configuration files involving chlorine dosing and pressure management. The Modbus-oriented attack path is the most advanced, while other pathways remain partially developed, suggesting ongoing development of the malware.
A significant feature of ZionSiphon is its ability to spread through removable media. If the malware cannot fulfill its targeting criteria, it triggers a self-destruct sequence to erase itself. Despite its unfinished state, the malware’s structure suggests an actor experimenting with multi-protocol OT manipulation and removable-media propagation, reminiscent of previous ICS-targeting campaigns.
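The survey behaviour described above, a single host probing several OT protocols across many neighbours, is something a network defender can look for in flow or connection logs. The following is an added example written for this page, not code from Darktrace or from the original report: it parses a constructed connection log and flags sources that contact more than one ICS protocol or reach many ICS peers. The port numbers (502 for Modbus/TCP, 20000 for DNP3, 102 for S7comm over ISO-TSAP) are the standard assignments and are not taken from the article; the log format, thresholds and sample addresses are assumptions chosen for illustration.

```python
"""Flag hosts whose ICS traffic pattern looks like a multi-protocol OT survey.

Added example for this page; not the report's or Darktrace's code.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Standard TCP ports for the three protocols the report names. These are the
# well-known port assignments, not values taken from the article.
ICS_PORTS: Dict[int, str] = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm"}


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample in a minimal "ts src dst dport proto" format; not real
# telemetry. 10.0.5.23 plays the surveying host, 10.0.5.10 a normal HMI that
# polls one PLC, 10.0.5.40 an engineering station touching two PLCs.
SAMPLE_CONN_LOG = """\
1751200001 10.0.5.23 10.0.5.1 502 tcp
1751200002 10.0.5.23 10.0.5.2 502 tcp
1751200002 10.0.5.23 10.0.5.3 502 tcp
1751200003 10.0.5.23 10.0.5.4 502 tcp
1751200003 10.0.5.23 10.0.5.5 502 tcp
1751200004 10.0.5.23 10.0.5.2 20000 tcp
1751200005 10.0.5.23 10.0.5.3 102 tcp
1751200005 10.0.5.23 10.0.5.6 102 tcp
1751200005 10.0.5.23 10.0.5.6 102 tcp
1751200010 10.0.5.10 10.0.5.50 502 tcp
1751200011 10.0.5.10 10.0.5.50 502 tcp
1751200012 10.0.5.10 10.0.5.50 502 tcp
1751200013 10.0.5.30 93.184.216.34 443 tcp
1751200014 10.0.5.40 10.0.5.50 502 tcp
1751200015 10.0.5.40 10.0.5.51 502 tcp
"""


def parse_conn_log(text: str) -> List[Flow]:
    """Parse the constructed log format; malformed lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append(Flow(int(ts), src, dst, int(dport), proto))
        except ValueError:
            continue
    return flows


def ics_activity(flows: List[Flow]) -> Dict[str, Dict[str, Set[str]]]:
    """Per source host: each ICS protocol contacted and the set of peers reached on it."""
    activity: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        name = ICS_PORTS.get(f.dport)
        if name is None or f.proto != "tcp":
            continue
        activity[f.src][name].add(f.dst)
    return activity


def flag_ot_surveyors(flows: List[Flow], min_protocols: int = 2, min_peers: int = 4) -> List[dict]:
    """Flag hosts that speak several ICS protocols or reach many ICS peers.

    A legitimate HMI normally talks one protocol to a fixed, small set of PLCs,
    so either condition is worth an analyst's attention. Thresholds are
    illustrative assumptions and should be tuned to the site's baseline.
    """
    findings = []
    for src, by_proto in sorted(ics_activity(flows).items()):
        peers: Set[str] = set().union(*by_proto.values())
        if len(by_proto) >= min_protocols or len(peers) >= min_peers:
            findings.append({"src": src, "protocols": sorted(by_proto), "peer_count": len(peers)})
    return findings


if __name__ == "__main__":
    for finding in flag_ot_surveyors(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

Deduplicating peers per protocol keeps a chatty but legitimate poller (many flows to one PLC) below the threshold, while a host that touches the Modbus, DNP3 and S7comm ports of different neighbours within minutes stands out even when each individual connection is short.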
Connection to Other Cyber Threats
The revelation of ZionSiphon coincides with the discovery of a Node.js-based implant named RoadK1ll, which facilitates sustained access to compromised networks while blending into normal network activity. RoadK1ll functions as a reverse tunneling implant that uses WebSocket connections to manage TCP traffic, converting compromised machines into relay points for broader network access.
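A reverse tunnel that carries TCP traffic inside WebSocket sessions tends to leave a recognisable shape in web-proxy logs: a successful protocol upgrade (HTTP 101) that stays open for hours and moves substantial data in both directions, unlike the short, download-heavy sessions of ordinary browsing. The following is an added example for this page, not code from the RoadK1ll report: it scores constructed proxy records against that profile. The log layout, the destination allowlist, the thresholds and the addresses are all assumptions made for illustration.

```python
"""Flag long-lived, bidirectionally busy WebSocket sessions in proxy logs.

Added example for this page; not the report's code. The log format and
thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class ProxyEvent(NamedTuple):
    ts: int
    src: str
    dst_host: str
    status: int
    duration_s: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client
    upgrade: str     # Upgrade header value, or "-" when absent


# Constructed proxy log: "ts src dst_host status duration_s bytes_out bytes_in upgrade".
# 10.0.8.22 holds two day-long, symmetric WebSocket sessions to one address;
# 10.0.8.14 uses a sanctioned chat service; 10.0.8.31 opens a brief socket.
SAMPLE_PROXY_LOG = """\
1751300000 10.0.8.14 chat.example-saas.com 101 3400 120000 90000 websocket
1751300005 10.0.8.14 cdn.example.com 200 2 1500 240000 -
1751300010 10.0.8.22 203.0.113.77 101 86400 52000000 48000000 websocket
1751300020 10.0.8.22 203.0.113.77 101 79000 41000000 39000000 websocket
1751300030 10.0.8.31 api.example.com 200 1 800 5200 -
1751300040 10.0.8.31 203.0.113.77 101 30 2000 1500 websocket
"""

# Hypothetical list of destinations where long WebSocket sessions are expected.
KNOWN_WEBSOCKET_SERVICES: Set[str] = {"chat.example-saas.com"}


def parse_proxy_log(text: str) -> List[ProxyEvent]:
    """Parse the constructed format; lines with the wrong field count are skipped."""
    events: List[ProxyEvent] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        try:
            events.append(ProxyEvent(int(parts[0]), parts[1], parts[2], int(parts[3]),
                                     int(parts[4]), int(parts[5]), int(parts[6]), parts[7]))
        except ValueError:
            continue
    return events


def is_tunnel_like(ev: ProxyEvent, min_duration_s: int, min_bytes_each_way: int) -> bool:
    """A completed upgrade that lives long and carries real volume both ways."""
    return (ev.status == 101 and ev.upgrade.lower() == "websocket"
            and ev.duration_s >= min_duration_s
            and min(ev.bytes_out, ev.bytes_in) >= min_bytes_each_way)


def flag_websocket_tunnels(events: List[ProxyEvent], allowlist: Set[str],
                           min_duration_s: int = 3600,
                           min_bytes_each_way: int = 1_000_000) -> List[dict]:
    """Group tunnel-like sessions by (source, destination) and report each pair once."""
    grouped: Dict[Tuple[str, str], List[ProxyEvent]] = defaultdict(list)
    for ev in events:
        if ev.dst_host in allowlist:
            continue
        if is_tunnel_like(ev, min_duration_s, min_bytes_each_way):
            grouped[(ev.src, ev.dst_host)].append(ev)
    return [
        {"src": src, "dst_host": dst, "sessions": len(evs),
         "bytes_out": sum(e.bytes_out for e in evs),
         "bytes_in": sum(e.bytes_in for e in evs)}
        for (src, dst), evs in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for finding in flag_websocket_tunnels(parse_proxy_log(SAMPLE_PROXY_LOG), KNOWN_WEBSOCKET_SERVICES):
        print(finding)
```

The symmetric-volume condition is what separates a relay from a normal push channel: a chat or notification socket is mostly server-to-client, whereas traffic being proxied through a compromised host flows in both directions in comparable amounts. The allowlist keeps sanctioned long-lived services out of the queue so that the remaining hits are worth an analyst's time.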
Additionally, Gen Digital recently disclosed a virtual machine (VM)-obfuscated backdoor, named AngrySpark, observed operating on a single machine in the UK for a year before disappearing. AngrySpark operates as a three-stage system: a DLL loads shellcode into svchost.exe, and that shellcode interprets bytecode instructions to assemble the real payload. This sophisticated malware establishes stealthy persistence and sets up a command-and-control channel, eluding detection.
These developments highlight the evolving landscape of cybersecurity threats targeting critical infrastructure, emphasizing the need for robust defenses and continuous monitoring to safeguard against such attacks.
