
Researchers Identify ZionSiphon Malware Targeting Israel’s Water, Desalination Systems

Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israel’s water treatment and desalination systems.

The malware, codenamed ZionSiphon by Darktrace, is notable for its ability to establish persistence, modify local configuration files, and scan for operational technology (OT) services on the local subnet. According to VirusTotal data, the sample was first detected in the wild on June 29, 2025, shortly after the Twelve-Day War between Iran and Israel, which took place between June 13 and 24.

“The malware includes privilege escalation, persistence, USB distribution, and ICS scanning with destructive capabilities aimed at chlorine and pressure control, highlighting the growing scrutiny of politically motivated infrastructure attacks against industrial operating technologies around the world,” the company said.

ZionSiphon, currently in an unfinished state, is characterized by its focus on Israel, targeting a specific set of IPv4 address ranges assigned to Israel –

  • 2.52.0[.]0 – 2.55.255[.]255
  • 79.176.0[.]0 – 79.191.255[.]255
  • 212.150.0[.]0 – 212.150.255[.]255
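The three ranges above are the malware's country check, and they are also the first thing a defender wants in a watchlist: which of the organisation's public egress addresses fall inside them. The following is an added example, not code from Darktrace or from the malware, that parses the defanged "start – end" notation used in the article into CIDR blocks and tests addresses against them; the sample addresses tested are constructed.

```python
import ipaddress

# The three ranges quoted in the article, kept in the defanged "[.]" notation
# used there so the list can be pasted straight from a report.
ZIONSIPHON_TARGET_RANGES = [
    "2.52.0[.]0 – 2.55.255[.]255",
    "79.176.0[.]0 – 79.191.255[.]255",
    "212.150.0[.]0 – 212.150.255[.]255",
]


def refang(text: str) -> str:
    """Turn a defanged indicator such as '2.52.0[.]0' back into a real address string."""
    return text.replace("[.]", ".")


def parse_ranges(ranges):
    """Parse inclusive 'start – end' lines (en dash or hyphen) into CIDR networks.

    ipaddress.summarize_address_range expands each inclusive range into the
    minimal list of CIDR blocks, which is the form firewall and SIEM lists want.
    """
    networks = []
    for line in ranges:
        normalised = refang(line).replace("–", "-").replace("—", "-")
        start_s, end_s = [part.strip() for part in normalised.split("-")]
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        networks.extend(ipaddress.summarize_address_range(start, end))
    return networks


TARGET_NETWORKS = parse_ranges(ZIONSIPHON_TARGET_RANGES)


def to_cidr_list():
    """CIDR strings for export into a blocklist or watchlist."""
    return [str(net) for net in TARGET_NETWORKS]


def in_target_range(ip: str):
    """Return the CIDR block the address falls in, or None if it is outside all of them."""
    addr = ipaddress.ip_address(refang(ip))
    for net in TARGET_NETWORKS:
        if addr in net:
            return str(net)
    return None


def matching_hosts(observed_ips):
    """Map each observed address that falls inside a target range to that range.

    Intended input: the organisation's known public egress addresses (constructed here).
    """
    return {ip: net for ip in observed_ips if (net := in_target_range(ip)) is not None}


if __name__ == "__main__":
    print(to_cidr_list())
    # Constructed sample egress addresses, not real infrastructure.
    print(matching_hosts(["79.180.1.1", "8.8.8.8", "212.150.7.7"]))
```

The check is only meaningful for the host's public address, which matches how the article describes the malware's condition; an internal RFC 1918 address will never match.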

Besides carrying political messages that express support for Iran, Palestine, and Yemen, the malware's target list references Israel along with the country's water and desalination infrastructure. It also checks that certain programs are present on the host.

“The intended concept is clear: the payload only works when both the local condition and the location-specific condition related to desalination or water purification are met,” the cybersecurity company said.

Once launched, ZionSiphon identifies and probes devices on the local subnet, attempts direct communication with them using the Modbus, DNP3, and S7comm protocols, and modifies local configuration files by manipulating parameters related to chlorine dosing and pressure. Artifact analysis found that the attack path built on Modbus is the most advanced, while the remaining two rely on slower-running code, suggesting that the malware may still be refined.
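A host that suddenly touches many neighbours on the Modbus, DNP3 and S7comm ports is the network-visible side of the probing described above. The following is an added example, not Darktrace's detection logic, that runs a simple sweep detector over a constructed Zeek conn.log-style sample: it flags any source that reaches a threshold number of distinct local hosts on those OT ports inside a time window. The port-to-protocol mapping uses the protocols' well-known TCP ports; the subnet, threshold and window are assumptions to tune per site.

```python
from collections import defaultdict
import ipaddress

# Well-known TCP ports of the three protocols named in the article.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm (ISO-TSAP)"}

# Constructed sample connection log (tab-separated: ts, src_ip, dst_ip, dst_port, proto).
# 10.20.30.15 sweeps six neighbours on OT ports; .40 and .41 are ordinary traffic.
SAMPLE_CONN_LOG = """\
1751200001.1\t10.20.30.15\t10.20.30.2\t502\ttcp
1751200001.2\t10.20.30.15\t10.20.30.3\t502\ttcp
1751200001.3\t10.20.30.15\t10.20.30.4\t502\ttcp
1751200001.4\t10.20.30.15\t10.20.30.5\t20000\ttcp
1751200001.5\t10.20.30.15\t10.20.30.6\t102\ttcp
1751200001.6\t10.20.30.15\t10.20.30.7\t102\ttcp
1751200002.0\t10.20.30.40\t10.20.30.2\t502\ttcp
1751200003.0\t10.20.30.41\t10.20.30.99\t443\ttcp
"""


def parse_conn_log(text):
    """Yield one dict per record, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        yield {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect_ot_sweeps(records, local_subnet, min_targets=3, window_seconds=60):
    """Flag sources that reach >= min_targets distinct local hosts on OT ports within a window.

    Returns {src_ip: {"targets": [...], "protocols": [...]}} for each flagged source.
    """
    subnet = ipaddress.ip_network(local_subnet)
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] != "tcp" or r["dport"] not in OT_PORTS:
            continue
        if ipaddress.ip_address(r["dst"]) not in subnet:
            continue
        per_src[r["src"]].append(r)

    alerts = {}
    for src, events in per_src.items():
        events.sort(key=lambda r: r["ts"])
        # Sliding window anchored at each event: count distinct destinations inside it.
        for i, first in enumerate(events):
            window = [e for e in events[i:] if e["ts"] - first["ts"] <= window_seconds]
            targets = {e["dst"] for e in window}
            if len(targets) >= min_targets:
                alerts[src] = {
                    "targets": sorted(targets, key=ipaddress.ip_address),
                    "protocols": sorted({OT_PORTS[e["dport"]] for e in window}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_ot_sweeps(parse_conn_log(SAMPLE_CONN_LOG), "10.20.30.0/24").items():
        print(src, info)
```

A legitimate HMI or engineering workstation also polls many controllers, so in practice the detector should exempt an allowlist of known pollers and alert on new sources only; the value of the rule is that an infected office host reaching into the OT subnet is exactly such a new source.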

A notable feature of the malware is its ability to spread via removable media. On hosts that do not meet its targeting criteria, it triggers a self-destruct routine to remove itself.

“Although the file contains destruction, scanning, and distribution functions, the current sample seems unable to satisfy its task of checking the target country even when the reported IP falls within the specified range,” said Darktrace. “This behavior suggests that the version has been intentionally disabled, not properly configured, or left in an unfinished state.”

“Despite these limitations, the overall structure of the code likely reflects a threat actor attempting multi-protocol OT manipulation, persistence within operational networks, and removable media broadcast methods reminiscent of previous ICS targeting campaigns.”

The disclosure coincides with the discovery of a Node.js-based implant called RoadK1ll, designed to maintain reliable access to a compromised network while blending in with normal network activity.

“RoadK1ll is a Node.js-based reverse tunneling implant that establishes an outgoing WebSocket connection to attacker-controlled infrastructure and exploits that connection for merchant TCP traffic when needed,” Blackpoint Cyber said.

“Unlike a traditional remote access trojan, it does not carry a large command set and does not require an eavesdropper on the victim’s host. Its only function is to turn a single vulnerable machine into a controllable relay, an access amplifier, where the operator can navigate to internal systems, services, and network components that would otherwise be inaccessible without a circuit.”

Last week, Gen Digital also detailed a virtual machine (VM)-obfuscated backdoor that was spotted on a single machine in the UK and operated for a year before disappearing without a trace when its infrastructure expired. The implant is named AngrySpark. The circumstances of its termination are not yet known.

“AngrySpark works as a three-tiered system,” the company explains. “The Windows component DLL loads through the Task Scheduler, removes its encryption from the registry, and injects standalone shellcode into svchost.exe. That shellcode runs the virtual machine.”

“The VM processes a 25KB bridge of bytecode instructions, decodes and compiles the actual payload – device profile beacon, phones home via HTTPS disguised as PNG image requests, and can find encrypted shellcode for execution.”

The result is malware that can establish stealthy persistence, change its behavior by swapping out the bytecode blob, and set up a command-and-control (C2) channel that can fly under the radar.
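The "PNG image requests" detail is the one a defender can act on without knowing anything else about the implant: a response that is labelled as a PNG but does not start with a PNG header is worth a look. The following is an added example, not Gen Digital's detection logic, that checks decrypted or proxied HTTP responses for that inconsistency using the PNG file signature and the mandatory leading IHDR chunk; the response records and URLs are constructed samples, not indicators from the report.

```python
import zlib
from urllib.parse import urlparse

# Fixed 8-byte PNG file signature, followed in every valid file by the IHDR chunk.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_minimal_png_prefix() -> bytes:
    """Construct the header of a genuine 1x1 RGBA PNG (signature + IHDR chunk) for the sample."""
    ihdr_data = b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00"
    crc = zlib.crc32(b"IHDR" + ihdr_data).to_bytes(4, "big")
    return PNG_SIGNATURE + len(ihdr_data).to_bytes(4, "big") + b"IHDR" + ihdr_data + crc


def png_header_problem(body: bytes):
    """Return None if the body starts like a real PNG, otherwise a short reason."""
    if not body.startswith(PNG_SIGNATURE):
        return "missing PNG signature"
    # The first chunk after the signature must be IHDR with a 13-byte payload.
    if body[8:16] != b"\x00\x00\x00\x0dIHDR":
        return "first chunk is not IHDR"
    return None


def claims_png(url: str, content_type: str) -> bool:
    """True if either the Content-Type header or the URL path presents the response as PNG."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "image/png" or urlparse(url).path.lower().endswith(".png")


def find_fake_png_responses(responses):
    """Return (url, reason) for every response that claims to be PNG but is not one."""
    findings = []
    for r in responses:
        if not claims_png(r["url"], r["content_type"]):
            continue
        problem = png_header_problem(r["body"])
        if problem:
            findings.append((r["url"], problem))
    return findings


# Constructed sample responses; hostnames and bodies are invented for the demo.
SAMPLE_RESPONSES = [
    {"url": "https://cdn.example.test/assets/logo.png", "content_type": "image/png",
     "body": build_minimal_png_prefix() + b"\x00" * 40},
    {"url": "https://cdn.example.test/img/tile.png", "content_type": "image/png; charset=binary",
     "body": b"\x13\x37" + b"\xa5" * 60},
    {"url": "https://cdn.example.test/img/a.png", "content_type": "image/png",
     "body": PNG_SIGNATURE + b"\x00\x00\x00\x10" + b"tEXt" + b"\x00" * 20},
    {"url": "https://cdn.example.test/api/data", "content_type": "application/json",
     "body": b"{}"},
]


if __name__ == "__main__":
    for url, reason in find_fake_png_responses(SAMPLE_RESPONSES):
        print(f"{url}: {reason}")
```

The check needs the response body, so it belongs at a TLS-inspecting proxy or in a sandbox's captured traffic; on its own it is a triage signal, since a broken CDN object trips it too, but paired with a periodic request cadence from a single host it points straight at the beacon behaviour the article describes.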

“AngrySpark is not only modular, it’s also meticulous about how it looks to defenders,” said Gen. “Many of the design choices appear to be specifically aimed at frustrating integration, bypassing hardware, and limiting the science behind. The PE binary metadata has been intentionally changed to obfuscate the toolchain’s fingerprint.”
