Researchers from Darktrace detailed a malware strain dubbed ZionSiphon, highlighting a piece of OT (operational technology)-focused malware designed to target Israeli water treatment and desalination infrastructure. The sample combines common host-based capabilities such as privilege escalation, persistence mechanisms, and removable-media propagation with functionality aimed at identifying and interacting with OT environments. According to Darktrace, the malware actively scans local networks for OT-relevant services and attempts to establish a foothold within industrial systems associated with water operations, reflecting an intent to engage directly with physical process environments rather than traditional IT targets.
The analysis also notes that ZionSiphon includes logic intended to tamper with local configuration files associated with industrial processes, as well as embedded targeting cues focused on water treatment and desalination systems. Darktrace’s researchers observed that the malware’s structure suggests experimentation with ICS interactions, including attempts to affect operational parameters in water processing environments. While the implementation appears incomplete in parts, the codebase indicates a focus on disrupting or manipulating critical infrastructure processes rather than simple reconnaissance or data theft.
“The clearest indicators of intent in this sample are its hardcoded Israel-focused targeting checks and the strong political messaging found in some strings in the malware’s binary,” Darktrace researchers wrote in a blog post last week. “In the class initializer, the malware defines a set of IPv4 ranges, including ‘2.52.0.0-2.55.255.255’, ‘79.176.0.0-79.191.255.255’, and ‘212.150.0.0-212.150.255.255’, indicating that the author intended to restrict execution to a narrow range of addresses. All of the specified IP blocks are geographically located within Israel.”
Darktrace noted that the malware includes a USB-based propagation mechanism. A dedicated function scans connected drives, identifies any that are removable, and copies a hidden version of the malware payload to each one under the name svchost.exe, provided it is not already present. The copied file is assigned Hidden and System attributes to reduce its visibility on the drive.
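A hunting check for the removable-media artefact described above, written here as an added example (it is not Darktrace's code). A legitimate svchost.exe lives under %SystemRoot%\System32, so a copy at a drive root is already worth a look, and the Hidden plus System attribute combination matches the described propagation. On Windows the script reads real attributes via os.stat().st_file_attributes and filters to removable drives with GetDriveTypeW(); on other platforms attributes read as zero, so a root-level svchost.exe is still reported for review. The drive contents in demo() are constructed.

```python
# Added example (not Darktrace's code): hunt for the removable-media artefact
# described above. A legitimate svchost.exe lives in %SystemRoot%\System32, so a
# copy at a drive root is already worth a look; Hidden+System attributes on it
# match the described propagation. Names in demo() are constructed.
import ctypes
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x02   # Windows file attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x04
DRIVE_REMOVABLE = 2            # GetDriveTypeW() result for removable media
SUSPECT_NAME = "svchost.exe"   # file name used by the copy (from the write-up)


def classify_root_entry(name: str, attributes: int) -> str:
    """'suspect' = name matches and Hidden+System set; 'review' = name only; 'ok' otherwise."""
    if name.lower() != SUSPECT_NAME:
        return "ok"
    both = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return "suspect" if attributes & both == both else "review"


def is_removable(root: str) -> bool:
    """True on Windows for removable drives; assumed True elsewhere so the scan still runs."""
    if os.name != "nt":
        return True
    return ctypes.windll.kernel32.GetDriveTypeW(root) == DRIVE_REMOVABLE


def scan_drive_roots(roots, removable_only=True):
    """Return (path, verdict) for every root-level entry that is not 'ok'."""
    findings = []
    for root in roots:
        if removable_only and not is_removable(root):
            continue
        try:
            names = os.listdir(root)
        except OSError:
            continue
        for name in names:
            path = os.path.join(root, name)
            try:
                # st_file_attributes only exists on Windows; elsewhere treat as 0
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
            except OSError:
                continue
            verdict = classify_root_entry(name, attrs)
            if verdict != "ok":
                findings.append((path, verdict))
    return findings


def windows_drive_roots():
    """Enumerate A:\\ .. Z:\\ roots that exist (Windows only; empty list elsewhere)."""
    if os.name != "nt":
        return []
    return [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.exists(f"{c}:\\")]


def demo():
    """Constructed drive root: one harmless file and one svchost.exe copy."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "notes.txt"), "w").close()
        open(os.path.join(root, SUSPECT_NAME), "w").close()
        return [(os.path.basename(p), v) for p, v in scan_drive_roots([root])]


if __name__ == "__main__":
    print(scan_drive_roots(windows_drive_roots()) or demo())
```

Run it on a Windows host with the drives plugged in; the 'suspect' verdict is the one to escalate, while 'review' covers a same-named file that lacks the attribute combination.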
The researchers found that the ideological motivations behind this malware are also seemingly evident in two Base64-encoded strings embedded in the binary. The first decodes to: ‘In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression. I am “0xICS”.’ The second resolves to ‘Poisoning the population of Tel Aviv and Haifa.’
Neither string appears to serve a functional role in the malware’s execution, but both point clearly to ideological signaling embedded within the code. The reference to Dimona is particularly notable. The city is located in the Negev desert and widely associated with the Shimon Peres Negev Nuclear Research Center, suggesting the messaging is intended to evoke sensitive national infrastructure alongside broader geopolitical tensions.
ZionSiphon’s targeting logic points squarely at Israel’s water and desalination infrastructure. The malware includes hardcoded references to entities such as Mekorot and major desalination plants, including Sorek, Hadera, Ashdod, and Palmachim, alongside Shafdan, the country’s central wastewater treatment facility. Together, these strings map directly to critical components of Israel’s national water system, indicating deliberate sector-specific targeting rather than broad geographic reconnaissance.
That focus is reinforced by a second layer of environment checks tailored to water treatment operations. The malware scans for process names tied to reverse osmosis, chlorine dosing, and plant control systems, and searches for directories and configuration files associated with desalination and water treatment software. This dual approach, combining infrastructure-specific keywords with operational process indicators, suggests an effort to identify and engage directly with desalination and wastewater environments at a functional level.
ZionSiphon uses a two-stage filtering mechanism to decide when to activate. The first function, IsTargetCountry(), checks whether the infected system falls within predefined IP address ranges, effectively narrowing execution to specific geographic locations. Only if this condition is met does the malware proceed further.
The second function, IsDamDesalinationPlant(), determines whether the system resembles a relevant OT environment. It does this by scanning for process names, directories, and files associated with desalination and water treatment operations. The combined logic is deliberate: the payload is designed to trigger only when both geographic targeting and environment-specific indicators aligned with water infrastructure are present.
Darktrace detailed that the ZionSiphon sample appears effectively non-functional due to a flaw in its own targeting logic. While it includes routines for sabotage, scanning, and propagation, the IsTargetCountry() check is structurally broken. All configured IP ranges are tied to a decoded string, ‘Nqvbdk,’ but the malware later compares this value against the result of an XOR-based transformation of the string ‘Israel.’ That transformation never produces ‘Nqvbdk,’ meaning the comparison fails every time, even when the system’s IP falls within the intended ranges.
As a result, the malware consistently concludes that no valid target has been identified and does not proceed with activation. The mismatch points to a deeper issue in the implementation: the encoding logic cannot generate the required string under any valid key. This strongly suggests the sample is either deliberately disabled, misconfigured, or left incomplete, rather than a fully operational deployment-ready variant.
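The following is an added analyst check, not code from Darktrace's post, for the mismatch described in the two paragraphs above. The post does not publish the XOR routine, so the script models the two key families an analyst would test first: it computes the key byte each position would need to turn ‘Israel’ into ‘Nqvbdk’, brute-forces every single-byte key, and reports the shortest repeating key that could reproduce that key stream.

```python
# Added example (not Darktrace's code): sanity-check the broken string comparison.
# The post does not publish the XOR routine, so this models the two families an
# analyst tests first: a single-byte key and a short repeating key.

PLAIN = b"Israel"    # input the malware transforms (from the write-up)
TARGET = b"Nqvbdk"   # string the IP ranges are tied to (from the write-up)


def required_key_stream(plain: bytes, target: bytes) -> list:
    """Key byte needed at each position so that plain[i] ^ key[i] == target[i]."""
    if len(plain) != len(target):
        # XOR never changes length, so unequal lengths can never compare equal.
        raise ValueError("length mismatch: no XOR key can map plain to target")
    return [p ^ t for p, t in zip(plain, target)]


def single_byte_xor_keys(plain: bytes, target: bytes) -> list:
    """Every single-byte key that maps plain to target (empty list if none)."""
    return [k for k in range(256) if bytes(p ^ k for p in plain) == target]


def minimal_period(seq: list) -> int:
    """Shortest repeating-key length that reproduces seq (len(seq) if it has no shorter period)."""
    n = len(seq)
    for k in range(1, n):
        if all(seq[i] == seq[i % k] for i in range(n)):
            return k
    return n


def report(plain: bytes = PLAIN, target: bytes = TARGET) -> dict:
    """Summarise what any XOR-based routine would have to produce to pass the check."""
    stream = required_key_stream(plain, target)
    return {
        "key_stream": stream,
        "single_byte_keys": single_byte_xor_keys(plain, target),
        "shortest_repeating_key": minimal_period(stream),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Under the single-byte model no key exists, which is the immediate failure the researchers describe; the key stream the script prints is what any candidate routine would have to emit, so the same check applies once the real transformation and its accepted key lengths are recovered from the binary.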
Once ZionSiphon identifies a valid target, it immediately attempts to tamper with local OT configuration files. The malware scans for a predefined set of files tied to desalination, reverse osmosis, chlorine control, and broader water treatment systems. If it finds any one of these files, it appends a fixed set of parameters and stops further execution.
The injected values are designed to alter operational behavior, forcing elevated chlorine dosing, enabling pumps, maximizing flow, opening valves, and increasing reverse osmosis pressure. Only if none of the targeted files are present does the malware move on to network-based OT discovery, indicating preference for direct, local manipulation of industrial processes.
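Because the tampering step appends parameters to existing files, a hash baseline catches it, and comparing the stored size with the new content also tells a responder whether the change was a pure append and exactly what was added. The integrity check below is an added example, not Darktrace's code; the file names and contents in demo() are constructed, and build_baseline() would be pointed at the real configuration paths in use.

```python
# Added example (not Darktrace's code): hash-baseline integrity check that tells
# an appended tail apart from an in-place edit. File names and contents are
# constructed for the demo; point build_baseline() at real config paths in use.
import hashlib
import os
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(paths):
    """Record size and SHA-256 for each monitored file (store the result off-host)."""
    baseline = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        baseline[p] = {"size": len(data), "sha256": _sha256(data)}
    return baseline


def check_baseline(baseline):
    """One finding per changed file: 'missing', 'appended' (with the tail) or 'modified'."""
    findings = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings.append({"path": path, "status": "missing"})
            continue
        with open(path, "rb") as f:
            data = f.read()
        if _sha256(data) == rec["sha256"]:
            continue
        # Pure append: the original bytes survive as a prefix and new bytes follow.
        if len(data) > rec["size"] and _sha256(data[:rec["size"]]) == rec["sha256"]:
            findings.append({"path": path, "status": "appended",
                             "added": data[rec["size"]:].decode("utf-8", "replace")})
        else:
            findings.append({"path": path, "status": "modified"})
    return findings


def demo():
    """Constructed scenario: one file gets a line appended, one is edited in place."""
    with tempfile.TemporaryDirectory() as tmp:
        ro = os.path.join(tmp, "ro_plant.ini")   # constructed name
        cl = os.path.join(tmp, "dosing.cfg")     # constructed name
        with open(ro, "w") as f:
            f.write("[membrane]\npressure_setpoint=55\n")
        with open(cl, "w") as f:
            f.write("[dosing]\nchlorine_setpoint=2\n")
        baseline = build_baseline([ro, cl])
        with open(ro, "a") as f:                 # simulated append
            f.write("override=1\n")              # constructed marker line
        with open(cl, "w") as f:                 # simulated in-place edit
            f.write("[dosing]\nchlorine_setpoint=9\n")
        return sorted(check_baseline(baseline), key=lambda x: x["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The 'appended' branch recovers the injected tail without storing file contents in the baseline, which keeps the baseline small enough to keep off the monitored host.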
Darktrace identified that the DNP3 and S7comm branches of the malware appear significantly less developed than the Modbus implementation. In the GetCommand() function, the DNP3 path returns the fixed byte sequence 05 64 0A 0C 01 02, while the S7comm path returns 03 00 00 13 0E 00, and neither constitutes a fully formed command for its respective protocol.
The S7comm fragment most closely resembles the beginning of a WriteVar (0x05) parameter block, which is the S7comm equivalent of a Modbus register write. However, a valid S7 WriteVar request requires at least one item and a complete 11-byte variable-specification structure, making the five-byte sequence found in the sample far too short to be functional. The zero item count and trailing bytes appear to be either uninitialized data or the start of an incomplete address field, suggesting the attacker intended to implement S7 WriteVar functionality but left this section unfinished.
The DNP3 fragment tells a similar story. The sequence begins with the correct two-byte DNP3 link-layer sync header (05 64) and includes bytes that resemble the early portion of a link-layer header, but the fragment is too short to form a valid DNP3 frame. It is missing the required destination and source address fields, the 16-bit CRC blocks, and any application-layer payload, meaning it does not represent a meaningful or executable DNP3 command.
Taken together, both fragments contain protocol-accurate prefixes that indicate the attacker understood the basic structure of each protocol and intended to build out multi-protocol OT capabilities. However, for unknown reasons, neither branch was fully implemented before the malware was deployed.
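To reproduce the completeness assessment above from the quoted bytes, here is an added triage script (not Darktrace's code). It applies the published DNP3 link-layer framing rules (10-byte header starting 05 64, CRC-16/DNP over the first eight bytes, a CRC after each block of up to 16 user-data bytes) and the TPKT/COTP carrier rules that S7comm rides on, and lists what a valid unit would still need; the two fragments are the ones quoted in the write-up.

```python
# Added example (not Darktrace's code): completeness triage for the two fragments
# quoted above, using the published DNP3 link-layer and TPKT/COTP framing rules.

DNP3_FRAGMENT = bytes.fromhex("05 64 0A 0C 01 02")   # from the write-up
S7_FRAGMENT = bytes.fromhex("03 00 00 13 0E 00")     # from the write-up


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_dnp3_link_header(length: int, control: int, dest: int, src: int) -> bytes:
    """10-byte link header: 05 64, LEN, CTRL, DEST (LE), SRC (LE), CRC (LE) over the first 8."""
    head = (b"\x05\x64" + bytes([length, control])
            + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    return head + crc16_dnp(head).to_bytes(2, "little")


def check_dnp3_link_frame(frame: bytes) -> dict:
    """Report why a byte sequence is not a complete DNP3 link-layer frame."""
    problems = []
    if frame[:2] != b"\x05\x64":
        problems.append("missing 0x0564 start bytes")
    if len(frame) < 10:
        problems.append(f"link header needs 10 bytes (start, LEN, CTRL, DEST, SRC, CRC); got {len(frame)}")
    else:
        length = frame[2]
        if length < 5:
            problems.append("LEN must be at least 5 (CTRL + DEST + SRC)")
        if int.from_bytes(frame[8:10], "little") != crc16_dnp(frame[:8]):
            problems.append("header CRC mismatch")
        user = max(length - 5, 0)
        # every block of up to 16 user-data bytes carries its own 2-byte CRC
        needed = 10 + user + 2 * ((user + 15) // 16)
        if len(frame) < needed:
            problems.append(f"LEN={length} implies {needed} bytes in total; got {len(frame)}")
    return {"protocol": "DNP3", "complete": not problems, "problems": problems}


def check_tpkt_cotp(unit: bytes) -> dict:
    """S7comm is carried in TPKT (RFC 1006) + a COTP data TPDU; check those carriers first."""
    problems = []
    if len(unit) < 4:
        problems.append(f"TPKT header needs 4 bytes; got {len(unit)}")
        return {"protocol": "S7comm/TPKT", "complete": False, "problems": problems}
    if unit[0] != 0x03:
        problems.append("TPKT version byte must be 0x03")
    declared = int.from_bytes(unit[2:4], "big")
    if len(unit) < declared:
        problems.append(f"TPKT declares {declared} bytes; only {len(unit)} present")
    if unit[4:7] != b"\x02\xf0\x80":
        problems.append("no COTP data TPDU (02 F0 80) follows the TPKT header")
    return {"protocol": "S7comm/TPKT", "complete": not problems, "problems": problems}


if __name__ == "__main__":
    print(check_dnp3_link_frame(DNP3_FRAGMENT))
    print(check_tpkt_cotp(S7_FRAGMENT))
```

For the DNP3 fragment the script stops at the header length (six bytes where ten are needed); for the S7comm fragment it reports that the TPKT header promises 19 bytes of which only six are present and that no COTP data TPDU follows, which is why neither sequence could reach a controller as a usable request.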
The post detailed that while many of ZionSiphon’s individual capabilities align with patterns commonly found in commodity malware, “the combination of politically motivated messaging, Israel‑specific IP targeting, and an explicit focus on desalination‑related processes distinguishes it from purely opportunistic threats. The inclusion of Modbus sabotage logic, filesystem tampering targeting chlorine and pressure control, and subnet‑wide ICS scanning demonstrates a clear intent to interact directly with industrial process controllers and to cause significant damage and potential harm, rather than merely disrupt IT endpoints.”
At the same time, it added that numerous implementation flaws, most notably the dysfunctional country‑validation logic and the placeholder DNP3 and S7comm components, suggest that the analyzed version is either a development build, a prematurely deployed sample, or intentionally defanged for testing purposes. Despite these limitations, the overall structure of the code likely indicates a threat actor experimenting with multi‑protocol OT manipulation, persistence within operational networks, and removable‑media propagation techniques reminiscent of earlier ICS‑targeting campaigns.
“Even in its unfinished state, ZionSiphon underscores a growing trend in which threat actors are increasingly experimenting with OT‑oriented malware and applying it to the targeting of critical infrastructure,” Darktrace researchers pointed out. “Continued monitoring, rapid anomaly detection, and cross‑visibility between IT and OT environments remain essential for identifying early‑stage threats like this before they evolve into operationally viable attacks.”
Earlier this month, Darktrace found that China-linked cyber activity is increasingly long-term and strategic, prioritizing persistence over short campaigns. About 88 percent of observed intrusions target critical infrastructure, signaling a focus on economic leverage and national resilience rather than one-off data theft.
