
Cybersecurity researchers have flagged new malware called ZionSiphon that appears to be specifically designed to target water treatment and desalination systems in Israel.
Darktrace, which assigned the codename ZionSiphon, highlights the malware's ability to establish persistence, modify local configuration files, and scan for operational technology (OT)-related services on local subnets. According to VirusTotal, the sample was first seen in the wild on June 29, 2025, shortly after the 12-day war between Iran and Israel (June 13 to 24).
“This malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure control, highlighting the growing number of politically motivated critical infrastructure attack experiments against industrial operational technologies around the world,” the company said.
ZionSiphon, which is still unfinished, contains Israel-focused targeting logic that checks whether the host falls within a specific set of IPv4 address ranges in Israel: 2.52.0[.]0 to 2.55.255[.]255, 79.176.0[.]0 to 79.191.255[.]255, and 212.150.0[.]0 to 212.150.255[.]255.
In addition to encrypting political messages that claim support for Iran, Palestine, and Yemen, the malware embeds Israel-related strings in its target list that correspond to the country's water and desalination infrastructure, and it includes checks to verify that it is running on those specific systems.
“The intended logic is clear: the payload will only activate if both geographic conditions and environment-specific conditions related to desalination or water treatment are met,” the cybersecurity firm said.
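The geographic gate described above is a useful thing for a defender to reproduce: an operator of a water or desalination plant can check whether the organisation's egress addresses fall inside the published ranges. The following is an added example, not code from the article or from Darktrace; it parses the defanged ranges exactly as printed in the article and converts them to CIDR networks with Python's standard `ipaddress` module.

```python
import ipaddress

# The three targeted ranges as published in the article, in defanged "[.]" notation.
DEFANGED_RANGES = [
    "2.52.0[.]0~2.55.255[.]255",
    "79.176.0[.]0~79.191.255[.]255",
    "212.150.0[.]0~212.150.255[.]255",
]


def refang(text: str) -> str:
    """Turn defanged IoC notation ("[.]") back into a parseable dotted quad."""
    return text.replace("[.]", ".")


def ranges_to_networks(ranges):
    """Convert "start~end" address ranges into the minimal list of CIDR networks."""
    networks = []
    for entry in ranges:
        start, end = (refang(part.strip()) for part in entry.split("~"))
        networks.extend(
            ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)
            )
        )
    return networks


TARGET_NETWORKS = ranges_to_networks(DEFANGED_RANGES)


def in_target_range(ip: str) -> bool:
    """True if the given (possibly defanged) IPv4 address lies in any published range."""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in net for net in TARGET_NETWORKS)


if __name__ == "__main__":
    for net in TARGET_NETWORKS:
        print("targeted network:", net)
    # Constructed sample addresses, not values from the article.
    for sample in ("2.53.10.20", "79.191.255.255", "2.56.0.1", "8.8.8.8"):
        print(sample, "->", in_target_range(sample))
```

Each published range collapses to a single CIDR block (2.52.0.0/14, 79.176.0.0/12 and 212.150.0.0/16), which is the form most firewalls and SIEM watchlists accept.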
Once launched, ZionSiphon identifies and interrogates devices on the local subnet, attempts protocol-specific communication using the Modbus, DNP3, and S7comm protocols, and modifies local configuration files by tampering with parameters related to chlorine dosage and pressure. Analysis of the artifacts reveals that the Modbus-oriented attack path is the most developed, while the other two contain only partially functional code, indicating that the malware is likely still in development.
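Because the Modbus path is the most complete, a practical detection is to watch Modbus/TCP traffic on the OT segment for write requests that do not come from an authorised engineering station. The following is an added example written for this article, not code from Darktrace or from the malware: it parses the MBAP header and function code of a Modbus/TCP request and flags write function codes from unexpected sources. The packet samples, the register address 40 and the allow-list of engineering stations are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change PLC state (public Modbus application protocol spec).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # starting address for read/write requests
    value: Optional[int]     # value for single-write requests, else None


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    # The length field counts everything after itself: unit id + function code + data.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    address = value = None
    if fc in (0x03, 0x04, 0x0F, 0x10) and len(data) >= 2:
        address = struct.unpack(">H", data[:2])[0]
    elif fc in (0x05, 0x06) and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])
    return ModbusRequest(tid, unit, fc, address, value)


def flag_unauthorized_writes(packets, authorized_sources):
    """Return (src_ip, function name, address, value) for each write from a non-allow-listed host."""
    alerts = []
    for src_ip, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed or non-Modbus payload; log separately in production
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in authorized_sources:
            alerts.append((src_ip, WRITE_FUNCTION_CODES[req.function_code], req.address, req.value))
    return alerts


def _mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame around a PDU (used only to construct the samples below)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (hypothetical addresses; register 40 stands in for a setpoint).
AUTHORIZED_WRITERS = {"10.0.1.5"}            # hypothetical engineering workstation
SAMPLE_PACKETS = [
    ("10.0.1.5",  _mbap(1, 1, b"\x06" + struct.pack(">HH", 40, 100))),   # authorised write
    ("10.0.1.77", _mbap(2, 1, b"\x03" + struct.pack(">HH", 0, 10))),     # read: no alert
    ("10.0.1.77", _mbap(3, 1, b"\x06" + struct.pack(">HH", 40, 100))),   # unauthorised write
]

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_PACKETS, AUTHORIZED_WRITERS):
        print("ALERT: unauthorised Modbus write", alert)
```

In a real deployment the allow-list would come from the plant's asset inventory, and the same check belongs on the PLC's own access-control list, since reading setpoints from the network after the fact is a detection, not a prevention.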
A notable feature of this malware is its ability to propagate via removable media. On hosts that do not meet the targeting criteria, it initiates a self-destruct sequence and removes itself.
“Although the files contain sabotage, scanning, and propagation capabilities, the current sample does not appear to be able to satisfy its own target country checking capabilities, even if the reported IP is within the specified range,” Darktrace said. “This behavior suggests that the version has been intentionally disabled, misconfigured, or left in an unfinished state.”
“Despite these limitations, the overall structure of the code may indicate that the attackers are experimenting with multiprotocol OT operations, persistence within operational networks, and removable media propagation techniques reminiscent of previous campaigns targeting ICS.”
This disclosure coincided with the discovery of a Node.js-based implant called RoadK1ll, designed to blend in with normal network activity while maintaining reliable access to compromised networks.
“RoadK1ll is a Node.js-based reverse tunneling implant that establishes an outbound WebSocket connection to attacker-controlled infrastructure and uses that connection to mediate TCP traffic on demand,” Blackpoint Cyber said.
“Unlike traditional remote access Trojans, it does not have an extensive command set and does not require an inbound listener on the victim host. Its sole function is to transform a single compromised machine into a controllable relay point, or access amplifier, through which operators can pivot to internal systems, services, and network segments that are unreachable from outside the perimeter.”
Last week, Gen Digital also uncovered an obfuscated backdoor, dubbed AngrySpark, that is built around a custom virtual machine (VM). It was observed on a single machine in the U.K., operated for approximately one year, and disappeared without a trace when its infrastructure expired. The ultimate goal of the activity remains unclear.
“AngrySpark operates as a three-tier system,” the company explained. “A DLL disguised as a Windows component is loaded via Task Scheduler, decrypts its configuration from the registry, and injects position-independent shellcode into svchost.exe. That shellcode implements the virtual machine.”
“The VM processes chunks of 25KB bytecode instructions and decodes and assembles the actual payload. It is a beacon that profiles the machine and can make calls over HTTPS disguised as PNG image requests and receive encrypted shellcode for execution.”
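A beacon that disguises HTTPS requests as PNG image fetches relies on nobody checking whether the bodies are actually PNG files. One cheap defender check at a TLS-inspecting proxy or in a response-capture pipeline is to validate the PNG structure (signature, IHDR first, per-chunk CRC, IEND last) of anything declared as `image/png`. The following is an added example written for this article, not code from Gen Digital or from AngrySpark; the minimal PNG and the bogus body are constructed inline so the check can be exercised offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as a known-good sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def validate_png(body: bytes):
    """Walk the chunk list; return (is_valid, reason)."""
    if not body.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(body):
            return False, f"chunk {ctype!r} runs past end of body"
        data = body[pos + 8:end]
        crc = struct.unpack(">I", body[end:end + 4])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return False, f"bad CRC on chunk {ctype!r}"
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        pos = end + 4
        if ctype == b"IEND":
            if pos != len(body):
                return False, "trailing data after IEND"
            return True, "ok"
    return False, "no IEND chunk"


def classify_response(content_type: str, body: bytes) -> str:
    """Compare the declared Content-Type with what the body really is."""
    declared = content_type.split(";")[0].strip().lower()
    if declared != "image/png":
        return "not-png-declared"
    ok, reason = validate_png(body)
    return "ok" if ok else f"png-mismatch: {reason}"


if __name__ == "__main__":
    # Constructed bodies: a real PNG and an opaque blob behind a copied signature.
    print(classify_response("image/png", make_minimal_png()))
    print(classify_response("image/png; charset=binary", PNG_SIGNATURE + b"\x00" * 40))
    print(classify_response("image/png", b"definitely not an image"))
```

A body that merely copies the eight-byte signature still fails, because the chunk CRCs and the IHDR/IEND framing cannot be faked without actually producing a PNG; a stream that passes this check but carries an unusually large IDAT or private ancillary chunks is the next thing worth inspecting.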
As a result, the malware can establish stealth persistence, change its behavior by switching blobs, and set up a command-and-control (C2) channel that allows it to fly under the radar.
“AngrySpark is not only modular, but we also pay attention to how it looks to the defender,” Gen added. “Several design choices appear to be specifically aimed at limiting stressful clustering, instrumentation bypass, and forensic residue left behind. Binary PE metadata has been intentionally modified to confuse toolchain fingerprinting.”
