Cybersecurity researchers have identified a new malware family called ZionSiphon that appears built to target Israeli water treatment and desalination systems, with the sample first seen in the wild on June 29, 2025, according to a technical analysis by Darktrace.
KEY FACTS
- Targeting: The malware focuses on specific IPv4 ranges in Israel.
- Capabilities: It includes persistence, USB propagation and industrial control system scanning.
- Sabotage: The code seeks to alter chlorine dose and pressure settings.
- Status: The sample appears unfinished and may not fully satisfy its own targeting checks.
The report says ZionSiphon also carries political messages expressing support for Iran, Palestine and Yemen. It embeds strings linked to Israeli water and desalination infrastructure and activates only when geographic and environment-specific conditions are met.
Once run, the malware scans the local subnet, probes devices and tries protocol-specific communication using Modbus, DNP3 and S7comm. Darktrace said the Modbus path is the most developed, while the other two appear only partially functional.
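The subnet sweep and Modbus write behaviour described above is exactly the kind of activity a defender can spot on the wire. The following is an added detection example, not code from Darktrace or from the malware: it parses Modbus/TCP request frames (the MBAP header plus function code), flags write function codes from hosts outside a constructed engineering allowlist, and flags a single source touching several Modbus servers. All IP addresses, the allowlist and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

# Modbus function codes that change process state; everything else only reads or enumerates.
WRITE_FUNCS = {5: "write_coil", 6: "write_register", 15: "write_coils", 16: "write_registers"}
ENGINEERING_HOSTS = {"10.0.5.5"}  # constructed allowlist of hosts permitted to issue writes

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then function code and PDU fields."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("protocol id or length field does not match frame")
    func = frame[7]
    info = {"tid": tid, "unit": unit, "func": func, "write": func in WRITE_FUNCS}
    if func in (1, 2, 3, 4, 5, 6, 15, 16):  # these PDUs all start with a 16-bit address
        info["addr"] = struct.unpack(">H", frame[8:10])[0]
    return info

def flag_modbus_events(events, scan_threshold=3):
    """events: (src_ip, dst_ip, frame) tuples. Returns alerts for writes from non-engineering
    hosts, for one source reaching scan_threshold distinct servers, and for malformed frames."""
    alerts, servers_seen = [], defaultdict(set)
    for src, dst, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(("malformed", src, dst, str(err)))
            continue
        first_contact = dst not in servers_seen[src]
        servers_seen[src].add(dst)
        if first_contact and len(servers_seen[src]) == scan_threshold:
            alerts.append(("scan", src, f"{scan_threshold} distinct Modbus servers"))
        if req["write"] and src not in ENGINEERING_HOSTS:
            alerts.append(("write", src, dst, WRITE_FUNCS[req["func"]], req["addr"]))
    return alerts

# Constructed sample traffic (not real captures): one host sweeps the subnet, then writes.
SAMPLE_EVENTS = [
    ("10.0.5.23", "10.0.5.10", bytes.fromhex("000100000006010300000001")),  # read holding reg
    ("10.0.5.23", "10.0.5.11", bytes.fromhex("000200000005012b0e0100")),    # read device id
    ("10.0.5.23", "10.0.5.12", bytes.fromhex("000300000006010300000001")),  # third server -> scan
    ("10.0.5.23", "10.0.5.12", bytes.fromhex("000400000006010600280064")),  # write reg 40 := 100
    ("10.0.5.5",  "10.0.5.10", bytes.fromhex("000500000006010600280064")),  # same write, allowed
    ("10.0.5.23", "10.0.5.13", bytes.fromhex("0006000000")),                # truncated frame
]

def run_sample():
    return flag_modbus_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Register 40 here is an arbitrary constructed address; in a real deployment the allowlist and any setpoint register ranges would come from the plant's own PLC documentation.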
The disclosure says the malware can spread through removable media and delete itself on systems that do not match its criteria. It also notes that the sample appears unable to pass its own target-country check even when the reported IP falls inside the listed ranges, suggesting it may be disabled, misconfigured or still under development.
The analysis came after the June 2025 Iran-Israel conflict and points to continued experimentation with politically motivated attacks on industrial systems. Another recent disclosure from Blackpoint Cyber described a Node.js-based reverse tunneling implant called RoadK1ll, while Gen Digital reported a VM-obfuscated backdoor dubbed AngrySpark that operated on a single machine in the U.K. for about a year.
WHY IT MATTERS
The findings show how malware aimed at critical infrastructure can combine persistence, lateral scanning and sabotage logic in one package. Even unfinished code can give defenders useful warning signs about tactics that may later be used against industrial networks.