A politically motivated malware strain purpose-built to sabotage Israeli water treatment and desalination infrastructure, representing one of the most explicitly targeted OT-focused threats disclosed in 2026.
Published on April 16, 2026, an analysis exposes a hybrid cyber-physical threat that fuses conventional Windows persistence techniques with industrial control system (ICS) sabotage logic, Modbus protocol manipulation, and subnet-wide OT reconnaissance, all hardcoded to fire exclusively within Israeli IP space.
While the current build contains a critical implementation flaw that prevents full execution, its architecture signals a dangerous evolutionary step in targeting critical infrastructure.
ZionSiphon Malware
ZionSiphon is a .NET-based malware sample that self-identifies through a function literally named ZionSiphon(); it was analyzed by Darktrace's threat research team in April 2026.
Unlike commodity stealers or ransomware, ZionSiphon was not built for financial gain; it was engineered to cause physical harm by manipulating chlorine dosing systems, reverse osmosis controllers, and water pressure settings at Israel’s national desalination plants.
The malware’s binary contains two Base64-encoded propaganda strings that leave no ambiguity about its ideological motivation. The first decodes to: “In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression. I am ‘0xICS’.”
The second references the city of Dimona and decodes to: “Poisoning the population of Tel Aviv and Haifa.” The threat actor identifier 0xICS suggests a person with deliberate focus on industrial control systems.
Israel-Specific Targeting Logic
ZionSiphon’s targeting is surgical. The malware hardcodes three Israeli IPv4 ranges (2.52.0.0–2.55.255.255, 79.176.0.0–79.191.255.255, and 212.150.0.0–212.150.255.255), stored Base64-obfuscated in the binary, to restrict execution exclusively to hosts geolocated within Israel.
The IsTargetCountry() function numerically converts the local IPv4 address and compares it against these blocks before any payload logic executes.
A second targeting layer, IsDamDesalinationPlant(), checks whether the infected host belongs to a water OT environment. The function compares running process names against a list of 18 strings tied directly to desalination and reverse osmosis operations, including DesalPLC, ROController, SchneiderRO, ChlorineCtrl, WaterPLC, and SalinityCtrl.
The target string list also includes named references to Mekorot (Israel’s national water company), Sorek, Hadera, Ashdod, and Palmachim, four of Israel’s five largest seawater desalination plants, as well as Shafdan, the country’s central wastewater reclamation facility.
Core Malware Capabilities
Privilege Escalation and Stealth Persistence
Upon execution, ZionSiphon calls IsElevated() to verify administrative rights against the local Windows Administrators group. If unprivileged, it spawns powershell.exe with Start-Process -Verb RunAs to self-elevate.
For persistence, the s1() routine copies the binary to %LocalAppData%\svchost.exe, marks it as hidden, and registers a Run key named SystemHealthCheck under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, disguising the payload beneath a legitimate Windows process name to evade cursory inspection.
OT Configuration File Tampering
If both targeting conditions are met, ZionSiphon’s first destructive action is IncreaseChlorineLevel(), which scans for ICS configuration files, including C:\DesalConfig.ini, C:\ROConfig.ini, C:\ChlorineControl.dat, and C:\SalinityControl.ini.
Upon finding any match, it appends hardcoded entries (Chlorine_Dose=10, Chlorine_Pump=ON, Chlorine_Flow=MAX, Chlorine_Valve=OPEN, and RO_Pressure=80), values chosen to spike chlorine concentration and membrane pressure to dangerous levels in an active water treatment system. Because the entries are appended rather than edited in place, the original keys remain in the file with the new values after them; duplicated dosing keys at the end of a configuration file are therefore a strong tampering indicator.
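The file-integrity check a plant operator would want for exactly this behaviour, as an added example that is not part of the Darktrace analysis or the malware: it baselines each watched configuration file by SHA-256 and by parsed key/value pairs, then reports added keys, changed values, and duplicated keys after the sample's append. The file contents and the set of critical keys are constructed for the demo; real plant configurations and key names will differ.

```python
import hashlib
import os
import tempfile

# Keys whose modification warrants an immediate alert. These are the names the
# article reports the sample appends; a real deployment would use the plant's own.
CRITICAL_KEYS = {"Chlorine_Dose", "Chlorine_Pump", "Chlorine_Flow",
                 "Chlorine_Valve", "RO_Pressure"}


def parse_kv(text):
    """Return key -> list of values in file order, so a duplicate key (an
    appended override) is visible rather than silently collapsed."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        kv.setdefault(key.strip(), []).append(value.strip())
    return kv


def snapshot(path):
    with open(path, "rb") as fh:
        data = fh.read()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "keys": parse_kv(data.decode("utf-8", "replace"))}


def take_baseline(paths):
    """Snapshot every watched file that exists; missing paths are skipped."""
    return {p: snapshot(p) for p in paths if os.path.exists(p)}


def check_integrity(baseline):
    findings = []
    for path, base in baseline.items():
        if not os.path.exists(path):
            findings.append({"path": path, "status": "missing"})
            continue
        now = snapshot(path)
        if now["sha256"] == base["sha256"]:
            continue
        added = {k: v for k, v in now["keys"].items() if k not in base["keys"]}
        changed = {k: (base["keys"][k], now["keys"][k]) for k in now["keys"]
                   if k in base["keys"] and now["keys"][k] != base["keys"][k]}
        duplicated = sorted(k for k, v in now["keys"].items() if len(v) > 1)
        critical = sorted((set(added) | set(changed)) & CRITICAL_KEYS)
        findings.append({"path": path, "status": "modified", "added": added,
                         "changed": changed, "duplicated": duplicated,
                         "critical": critical})
    return findings


# Constructed original content and the appended block described in the article.
ORIGINAL = "[Dosing]\nChlorine_Dose=1.5\nRO_Pressure=55\nSalinity_Setpoint=300\n"
APPENDED = ("Chlorine_Dose=10\nChlorine_Pump=ON\nChlorine_Flow=MAX\n"
            "Chlorine_Valve=OPEN\nRO_Pressure=80\n")


def demo():
    """Baseline a config file, simulate the sample's append, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "DesalConfig.ini")
        with open(cfg, "w") as fh:
            fh.write(ORIGINAL)
        baseline = take_baseline([cfg, os.path.join(tmp, "ROConfig.ini")])
        with open(cfg, "a") as fh:  # append, as IncreaseChlorineLevel() does
            fh.write(APPENDED)
        return check_integrity(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as a scheduled job against the real paths, the baseline should be stored outside the OT host (or signed), since the malware runs with administrative rights and could rewrite a local baseline as easily as the configuration.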
Modbus Sabotage and ICS Subnet Scanning
ZionSiphon’s UZJctUZJctUZJct() function sweeps the local /24 subnet, probing all 255 host addresses on TCP ports 502 (Modbus/TCP), 20000 (DNP3), and 102 (S7comm) with a 100 ms per-connection timeout.
Devices that respond are classified as ICSDevice objects by protocol. For Modbus targets, it first issues a valid Read Holding Registers request, 01 03 00 00 00 0A (unit ID 1, function code 0x03, starting address 0, quantity 10), against the first ten holding registers, then sends a Function Code 6 (Write Single Register) command intended to set Chlorine_Dose to 100, falling back to hardcoded write frames if dynamic register discovery fails.
The DNP3 and S7comm branches contain protocol-accurate prefix headers but are structurally incomplete, indicating the attacker understood these protocols but left those attack paths unfinished.
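To show what the Modbus half of this exchange looks like on the wire and what a monitor should flag, here is an added example (not code from the analysis or the malware) that wraps request PDUs in the Modbus/TCP MBAP header, parses them back, and raises an alert for every write function code. The register map (register 0 as the chlorine dose, register 4 as RO pressure) is an assumption for the demo; the article does not state which register the sample writes. The first sample frame is the article's 01 03 00 00 00 0A read, the others are constructed writes.

```python
import struct

FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
WRITE_FCS = {5, 6, 15, 16, 22, 23}


def mbap_frame(unit, pdu, tid=1):
    """Prepend the Modbus/TCP MBAP header: transaction id, protocol id 0,
    length (unit byte + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame):
    """Decode one request frame; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, body = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc,
           "name": FC_NAMES.get(fc, "unknown"), "write": fc in WRITE_FCS}
    if fc in (1, 2, 3, 4) and len(body) >= 4:
        rec["start"], rec["count"] = struct.unpack(">HH", body[:4])
    elif fc in (5, 6) and len(body) >= 4:
        rec["addr"], rec["value"] = struct.unpack(">HH", body[:4])
    elif fc == 16 and len(body) >= 5:
        start, count, nbytes = struct.unpack(">HHB", body[:5])
        if nbytes != 2 * count or len(body) < 5 + nbytes:
            raise ValueError("malformed Write Multiple Registers body")
        rec["start"], rec["count"] = start, count
        rec["values"] = list(struct.unpack(">%dH" % count, body[5:5 + nbytes]))
    return rec


def detect_writes(frames, protected):
    """One alert per write request, tagging any protected register it touches."""
    alerts = []
    for frame in frames:
        rec = parse_modbus_tcp(frame)
        if not rec["write"]:
            continue
        if rec["fc"] in (5, 6):
            touched = [rec["addr"]]
        elif rec["fc"] == 16:
            touched = range(rec["start"], rec["start"] + rec["count"])
        else:
            touched = []
        rec["protected"] = [protected[a] for a in touched if a in protected]
        alerts.append(rec)
    return alerts


# Assumed register map for the demo; a real dosing controller publishes its own.
PROTECTED_REGISTERS = {0: "Chlorine_Dose", 4: "RO_Pressure"}

# Constructed frames: the article's read (unit 1, FC 03, start 0, quantity 10),
# an FC 06 write of 100 to register 0, and an FC 16 write to registers 4-5.
SAMPLE_FRAMES = [
    mbap_frame(1, bytes.fromhex("03 0000 000A"), tid=1),
    mbap_frame(1, struct.pack(">BHH", 6, 0, 100), tid=2),
    mbap_frame(1, struct.pack(">BHHB", 16, 4, 2, 4) + struct.pack(">HH", 80, 1), tid=3),
]

if __name__ == "__main__":
    for alert in detect_writes(SAMPLE_FRAMES, PROTECTED_REGISTERS):
        print(alert)
```

Any write from a host that is not the engineering workstation or HMI is the signal; an FC 6 from an ordinary IT endpoint to a dosing register is the exact event the article's sample would generate if its kill switch were fixed.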
USB Propagation
A removable media propagation routine scans for drives flagged as removable, copies the hidden payload as svchost.exe with Hidden and System file attributes, then calls CreateUSBShortcut() to generate .lnk shortcut files using the Windows generic file icon (shell32.dll, 4).
Victims who click any visible “file” on the USB drive silently execute the malware, a technique reminiscent of early ICS-targeted worms such as Stuxnet, although unlike Stuxnet’s LNK exploit, which fired when the icon was rendered, these shortcuts still require a user click.
Broken Kill Switch
Despite its elaborate architecture, the current ZionSiphon build cannot successfully execute its payload due to a fundamental XOR encoding mismatch.
The IsTargetCountry() function compares the stored IP-range label "Nqvbdk" against EncryptDecrypt("Israel", 5). However, XORing "Israel" with the key 5 does not produce "Nqvbdk", and no single-byte XOR key can, because the byte-wise difference between the two strings is not constant.
This means the country check always returns false, so the malware invokes SelfDestruct(), which removes the SystemHealthCheck registry key, writes a log to %TEMP%\target_verify.log reading “Target not matched. Operation restricted to IL ranges. Self-destruct initiated.”, and creates a self-deleting batch file to wipe the executable. Darktrace assesses this version as either a development build, a prematurely deployed sample, or an intentionally disabled test artifact.
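The two halves of the targeting check above, the numeric IP-range comparison and the XOR label comparison, reconstructed as an added example (not the sample's decompiled code). The ranges are the three the article lists; the gating order (label check before range check) and the single-byte XOR form of EncryptDecrypt are assumptions. The example also computes the per-position key that would be needed to turn "Israel" into "Nqvbdk", which is the quickest way to confirm the kill switch can never pass with one key.

```python
import ipaddress

# IPv4 ranges the article reports as hardcoded (Base64-obfuscated) in the sample.
TARGET_RANGES = [
    ("2.52.0.0", "2.55.255.255"),
    ("79.176.0.0", "79.191.255.255"),
    ("212.150.0.0", "212.150.255.255"),
]


def ip_to_int(ip):
    """Numeric form of a dotted-quad address, the representation the article
    says IsTargetCountry() compares against its blocks."""
    return int(ipaddress.IPv4Address(ip))


def in_target_ranges(ip, ranges=TARGET_RANGES):
    n = ip_to_int(ip)
    return any(ip_to_int(lo) <= n <= ip_to_int(hi) for lo, hi in ranges)


def encrypt_decrypt(text, key):
    """Single-byte XOR over every character; assumed model of the
    EncryptDecrypt(label, key) transform named in the analysis."""
    return "".join(chr(ord(c) ^ key) for c in text)


def xor_keys_needed(plain, target):
    """Per-position XOR key that would map plain onto target. A working
    single-key scheme needs every entry to be the same value."""
    return [ord(p) ^ ord(t) for p, t in zip(plain, target)]


def is_target_country(local_ip):
    """Assumed gating order: the label comparison must pass before the numeric
    range comparison is consulted, so the mismatch makes this always False."""
    if encrypt_decrypt("Israel", 5) != "Nqvbdk":
        return False
    return in_target_ranges(local_ip)


if __name__ == "__main__":
    print(encrypt_decrypt("Israel", 5))          # Lvwd`i
    print(xor_keys_needed("Israel", "Nqvbdk"))   # [7, 2, 4, 3, 1, 7]
    for ip in ("2.53.10.1", "79.180.0.7", "8.8.8.8"):
        print(ip, in_target_ranges(ip), is_target_country(ip))
```

The range check itself is correct, which is the point worth keeping in mind: a one-line fix to the label (or its key) turns the whole sabotage chain back on for any host with an address in those blocks.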
The structural completeness of its sabotage logic, however, strongly suggests that a corrected version or subsequent iteration remains a credible threat.
A Growing OT Attack Trend
ZionSiphon does not emerge in a vacuum. Iranian-linked threat groups, including CyberAv3ngers, have a documented history of targeting US and Israeli water and fuel management systems, exploiting default credentials on Unitronics PLCs and HMIs throughout 2023 and 2024.
The February 2026 geopolitical escalation between the US, Israel, and Iran has further elevated cyber risk against ICS and SCADA assets across critical sectors.
ZionSiphon’s combination of politically charged messaging, water-sector targeting, and Modbus manipulation logic reflects a maturing threat landscape in which adversaries are iterating beyond IT-focused disruption toward direct physical-consequence operations, Darktrace said.
Recommended Defenses
- Segment OT networks from corporate IT environments to prevent lateral movement from compromised endpoints to ICS controllers
- Monitor Modbus traffic (port 502) for anomalous Function Code 6 write operations, especially targeting chlorine dosing or pressure registers
- Restrict USB access on OT workstations and enforce device allowlisting to neutralize removable-media propagation vectors
- Audit Windows autorun registry keys (HKCU\...\Run) for suspicious entries disguised as system processes like svchost.exe
- Implement file integrity monitoring on critical ICS configuration files, such as .ini, .conf, and .dat files in known plant directories
- Deploy cross-IT/OT visibility platforms capable of detecting anomalous subnet sweeps on OT ports 502, 20000, and 102 in real time.
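The subnet-sweep detection from the last recommendation, as an added example rather than any vendor's or the analysis's own logic. It reads connection records in a constructed five-field format (timestamp, source, destination, destination port, state), keeps a sliding window per source, and alerts when one source touches many distinct hosts on ports 502, 20000 or 102 within the window. The log format, thresholds and traffic are all constructed for the demo; the sweep in it mirrors the sample's behaviour (every neighbour, three OT ports, 100 ms spacing).

```python
from collections import Counter, defaultdict

OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm"}


def parse_line(line):
    """Constructed log format: '<epoch> <src_ip> <dst_ip> <dst_port> <state>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, state = parts
    return float(ts), src, dst, int(port), state


def detect_sweeps(lines, window=10.0, min_hosts=16):
    """Alert when one source touches >= min_hosts distinct destinations on OT
    ports within `window` seconds. Hosts and ports are tracked with Counters so
    a host only leaves the window once all of its attempts have aged out."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[3] in OT_PORTS:
            per_src[ev[1]].append(ev)
    alerts = []
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        hosts, ports, tail = Counter(), Counter(), 0
        for ts, _, dst, port, _ in events:
            hosts[dst] += 1
            ports[port] += 1
            while events[tail][0] < ts - window:  # expire old attempts
                _, _, old_dst, old_port, _ = events[tail]
                hosts[old_dst] -= 1
                ports[old_port] -= 1
                if hosts[old_dst] == 0:
                    del hosts[old_dst]
                if ports[old_port] == 0:
                    del ports[old_port]
                tail += 1
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": len(hosts),
                               "ports": sorted(ports), "window_end": ts})
                break  # one alert per source is enough for the demo
    return alerts


def build_sample_log():
    """Constructed traffic: an HMI polling one PLC (benign), a workstation on
    443 (ignored), and one host hitting 20 neighbours on all three OT ports
    with 100 ms spacing, the pattern the analysed sweep would produce."""
    lines = ["1000.000 192.168.10.5 192.168.10.50 502 OK",
             "1001.000 192.168.10.5 192.168.10.50 502 OK",
             "1002.000 192.168.10.7 10.0.0.9 443 OK"]
    t = 1000.0
    for host in range(1, 21):
        for port in (502, 20000, 102):
            lines.append("%.3f 192.168.10.23 192.168.10.%d %d REJ" % (t, host, port))
            t += 0.1
    return lines


if __name__ == "__main__":
    for alert in detect_sweeps(build_sample_log()):
        print(alert)
```

Tune `min_hosts` to the real fan-out of legitimate pollers on the segment; an HMI that polls a few dozen PLCs will need a higher threshold or an allowlist, whereas a freshly infected engineering workstation should never open connections to every address in its /24.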
Frequently Asked Questions
Q1: What is ZionSiphon malware?
ZionSiphon is a politically motivated OT malware discovered by Darktrace in April 2026, designed to sabotage Israeli water treatment and desalination systems by manipulating chlorine levels and ICS configuration files and by issuing writes over the Modbus protocol.
Q2: Is ZionSiphon currently operational and capable of causing damage?
No. The current build contains a broken XOR-based country validation function that causes the malware to self-destruct rather than execute its payload. Its sabotage architecture is structurally complete, however, and would be functional if that check were corrected.
Q3: Which Israeli infrastructure does ZionSiphon specifically target?
The malware hardcodes references to Mekorot (Israel’s national water company), the Sorek, Hadera, Ashdod, and Palmachim desalination plants, and the Shafdan wastewater facility, alongside Israeli IP address ranges.
Q4: How does ZionSiphon spread and maintain persistence on infected systems?
ZionSiphon persists via a hidden svchost.exe copy registered as a Windows autorun key named SystemHealthCheck, and propagates through USB drives by creating malicious .lnk shortcut files that masquerade as legitimate files using the Windows generic file icon.
Site: http://thecybrdef.com