Cybersecurity researchers have uncovered a new piece of malware called ZionSiphon that targets critical water supply and desalination infrastructure in Israel. The threat is capable of altering system parameters, which could potentially lead to serious real-world consequences.
Cybersecurity experts recently identified a new malicious cyber weapon known as ZionSiphon, which appears to target water treatment and desalination plants in Israel.
ZionSiphon, the name Darktrace has given it, is capable of establishing itself in the target environment, changing local configuration settings and searching the network for services associated with industrial processes. A publicly available sample surfaced on June 29, 2025, shortly after the brief but intense military clash between Iran and Israel earlier that month.
Experts have focused their assessment on the software's capabilities. It escalates privileges to extend its reach on the host, attempts to infect other computers through removable media (such as USB flash drives) and, while doing so, searches for industrial equipment. Most concerning are its attempts to manipulate the variables that govern physical processes in water delivery systems, namely chlorine concentration and pressure.
Notably, ZionSiphon does not operate blindly. Rather than running wherever it lands, it first checks whether the host's address falls within IP ranges associated with Israel and confines itself to those:
2.52.0.0 – 2.55.255.255
79.176.0.0 – 79.191.255.255
212.150.0.0 – 212.150.255.255
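The targeting check described above, written out as an added example (this is not ZionSiphon's code and not from Darktrace's report): the three published ranges are collapsed into CIDR blocks, a host address is tested against them, and a list of observed source addresses is split into in-range and out-of-range sets, which is the same filter a defender can use when hunting for OT-protocol traffic from unexpected peers. The sample addresses at the bottom are constructed for illustration.

```python
import ipaddress

# The three address ranges the article reports ZionSiphon checks against
# before it activates.
TARGET_RANGES = [
    ("2.52.0.0", "2.55.255.255"),
    ("79.176.0.0", "79.191.255.255"),
    ("212.150.0.0", "212.150.255.255"),
]


def ranges_to_networks(ranges):
    """Collapse each first/last address pair into the minimal set of CIDR blocks."""
    networks = []
    for first, last in ranges:
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return networks


TARGET_NETWORKS = ranges_to_networks(TARGET_RANGES)


def in_target_range(ip):
    """True if ip falls inside one of the reported ranges.

    Private, loopback and link-local addresses never match, so a host that only
    sees an RFC 1918 address behind NAT fails this check even when its public
    egress address is in range (one reason a check like this is unreliable).
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return False
    return any(addr in net for net in TARGET_NETWORKS)


def classify_hosts(ips):
    """Split observed source addresses into in-range and out-of-range lists.

    Useful as a hunting filter: OT protocol traffic from an in-range public
    address that is not an expected peer deserves a look.
    """
    matched = sorted(ip for ip in ips if in_target_range(ip))
    unmatched = sorted(ip for ip in ips if not in_target_range(ip))
    return matched, unmatched


# Constructed sample input (not from the article): a handful of addresses.
SAMPLE_IPS = ["2.53.10.7", "79.191.255.255", "79.192.0.1", "212.150.4.4",
              "8.8.8.8", "192.168.1.20"]

if __name__ == "__main__":
    print([str(n) for n in TARGET_NETWORKS])
    print(classify_hosts(SAMPLE_IPS))
```

The three ranges collapse cleanly to 2.52.0.0/14, 79.176.0.0/12 and 212.150.0.0/16, which is also how they would be written in a firewall or IDS rule.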
The malware also contains politically charged comments supporting Iran, Palestine and Yemen, and its intended targets are devices associated with Israeli water infrastructure. Before it begins operating, it verifies both the geographic fit and the type of system it is on. Once activated, it actively scans the surrounding network for devices speaking the Modbus, DNP3 and S7comm industrial protocols, attempts to communicate with them and modifies their operating parameters. Controllers responsible for chlorination and pressure regulation in water delivery systems are the highest-priority targets.
Researchers indicate that the Modbus component is the most fully developed so far in terms of establishing remote access to these systems. The DNP3 and S7comm approaches appear unpolished and look like work in progress, suggesting they are still being tested.
A further finding is that the malware spreads through removable media and self-destructs if it finds that the host does not match its targeting parameters. Darktrace's researchers noted that the country check is currently unreliable, which could mean the malware is still being tested or is not yet finished.
Despite the instability and limitations of the current version, there appears to be a coherent plan behind ZionSiphon: someone is testing ways to threaten industrial networks over several protocols at once and looking for means to embed themselves within those networks.
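Since Modbus is the most developed part of the toolkit, the check a plant defender most wants is visibility into Modbus write requests from hosts that should never issue them. The following is an added example, not ZionSiphon's code and not from any of the reports cited here: it parses Modbus/TCP request frames (MBAP header plus PDU, as specified in the Modbus/TCP standard) and flags state-changing function codes from sources outside an allow list. The host addresses, the allow list and the sample frames are constructed for illustration.

```python
import struct
from collections import namedtuple

# Modbus/TCP function codes that change controller state (writes) versus reads.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

ModbusRequest = namedtuple("ModbusRequest", "transaction unit function address payload")


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP request ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError(f"protocol id {protocol} is not Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function, pdu = frame[7], frame[8:]
    try:
        if function in (0x05, 0x06):
            address, value = struct.unpack(">HH", pdu[:4])
            payload = {"value": value}
        elif function in (0x0F, 0x10):
            address, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
            payload = {"quantity": quantity, "data": pdu[5:5 + byte_count]}
        elif function in READ_FUNCTION_CODES:
            address, quantity = struct.unpack(">HH", pdu[:4])
            payload = {"quantity": quantity}
        else:
            address, payload = None, {"raw": pdu}
    except struct.error as exc:
        raise ValueError(f"truncated PDU for function 0x{function:02x}") from exc
    return ModbusRequest(transaction, unit, function, address, payload)


def build_request(transaction, unit, pdu):
    """Wrap a PDU in an MBAP header (helper used to build the constructed samples)."""
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


def flag_unexpected_writes(packets, allowed_writers):
    """Return alert strings for write requests from hosts not in allowed_writers.

    packets: iterable of (src_ip, dst_ip, frame). In a water plant the only
    legitimate writers are normally the HMI and the engineering workstation,
    so any other source writing setpoints is worth an alert. Malformed frames
    are reported too, since a half-finished implant produces them.
    """
    alerts = []
    for src, dst, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if req.function in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst} unit {req.unit}: {WRITE_FUNCTION_CODES[req.function]}"
                f" at address {req.address} {req.payload}")
    return alerts


# Constructed sample traffic (not captured data). 10.0.5.10 plays the HMI,
# 10.0.5.50/51 are PLCs and 10.0.5.77 is an unexpected host writing setpoints.
SAMPLE_PACKETS = [
    ("10.0.5.10", "10.0.5.50", build_request(1, 1, struct.pack(">BHH", 0x03, 0, 10))),
    ("10.0.5.10", "10.0.5.50", build_request(2, 1, struct.pack(">BHH", 0x06, 40, 1200))),
    ("10.0.5.77", "10.0.5.50", build_request(3, 1, struct.pack(">BHH", 0x06, 40, 5000))),
    ("10.0.5.77", "10.0.5.51", build_request(4, 1, struct.pack(">BHHB", 0x10, 100, 2, 4) + b"\x00" * 4)),
    ("10.0.5.77", "10.0.5.51", b"\x00\x05\x00\x00\x00\x02\x01\x06"),  # write with no data
]
ALLOWED_WRITERS = {"10.0.5.10"}

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

Run against the samples, the HMI's read and setpoint write pass silently, while the two writes and the truncated frame from 10.0.5.77 each produce an alert. Feeding it real traffic means pulling TCP/502 payloads from a capture or a network tap; the register addresses that correspond to chlorine dosing or pressure setpoints are plant-specific and have to come from the site's own PLC documentation.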
Additional research findings were presented alongside this report.
BlackPoint Cyber reported on RoadK1ll, an implant written in Node.js. RoadK1ll lacks the characteristics typically seen in Trojans: rather than installing malware on the victim's device, it merely opens a communication channel over WebSockets and turns the compromised device into a relay through which its operators can move around the organization's internal network unnoticed.
Gen Digital investigated another piece of malware, the AngrySpark backdoor. It was present in a United Kingdom organization for nearly a year before disappearing when that organization lost connectivity.
Although its functionality is complex, the AngrySpark backdoor operates in a relatively simple way:
it disguises itself as a Windows system file,
it executes via the Task Scheduler,
it injects into svchost.exe,
and it processes incoming commands through a virtual machine;
the commands themselves are delivered covertly (for example as requests for .png files). As a result, the AngrySpark backdoor blends into ordinary network traffic.
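Command channels dressed up as image fetches are a recurring pattern, and the generic counter-check is to verify that a response claiming to be a PNG actually carries one. The following added example is not AngrySpark's code and not from Gen Digital's analysis; the article does not say whether AngrySpark's traffic would fail this check, so treat it as a general hunting filter for image-masquerading channels. It validates the PNG signature and the IHDR chunk CRC rather than just the magic bytes, and the sample responses are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def looks_like_png(data):
    """True only if data starts with the PNG signature and a well-formed IHDR chunk.

    Checking the IHDR CRC as well as the magic bytes catches payloads that merely
    prepend the eight signature bytes to something else.
    """
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        return False
    expected_crc = struct.unpack(">I", data[29:33])[0]
    # CRC covers the chunk type and chunk data, not the length field.
    return zlib.crc32(data[12:29]) & 0xFFFFFFFF == expected_crc


def classify_image_responses(responses):
    """Flag HTTP responses that claim to be PNGs but do not carry one.

    responses: iterable of (request_path, content_type, body), as a proxy log
    or a capture would yield them.
    """
    alerts = []
    for path, content_type, body in responses:
        claims_png = path.lower().endswith(".png") or content_type == "image/png"
        if claims_png and not looks_like_png(body):
            alerts.append(f"{path}: declared PNG but body is not a valid PNG ({body[:16]!r})")
    return alerts


def _minimal_png():
    """Build a valid PNG prefix (signature + IHDR for a 1x1 RGB image) for the sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


# Constructed sample responses (not real AngrySpark traffic).
REAL_PNG = _minimal_png()
SAMPLE_RESPONSES = [
    ("/static/logo.png", "image/png", REAL_PNG),
    ("/img/a1b2.png", "image/png", b"run:whoami;upload:c:\\temp\\x.dat"),
    ("/img/c3d4.png", "image/png", PNG_SIGNATURE + b"IHDR" + b"\x00" * 25),  # magic only
    ("/api/status", "application/json", b'{"ok":true}'),
]

if __name__ == "__main__":
    for alert in classify_image_responses(SAMPLE_RESPONSES):
        print(alert)
```

The second and third samples are flagged (plain text, and a fake with only the magic bytes and no valid IHDR), the genuine PNG and the JSON response are not. An operator who hides commands inside a structurally valid PNG (steganography or trailing data after IEND) defeats this check, so it is a first filter rather than a verdict.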
Darktrace researchers said: “This kind of tool is designed to make detection extremely difficult and reverse engineering near impossible.”
Viewed collectively, these examples illustrate one trend: attacks are becoming quieter and more sophisticated, and are increasingly aimed at disrupting critical infrastructure rather than stealing sensitive information. That adds yet another layer of risk.