ZionSiphon Malware Targets Israeli Water and Desalination Systems

Tags: critical-infrastructure-threat, state-sponsored-disruption, industrial-control-system-vulnerability, persistence-method, lateral-movement-method

Updated April 24, 2026 at 09:01 PM · 12 sources
Darktrace reported that a malware sample dubbed ZionSiphon was built to target Israeli water and desalination infrastructure, combining standard Windows malware features with operational technology-specific discovery and sabotage logic. The sample includes privilege escalation, persistence through a hidden svchost.exe copy in LocalApplicationData, self-deletion, USB propagation via hidden executables and malicious shortcuts, and hardcoded Israeli IP ranges and facility references tied to water, wastewater, and desalination operations. Embedded anti-Israel and propaganda-style strings referencing locations including Tel Aviv, Haifa, and Dimona, along with references to Mekorot and other facilities, indicate politically motivated targeting.

On systems it identifies as relevant, ZionSiphon checks for OT-related processes, directories, and configuration files associated with reverse osmosis, chlorine control, and plant operations, then attempts local configuration tampering to raise chlorine-related settings. It also scans the local /24 subnet for Modbus, DNP3, and S7comm services, with the Modbus branch the most mature and capable of reading holding registers and attempting chlorine-dosing-related writes, while the DNP3 and S7comm routines appear incomplete. Darktrace said the analyzed build is currently dysfunctional because a flawed country-validation routine prevents activation and causes the malware to self-destruct, but the code still shows clear sabotage intent against Israeli critical water infrastructure.
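As a defender-side illustration of the Modbus behaviour described above, the following is an added Python example (not Darktrace's or any other vendor's code) that parses Modbus/TCP requests and flags coil or holding-register writes coming from hosts outside an engineering-workstation allowlist; the IP addresses, register address and sample frames are constructed for the demonstration.

```python
import struct
from collections import namedtuple

# Function codes that alter controller state (coil and holding-register writes).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# value_or_count is the written value (FC 5/6) or the item quantity (FC 3/15/16).
ModbusRequest = namedtuple("ModbusRequest", "src transaction_id unit_id function address value_or_count")

def parse_request(src: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the first 5 bytes of the PDU."""
    if len(frame) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field disagrees with frame size")
    fc, addr, val = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(src, tid, unit, fc, addr, val)

def flag_unauthorized_writes(frames, allowed_writers):
    """One alert per write from a host outside the allowlist, plus one per malformed frame."""
    alerts = []
    for src, frame in frames:
        try:
            req = parse_request(src, frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} unit {req.unit_id} "
                          f"addr {req.address} value/count {req.value_or_count}")
    return alerts

# Constructed sample traffic (hypothetical addresses): an HMI reading 10 holding registers,
# the engineering workstation writing register 16, the same write from an unexpected
# host on the /24, and a truncated frame from that host.
SAMPLE_FRAMES = [
    ("10.0.5.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    ("10.0.5.20", bytes.fromhex("0002 0000 0006 01 06 0010 0005")),
    ("10.0.5.77", bytes.fromhex("0003 0000 0006 01 06 0010 0064")),
    ("10.0.5.77", bytes.fromhex("0004 0000 0004 01 06 0010")),
]
ALLOWED_WRITERS = {"10.0.5.20"}  # hosts permitted to issue Modbus writes

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

In a real deployment the frames would come from a span-port capture or a Modbus-aware sensor, and the allowlist from the plant's asset inventory.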

Timeline

  1. Apr 24, 2026

    Nozomi says ZionSiphon is unlikely to be a real OT threat

    Nozomi Networks Labs assessed ZionSiphon and concluded it is likely a mock-up or proof of concept rather than a genuine operational threat to water treatment facilities, citing fabricated paths, flawed geofencing, unrealistic OT behavior, and weak execution logic. Nozomi also updated its threat intelligence package to detect the sample and said no customer action was needed beyond routine monitoring and updates.

  2. Apr 23, 2026

    Dragos says ZionSiphon is not a credible OT or ICS threat

    Dragos published its own analysis of ZionSiphon and concluded the malware is not a credible OT or ICS threat, describing it as a poor, likely LLM-generated attempt with broken code, fictional process names and paths, and unrealistic industrial logic. The firm said that even fixing a minor targeting bug would not make it operational because of deeper logic errors and invalid assumptions.

  3. Apr 16, 2026

    Darktrace finds ZionSiphon build is dysfunctional and self-destructs

    Darktrace assessed the analyzed ZionSiphon build as incomplete or developmental because its country-validation logic contains a flawed Israel check that cannot succeed. As a result, the malware self-destructs instead of activating, despite showing clear intent to target Israeli water infrastructure.

  4. Apr 16, 2026

    Darktrace analyzes ZionSiphon OT malware targeting Israeli water systems

    Darktrace analyzed a malware sample dubbed ZionSiphon and found it combined Windows privilege escalation, persistence, self-deletion, USB propagation, local configuration tampering, and OT-focused network scanning aimed at Israeli water and desalination environments. The sample included hardcoded Israeli IP ranges, infrastructure-related strings, and sabotage-oriented logic involving chlorine-related settings and Modbus, DNP3, and S7comm discovery.

  5. Jun 29, 2025

    Darktrace first detects ZionSiphon in the wild

    Darktrace said it first observed the ZionSiphon malware sample in the wild on 2025-06-29, shortly after the June 13–24 Twelve-Day War between Iran and Israel. The sample appeared tailored to Israeli water and desalination operational technology environments.

Related Stories

MuddyWater Cyberespionage Campaign Leveraging Snake Game-Inspired Malware

Iranian state-aligned threat group MuddyWater has launched a new cyberespionage campaign targeting organizations in Israel and Egypt, with a focus on technology, engineering, manufacturing, local government, and educational sectors. Researchers from ESET and other security firms have identified that MuddyWater is using a novel loader, dubbed Fooder, which masquerades as the classic Snake video game to deliver a new backdoor called MuddyViper. This loader introduces execution delays, inspired by the Snake game's mechanics, to evade antivirus detection. The campaign also employs spearphishing emails with PDF attachments that link to remote monitoring and management software installers, hosted on free file-sharing services, to gain initial access. The MuddyViper backdoor enables attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additional tools, such as credential stealers and another backdoor named VAX One, have also been deployed. MuddyWater's evolving tactics, including the use of reflective loading for in-memory execution and the impersonation of legitimate software, demonstrate increased sophistication and a continued focus on defense evasion and persistence. Security researchers note the possibility that MuddyWater may be acting as an initial access broker for other Iranian threat actors, given observed overlaps in operations.

1 month ago

WaterHydra-Linked DarkMe and QuasarRAT Infrastructure Exposed Across Bulletproof Hosts

Researchers linked the GitHub operator **`evilgrou-tech`** to the **WaterHydra/DarkCasino** lineage and uncovered an active malware operation using **DarkMe RAT**, **QuasarRAT v1.4.1**, and a modified **"Sentinel"** QuasarRAT variant against forex traders and cryptocurrency users. The attribution rests on a reused developer artifact — **`C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb`** — along with dozens of overlapping indicators spanning code, infrastructure, targeting, and tradecraft. The campaign used GitHub-hosted encrypted payloads, multi-stage loaders, AMSI bypasses, fileless .NET execution, registry and startup persistence, and live command-and-control nodes including **`91.124.98.29:2626`** and **`192.109.200[.]147`**. Investigators recovered five AES payload key schemes, an XOR loader key, and QuasarRAT PBKDF2-derived cryptographic material, enabling offline decryption of staged payloads and configuration data. The infrastructure mapped the operation across hosting providers and networks in Ukraine, Russia, and the United States, with ties to **ThinkHuge**, **PrefixBroker**, **PFCLOUD**, and upstream infrastructure associated with **CountLoader** and an **Amadey** staging server linked to more than 23 malware families. The **Sentinel** variant added **Hidden VNC**, keylogging, and browser credential theft under a crypto-focused **"Pumpfun"** campaign, while the parallel **"Office04"** activity remained focused on financial trading targets. Separate analysis of the live QuasarRAT server showed its encryption key matched the SHA1 hash of the server TLS certificate, but a protocol-accurate fake client was still rejected, indicating application-layer IP allowlisting on the C2. 
Breakglass also identified a second, distinct malware distribution operation tied to a Brazilian Portuguese-speaking actor that used fake gaming cheat sites, GitHub, Discord, and MediaFire to spread **AgentTesla**, underscoring broader criminal use of the same malware delivery ecosystem.

1 week ago

Iran-linked MuddyWater intrusions and heightened retaliation risk after U.S.-Israeli strikes

Following the Feb. 28, 2026 U.S.-Israeli strikes on Iran, reporting indicates a **heightened risk of Iranian retaliatory cyber activity** against U.S. and allied organizations, with expected operations spanning **ransomware, DDoS (including as cover for deeper intrusions), data leaks from prior exfiltration, and aggressive social engineering** (e.g., fake job offers and malicious attachments). Likely target sets highlighted include **critical infrastructure**, **banking**, and environments involving **industrial control systems/PLCs**, with emphasis on disciplined execution of security fundamentals (patching, log review, and tighter email/attachment handling) rather than overreliance on automation. Separately, **MuddyWater** (*Seedworm*), an Iran-linked APT, was reported active in multiple U.S. organizations since early Feb. 2026, with activity increasing after the strikes. Symantec and Carbon Black researchers described targeting that included a **U.S. bank**, an **airport**, a **non-profit**, and the **Israel operation of a U.S. software company** supplying the defense/aerospace sector, and identified a previously unknown backdoor, **Dindoor**, observed in several victims; **Dindoor executes via `Deno`** (a JavaScript/TypeScript runtime). Commentary in the reporting also warned to assume potential **pre-positioning** in high-value targets and recommended proactive hunting for signs of persistent access before activation.

1 month ago