Verticals Targeted: Water, Critical Infrastructure
Regions Targeted: Israel
Executive Summary
ZionSiphon is an OT-focused malware sample designed to identify and interact with water treatment and desalination environments, with targeting logic aimed at water treatment systems in Israel. Although the analyzed version appears partially non-functional, it demonstrates ICS-aware targeting, industrial protocol interaction, and politically motivated intent. The sample provides insight into evolving adversary interest in manipulating systems that underpin critical infrastructure operations.
Key Takeaways
- ZionSiphon is an OT-aware malware sample designed to identify and interact with water treatment and desalination systems, including ICS components associated with chlorine dosing and process control.
- The malware demonstrates partial implementation of industrial protocol interaction, particularly Modbus, with additional but incomplete support for DNP3 and S7comm, indicating ongoing development.
- Embedded messaging and targeting logic indicate politically motivated intent focused on Israeli infrastructure, though there is no confirmed attribution to a specific threat actor or state-sponsored group.
- A critical flaw in the malware’s targeting validation prevents successful execution in its current form, suggesting the analyzed sample is incomplete, misconfigured, or not yet operationally deployed.
Overview
ZionSiphon represents a developing class of malware designed to operate at the intersection of enterprise IT systems and operational technology (OT) environments. The sample combines common endpoint techniques, including persistence and privilege escalation, with logic specifically intended to identify industrial control systems (ICS) associated with water treatment and desalination processes. Darktrace recently reported on this activity.
The malware incorporates environment-aware controls that restrict execution to intended targets. These include geographic filtering tied to specific IP ranges and system-level checks for indicators consistent with industrial water infrastructure. This approach reflects a shift away from broad, opportunistic malware deployment toward more selective targeting of operational environments.
While the current sample contains implementation flaws that prevent full execution, its structure demonstrates how adversaries may attempt to stage access within IT environments and transition toward OT system interaction.
Technical Details
ZionSiphon uses a layered targeting approach that combines geographic filtering with environment validation. The malware evaluates whether the host system falls within predefined IP ranges associated with Israeli networks and then checks for indicators of water treatment or desalination systems. These checks include process names, directory paths, and configuration files tied to industrial operations such as reverse osmosis control and chlorine dosing. This dual validation model indicates an attempt to ensure that the malware activates only within specific operational environments.
Persistence is established through standard user-level mechanisms. The malware copies itself to a concealed location within the local application data directory, adopts a filename associated with legitimate Windows processes, and creates an autorun entry in the registry. It attempts to elevate privileges using PowerShell to re-execute with administrative rights. These techniques are consistent with common intrusion tradecraft and are sufficient to maintain access within enterprise systems that interface with operational environments.
The malware includes a network discovery component designed to identify industrial devices on the local subnet. It scans a /24 network range and probes ports associated with Modbus, DNP3, and S7comm protocols. Connection attempts are performed in parallel with short timeouts, allowing rapid identification of responsive systems. Basic validation logic is used to confirm protocol responses, indicating partial familiarity with industrial communication standards.
ZionSiphon also contains functionality intended to interact with industrial processes. The malware searches for configuration files associated with chlorine dosing, pressure regulation, and flow control. When such files are identified, it appends values that would alter system behavior, including increasing chlorine levels and forcing operational states for pumps and valves. In addition, the malware implements Modbus communication routines that read register values and attempt to write modified values back to the system. This indicates an intent to influence process-level parameters within water treatment environments.
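The discovery probe and the Modbus read/write routines described in the two paragraphs above share the same framing. The following is an added illustration written for this bulletin, not ZionSiphon code and not a PolySwarm tool: it builds and validates Modbus/TCP frames the way a scanner would (transaction ID, protocol ID 0, length field, matching function code or its exception form), decodes a register read, and flags write function codes. The port map uses the standard defaults for the three protocols (TCP 502, 20000, 102); the 192.0.2.0/24 range, unit ID 1 and the register numbers are assumptions.

```python
"""Modbus/TCP framing helpers for ICS discovery probes and read/write traffic (added example)."""
from __future__ import annotations

import asyncio
import ipaddress
import struct

# Default TCP ports for the three protocols named in the bulletin (standard assignments).
ICS_PORTS = {502: "modbus", 20000: "dnp3", 102: "s7comm"}

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}  # coil and register writes


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: transaction id, protocol id 0, length (unit + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    return mbap(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, count))


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    return mbap(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value))


def parse_response(frame: bytes) -> tuple[int, int, int, bytes]:
    """Return (tid, unit, function_code, payload); raise ValueError when the header is inconsistent."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7], frame[8:]


def is_valid_modbus_reply(request: bytes, reply: bytes) -> bool:
    """Scanner-side check: sane header, same tid and unit, function code echoed or returned as an exception."""
    try:
        tid, unit, fc, _ = parse_response(reply)
    except ValueError:
        return False
    req_tid, req_unit, req_fc = struct.unpack(">H", request[:2])[0], request[6], request[7]
    return tid == req_tid and unit == req_unit and fc in (req_fc, req_fc | 0x80)


def decode_registers(payload: bytes) -> list[int]:
    """Payload of a function-3 response: byte count followed by big-endian 16-bit registers."""
    n = payload[0]
    return list(struct.unpack(f">{n // 2}H", payload[1:1 + n]))


def is_write(frame: bytes) -> bool:
    """True when a request frame carries a coil/register write function code."""
    return len(frame) > 7 and frame[7] in WRITE_FUNCTION_CODES


async def probe(host: str, port: int, timeout: float = 0.5) -> str | None:
    """Connect with a short timeout; on 502 also send a one-register read and validate the reply."""
    try:
        reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return None
    try:
        if port == 502:
            req = read_holding_registers(1, 1, 0, 1)
            writer.write(req)
            await writer.drain()
            reply = await asyncio.wait_for(reader.read(260), timeout)  # 260 is the Modbus/TCP frame maximum
            return "modbus" if is_valid_modbus_reply(req, reply) else "open:502"
        return f"open:{port}"
    finally:
        writer.close()


async def scan_subnet(cidr: str) -> dict[tuple[str, int], str]:
    """Probe every host/port pair of the subnet concurrently. Only run against networks you are authorised to test."""
    tasks = {(str(h), p): asyncio.create_task(probe(str(h), p))
             for h in ipaddress.ip_network(cidr).hosts() for p in ICS_PORTS}
    results = await asyncio.gather(*tasks.values())
    return {k: v for k, v in zip(tasks, results) if v}


if __name__ == "__main__":
    # Offline demonstration on a constructed reply: two registers, values 100 and 200.
    req = read_holding_registers(0x1234, 1, 0, 2)
    reply = bytes.fromhex("123400000007010304006400c8")
    print(is_valid_modbus_reply(req, reply), decode_registers(parse_response(reply)[3]))
    print(is_write(write_single_register(1, 1, 10, 500)))
```

The validation step is what separates "port 502 is open" from "this host speaks Modbus": the MBAP length check and the echoed transaction ID reject banners from unrelated services, and accepting the exception form (function code OR 0x80) keeps devices that refuse the read but still answer in protocol.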
Support for additional industrial protocols is present but incomplete. Code fragments related to DNP3 and S7comm contain elements of valid protocol structures but lack the necessary components to form functional commands. This uneven implementation suggests that the malware was still under development, with only limited functionality reaching partial completion.
The malware also includes removable media propagation. It copies itself to connected drives, creates shortcut files that execute the payload, and hides legitimate files to increase the likelihood of user interaction. This propagation method may enable movement across segmented or restricted networks where direct network-based spread is limited.
A critical flaw prevents the malware from successfully validating its intended targets. The geographic validation logic compares mismatched encoded values, resulting in consistent failure of the targeting condition. When this occurs, the malware initiates a self-removal routine that deletes persistence mechanisms, logs the failed validation, and removes the executable. This behavior indicates that the analyzed sample is likely incomplete, misconfigured, or not intended for operational deployment in its current form.
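To make the failure mode concrete, the following is an added model of the two-stage gate, not ZionSiphon code. The bulletin states only that the geographic check compares mismatched encoded values and that a failed check triggers cleanup; the specific encodings (a hex-encoded allowlist tested against a base64-encoded observation), the documentation-range CIDRs, the indicator path fragments and the process names are all assumptions chosen for illustration. The buggy and fixed variants are side by side so the reader can see why the original condition can never be satisfied.

```python
"""Two-stage targeting gate with the mismatched-encoding bug beside a corrected version (added example)."""
from __future__ import annotations

import base64
import ipaddress

TARGET_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]   # documentation ranges standing in for real target ranges
# Assumed storage form: each CIDR kept hex-encoded so the plain text does not show up in strings output.
ENCODED_ALLOWLIST = [c.encode().hex() for c in TARGET_CIDRS]

INDICATOR_PATH_FRAGMENTS = ("ro_control", "chlorine_dosing", "desal")   # assumed
INDICATOR_PROCESSES = {"rocontrol.exe", "dosingsvc.exe"}                 # assumed


def geo_check_buggy(host_ip: str) -> bool:
    """Mismatched encodings: the observed /24 is base64-encoded, the allowlist is hex,
    so the membership test can never succeed regardless of the host's address."""
    net = str(ipaddress.ip_network(f"{host_ip}/24", strict=False))
    observed = base64.b64encode(net.encode()).decode()
    return observed in ENCODED_ALLOWLIST


def geo_check_fixed(host_ip: str) -> bool:
    """Decode the stored entries and test real network membership."""
    addr = ipaddress.ip_address(host_ip)
    return any(addr in ipaddress.ip_network(bytes.fromhex(e).decode()) for e in ENCODED_ALLOWLIST)


def env_check(paths, processes) -> bool:
    """Second gate: any path fragment or process name associated with water-treatment control."""
    lowered = [p.lower() for p in paths]
    if any(frag in p for p in lowered for frag in INDICATOR_PATH_FRAGMENTS):
        return True
    return bool({p.lower() for p in processes} & INDICATOR_PROCESSES)


def decide(host_ip, paths, processes, geo_check=geo_check_buggy) -> list[str]:
    """Return the actions the gate would take: activate, or the cleanup sequence the bulletin describes."""
    if geo_check(host_ip) and env_check(paths, processes):
        return ["activate"]
    return ["delete_run_key", "log_failed_validation", "delete_executable"]


if __name__ == "__main__":
    plant_paths = ["C:\\Plant\\RO_Control\\setpoints.ini"]
    print(decide("192.0.2.10", plant_paths, []))                             # cleanup, despite in-range host
    print(decide("192.0.2.10", plant_paths, [], geo_check=geo_check_fixed))  # activate
```

When triaging a sample like this, the useful analyst check is exactly this comparison: feed the gate an address inside its own allowlist and confirm it still takes the cleanup path, which is what distinguishes "misconfigured build" from "no target in this lab".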
Attribution and Motivation
ZionSiphon contains embedded strings expressing support for Iran, Palestine, and Yemen, along with messaging referencing Israeli targets. These strings are encoded within the binary and, when decoded, reflect ideological alignment with anti-Israel narratives.
The combination of this messaging with targeting logic focused on Israeli infrastructure indicates that the malware was developed within a specific geopolitical context. However, there is no evidence directly linking the sample to an Iran-affiliated threat actor or any known state-sponsored campaign.
Based on available evidence, the activity is best assessed as politically motivated. While the targeting and embedded narratives are consistent with regional tensions, there is insufficient information to associate the sample with a specific threat group or coordinated operation.
Analyst Commentary
ZionSiphon reflects continued experimentation with malware designed to interact with operational technology systems that support critical infrastructure. Although the current sample is not fully functional, its design demonstrates an intent to move beyond traditional IT compromise and toward interaction with systems that control physical processes.
ZionSiphon potentially aligns with broader patterns previously noted in PolySwarm reporting on PLC-focused threats that may escalate in relation to the ongoing military conflict involving Iran. In particular, this activity reflects continued interest in operational technology environments, as highlighted in our prior threat bulletin entitled Iran-Linked PLC Exploitation Expands Across US Critical Infrastructure. While ZionSiphon has not been attributed to a particular threat actor group, the sample's messaging and targeting are consistent with regional geopolitical tensions.
For public sector and critical infrastructure operators, the relevance lies not in the immediate operational capability of this specific sample, but in the direction it represents. The integration of environment-aware targeting, industrial protocol interaction, and process-level manipulation logic indicates growing interest in capabilities that could affect water treatment and similar systems. Defensive strategies should account for threats that originate in IT environments but are designed to identify and interact with OT systems. In practice this means correlating IT-side telemetry (new autorun entries, PowerShell elevation attempts, removable-media activity) with network-side indicators such as hosts in corporate segments initiating connections to TCP 502, 20000 or 102, and Modbus write function codes originating from anything other than designated engineering workstations. Visibility across both domains is essential for early detection of such activity.
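As an added example of the cross-domain visibility the paragraph above calls for (not PolySwarm or Darktrace detection content), the block below runs two checks over constructed, simplified Zeek-style conn.log and modbus.log records: an IT-segment host fanning out to many ICS-port targets within a short window, and a Modbus write function code from any host outside an engineering-workstation allowlist. The subnet labels, the allowlist, the fan-out threshold and every log line are constructed assumptions; the function names in the modbus.log lines follow Zeek's naming.

```python
"""Discovery fan-out and unauthorised-write detection over Zeek-style logs (added example)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict

ICS_PORTS = {502, 20000, 102}                        # Modbus/TCP, DNP3, S7comm (ISO-TSAP) defaults
MODBUS_WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
                      "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS"}
IT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")    # corporate workstation range (assumed)
ENGINEERING_HOSTS = {"10.20.1.5"}                    # hosts allowed to issue Modbus writes (assumed)
SCAN_FANOUT = 20                                     # distinct ICS-port targets per window that count as discovery


def build_conn_log() -> str:
    """Constructed conn.log: 25 failed Modbus connects plus one S7comm probe from an IT workstation
    within ~13 seconds, and one normal engineering-station session."""
    lines = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"]
    for i in range(1, 26):
        lines.append(f"{1700000000 + i * 0.5:.1f}\tC{i}\t10.10.4.77\t{50000 + i}\t10.20.1.{i}\t502\ttcp\tS0")
    lines.append("1700000013.0\tC26\t10.10.4.77\t50026\t10.20.1.30\t102\ttcp\tS0")
    lines.append("1700000020.0\tC27\t10.20.1.5\t50100\t10.20.1.30\t502\ttcp\tSF")
    return "\n".join(lines)


# Constructed modbus.log: a legitimate read and write from the engineering host, then a write from the IT host.
MODBUS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
1700000020.1\tC27\t10.20.1.5\t50100\t10.20.1.30\t502\tREAD_HOLDING_REGISTERS\t-
1700000021.0\tC27\t10.20.1.5\t50100\t10.20.1.30\t502\tWRITE_MULTIPLE_REGISTERS\t-
1700000030.0\tC28\t10.10.4.77\t50027\t10.20.1.30\t502\tWRITE_SINGLE_REGISTER\t-
"""


def parse_zeek_tsv(text: str) -> list[dict[str, str]]:
    """Parse a Zeek-style TSV: the #fields line names the columns, other # lines are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def detect_ics_fanout(conn_rows, window: float = 60.0, threshold: int = SCAN_FANOUT) -> dict[str, int]:
    """Flag IT-segment sources that touch >= threshold distinct ICS-port targets within any window."""
    by_src: dict[str, list] = defaultdict(list)
    for r in conn_rows:
        if int(r["id.resp_p"]) in ICS_PORTS and ipaddress.ip_address(r["id.orig_h"]) in IT_SEGMENT:
            by_src[r["id.orig_h"]].append((float(r["ts"]), (r["id.resp_h"], r["id.resp_p"])))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = max(len({d for t, d in events[i:] if t - t0 <= window}) for i, (t0, _) in enumerate(events))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def detect_unauthorized_writes(modbus_rows) -> list[tuple[str, str, str]]:
    """Flag Modbus write function codes from any host outside the engineering allowlist."""
    return [(r["id.orig_h"], r["id.resp_h"], r["func"]) for r in modbus_rows
            if r["func"] in MODBUS_WRITE_FUNCS and r["id.orig_h"] not in ENGINEERING_HOSTS]


def run(conn_text: str, modbus_text: str) -> dict:
    return {"fanout": detect_ics_fanout(parse_zeek_tsv(conn_text)),
            "writes": detect_unauthorized_writes(parse_zeek_tsv(modbus_text))}


if __name__ == "__main__":
    print(run(build_conn_log(), MODBUS_LOG))
```

The two rules are deliberately independent: the fan-out check fires during the discovery stage before any process data is touched, while the write check fires even for a single, well-formed command from the wrong host, which is what a functional version of the malware's register-write routine would look like on the wire.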
PolySwarm supports this need by enabling organizations to submit and search artifacts across a marketplace of independent security engines. These engines analyze samples and return verdicts and associated metadata, which are aggregated into a unified PolyScore. By leveraging multiple independent detection approaches, this model can increase the likelihood of identifying malicious or anomalous artifacts, including those that may have limited coverage in traditional detection pipelines.
IOCs
PolySwarm has a sample of ZionSiphon.
07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f
Click here to view all samples of ZionSiphon in our PolySwarm portal.
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.