
ZionSiphon malware designed to sabotage water treatment systems

Published:

16 April 2026 at 22:04:53

Alert date:

16 April 2026 at 23:01:38

Source:

bleepingcomputer.com


Ransomware & Malware, Critical Infrastructure

A new malware called ZionSiphon has been discovered specifically designed for operational technology environments. The malware targets water treatment and desalination facilities with the intent to sabotage their operations. This represents a significant threat to critical infrastructure as water treatment systems are essential for public safety and health. The malware is designed to operate within industrial control systems and operational technology networks. Given the critical nature of water infrastructure, this malware poses serious risks to public utilities and communities that depend on these systems.

Technical details

ZionSiphon is operational technology malware targeting water treatment and desalination systems. It checks whether the host IP falls within Israeli ranges and verifies the presence of water/OT-related software. The malware contains a function called 'IncreaseChlorineLevel()' that appends configuration blocks intended to maximize chlorine dose and flow, with entries such as 'Chlorine_Dose=10', 'Chlorine_Pump=ON', 'Chlorine_Flow=MAX', 'Chlorine_Valve=OPEN', and 'RO_Pressure=80'. It scans for the Modbus, DNP3, and S7comm protocols, but contains only partially functional Modbus code. It features a USB propagation mechanism that copies itself to removable drives as a hidden 'svchost.exe' and creates malicious shortcuts. The sample is currently non-functional: an XOR mismatch in the country verification logic causes it to self-destruct instead of executing its payload.

Mitigation steps:

Monitor for USB propagation activity, detect unauthorized modifications to water treatment configuration files, implement network monitoring for industrial protocol scanning (Modbus, DNP3, S7comm), watch for suspicious svchost.exe processes on removable drives, and implement proper air-gapping controls for critical infrastructure systems.
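As an added illustration of the configuration-file check in the mitigation steps (example code, not from the advisory or the referenced report): a Python script that compares a water-treatment configuration file against a known-good baseline and flags appended or changed entries, marking those that match the key/value pairs reported above. The baseline and tampered files are constructed samples, and the key=value file format is an assumption.

```python
import re

# Key/value pairs the advisory reports for the malware's
# 'IncreaseChlorineLevel()' routine (taken from the text above).
ZIONSIPHON_CONFIG_IOCS = {
    "Chlorine_Dose": "10", "Chlorine_Pump": "ON", "Chlorine_Flow": "MAX",
    "Chlorine_Valve": "OPEN", "RO_Pressure": "80",
}
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_kv(text):
    """Return (line_no, key, value) for every key=value line, in file order.
    Every occurrence is kept: an appended block re-defines keys set earlier."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KV_RE.match(line)
        if m and not line.lstrip().startswith(("#", ";")):  # skip comments
            entries.append((line_no, m.group(1), m.group(2)))
    return entries


def check_config(baseline_text, current_text):
    """Compare a known-good baseline with the current file and return findings as
    (line_no, key, value, reason, matches_zionsiphon_ioc)."""
    baseline = {k: v for _, k, v in parse_kv(baseline_text)}
    findings, seen = [], set()
    for line_no, key, value in parse_kv(current_text):
        ioc = ZIONSIPHON_CONFIG_IOCS.get(key) == value
        if key in seen:
            reason = "duplicate key overrides earlier value"
        elif key not in baseline:
            reason = "key not present in baseline"
        elif baseline[key] != value:
            reason = "value differs from baseline"
        else:
            reason = None
        if reason:
            findings.append((line_no, key, value, reason, ioc))
        seen.add(key)
    return findings


# Constructed sample: a small baseline, then the same file with an appended
# override block of the kind the advisory describes.
BASELINE = "Plant=demo\nChlorine_Dose=2\nChlorine_Pump=AUTO\nRO_Pressure=55\n"
TAMPERED = BASELINE + ("Chlorine_Dose=10\nChlorine_Pump=ON\nChlorine_Flow=MAX\n"
                       "Chlorine_Valve=OPEN\nRO_Pressure=80\n")

for line_no, key, value, reason, ioc in check_config(BASELINE, TAMPERED):
    print(f"line {line_no}: {key}={value} ({reason}){' [ZionSiphon IOC]' if ioc else ''}")
```

Running it against the constructed sample reports all five appended lines, each tagged as matching the reported indicators; a single legitimate value change is reported without the tag.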

Affected products:

Water treatment systems
Desalination systems
Industrial Control Systems (ICS)
Reverse osmosis systems
Chlorine control systems

IOCs:

svchost.exe (hidden process on removable drives), Malicious shortcut files on USB drives, Configuration file modifications with chlorine control parameters, Scanning for Modbus, DNP3, and S7comm protocols

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
