ZionSiphon Malware Targets Water Infrastructure Systems

By Team-CWD, April 20, 2026

A newly identified malware strain designed to interact with operational technology (OT) systems has been analyzed by security researchers, revealing capabilities aimed at water treatment and desalination infrastructure.

The malware, named ZionSiphon and discovered by Darktrace, combines traditional endpoint compromise techniques with functions tailored to industrial control systems (ICS).

In an advisory published last week, the researchers found that the malware includes privilege escalation, persistence mechanisms and USB-based propagation. Its targeting logic closely aligns with the water sector.

The analyzed sample contains hardcoded references to infrastructure components such as desalination plants and wastewater systems, alongside checks for software linked to reverse osmosis and chlorine control. These indicators suggest the malware is designed to activate only when both geographic and environmental conditions are met.

In addition to system checks, the malware embeds politically charged messages and restricts execution to IP ranges associated with Israel. While the embedded messages themselves do not influence execution, they provide insight into the likely motivations behind the campaign.

Sabotage Functions and ICS Network Scanning

Once deployed in a qualifying environment, the malware attempts to manipulate local configuration files tied to industrial processes. It appends predefined values related to chlorine dosing and system pressure, which could disrupt water treatment operations if successfully applied.

The code also includes a network discovery routine that scans local subnets for ICS devices. It probes common industrial protocols, including Modbus, DNP3 and S7comm, attempting to identify responsive systems and classify them for further interaction.

Read more on OT cyber threats: Significant Rise in Ransomware Attacks Targeting Industrial Operations

Darktrace observed that the Modbus-related functionality is the most developed, allowing the malware to read and potentially modify register values. However, implementations for DNP3 and S7comm appear incomplete, suggesting partial development or testing stages.

Key capabilities identified include:

  • Subnet-wide scanning for ICS devices using common OT protocols

  • Attempts to modify chlorine dosing and pressure parameters

  • Propagation via removable media using disguised executables

  • Persistence through registry modifications and hidden file placement
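The subnet sweep over Modbus, DNP3 and S7comm and the Modbus register writes described above are the behaviours a network defender would most want to surface. The following added example (not code from the article or from Darktrace's analysis) runs two simple detections over constructed flow records: a source touching many distinct hosts on the well-known ICS ports (502, 20000, 102) inside a short window, and Modbus write function codes issued by hosts outside an assumed engineering-workstation allow-list. The log format, IP addresses and thresholds are invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm"}  # well-known ports
MODBUS_WRITE_FCS = {5, 6, 15, 16}  # standard Modbus write function codes

# Constructed flow records: "<ISO time> <src> <dst> <dport> [fc=<modbus function code>]"
SAMPLE_LOG = """\
2026-04-20T10:00:01 10.10.5.23 10.10.5.10 502 fc=3
2026-04-20T10:00:01 10.10.5.23 10.10.5.11 502 fc=3
2026-04-20T10:00:02 10.10.5.23 10.10.5.12 20000
2026-04-20T10:00:02 10.10.5.23 10.10.5.13 102
2026-04-20T10:00:03 10.10.5.23 10.10.5.14 502 fc=16
2026-04-20T10:00:04 10.10.5.23 10.10.5.15 102
2026-04-20T10:05:00 10.10.5.50 10.10.5.10 502 fc=3
2026-04-20T10:06:00 10.10.5.50 10.10.5.10 502 fc=6
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)(?: fc=(\d+))?$")

def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport, modbus_fc_or_None)."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fc = int(m.group(5)) if m.group(5) else None
            flows.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4)), fc))
    return flows

def detect_ics_sweeps(flows, min_targets=5, window_s=60):
    """Map each source that touched >= min_targets distinct ICS-port hosts within window_s seconds to that count."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port in ICS_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                alerts[src] = len(targets)
                break
    return alerts

def detect_modbus_writes(flows, engineering_hosts=frozenset()):
    """Return (src, dst, fc) for Modbus write function codes from hosts not on the write allow-list."""
    return [(src, dst, fc) for _, src, dst, port, fc in flows
            if port == 502 and fc in MODBUS_WRITE_FCS and src not in engineering_hosts]
```

On the constructed input, the sweep detector flags 10.10.5.23 (six ICS hosts in four seconds) while the single engineering write from 10.10.5.50 is suppressed once that host is on the allow-list.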

Despite these features, the analyzed sample contains a flaw in its country validation logic, preventing it from correctly identifying intended targets. As a result, the malware may fail to activate its payload and instead trigger a self-deletion routine.

Indicators of Early-Stage OT Malware Development

The incomplete elements within ZionSiphon point to a tool still under development or not fully operational at the time of analysis. Errors in execution logic and partially implemented protocol support limit its immediate effectiveness.

Even so, the structure of the malware reflects a growing interest among threat actors in developing tools capable of interacting directly with industrial processes.

Its combination of IT-based infection methods and OT-specific targeting illustrates an evolving approach to critical infrastructure attacks.

While this version may not pose an immediate operational threat, it demonstrates how adversaries are experimenting with techniques that could, in more mature forms, disrupt physical systems and essential services.
