OT-Focused Malware Highlights Emerging Risk to Water Infrastructure Systems
April 28, 2026, 2:05 p.m.
Description
ZionSiphon is operational technology-focused malware targeting water treatment and desalination facilities in Israel. The sample demonstrates ICS-awareness through industrial protocol interaction capabilities including Modbus, with incomplete support for DNP3 and S7comm. It incorporates geographic and environmental validation controls designed to restrict execution to Israeli water infrastructure systems. The malware attempts persistence through registry autorun entries, privilege escalation, and removable media propagation. Functionality includes network discovery of industrial devices, process manipulation targeting chlorine dosing and flow control, and configuration file modification. A critical validation flaw prevents successful execution, suggesting the analyzed sample represents incomplete development or testing. Embedded pro-Iran and anti-Israel messaging indicates politically motivated intent, though no specific threat actor attribution exists.
Date
- Created: April 28, 2026, 8:11 a.m.
- Published: April 28, 2026, 8:11 a.m.
- Modified: April 28, 2026, 2:05 p.m.
Indicators
- 07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f
Additional Information
- Israel