ZionSiphon Malware Analysis: A Developer Build Targeting Israeli Water Infrastructure

Hackers are currently experimenting with a new form of malware, designated as “ZionSiphon”, which is specifically engineered to compromise Israeli desalination and water treatment facilities. However, the current sample under analysis represents a developmental or faulty build rather than a fully operational weapon. The malware demonstrates a clear ideological motivation, although it lacks the sophistication to be considered a mature threat.

Geographic Targeting and Obfuscation Techniques

The binary performs IP range validation by checking for IPv4 addresses within specific subnets, including:

  • 2.52.0.0 – 2.55.255.255
  • 79.176.0.0 – 79.191.255.255
  • 212.150.0.0 – 212.150.255.255

All these IP ranges are geolocated to Israeli network infrastructure, suggesting an explicit targeting mechanism designed to restrict execution to hosts located within Israel.

The malware obfuscates the IP ranges by encoding them in Base64 (Source : Darktrace).
The malware obfuscates the IP ranges by encoding them in Base64 (Source : Darktrace).

Additionally, the malware embeds Base64-encoded strings that contain ideological messaging, referencing support for Iran, Palestine, and Yemen “against Zionist aggression” and expressing a desire to “poison the population of Tel Aviv and Haifa.” This strongly indicates that the actor is ideologically driven rather than financially motivated.

Desalination-Themed Target Discovery

ZionSiphon’s targeting logic extends beyond simple geographic checks, incorporating environment-specific verification to ensure that the target system is part of an industrial control environment related to water treatment and desalination. The malware includes a function named IsDamDesalinationPlant(), which scans running processes for terms such as:

  • DesalPLC
  • ReverseOsmosis
  • ChlorineCtrl
  • WaterPLC
  • SeaWaterRO

These are standard terms used in industrial control systems managing reverse osmosis and chlorine dosing processes. Furthermore, it searches for specific directories and configuration files such as:

  • C:\Program Files\Desalination
  • C:\Program Files\Water Treatment
  • C:\ROConfig.ini
  • C:\ChlorineControl.dat
  • C:\SalinityControl.ini

This granular targeting ensures that execution occurs only on systems that manage desalination or water treatment operations. The internal target list also references Israel’s national water infrastructure, including:

  • Mekorot (Israel’s national water company)
  • Sorek, Hadera, Ashdod, Palmachim desalination plants
  • Shafdan wastewater facility

The malware also references Israeli city Dimona and uses the handle “0xICS”, indicating clear intentions to target Operational Technology (OT) environments with anti-Israel messaging.

Malware Behavior: Persistence and Propagation

From an IT perspective, ZionSiphon operates like a typical Windows malware loader. It includes a function RunAsAdmin() that checks for administrative privileges. If not running as admin, it relaunches itself via PowerShell using:

Start-Process -Verb RunAs

Persistence is achieved through a stealthy user-level autorun entry located under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The malware copies itself into a hidden directory under %LOCALAPPDATA% with the filename svchost.exe and registers a startup entry named SystemHealthCheck.

To propagate across isolated OT segments, the malware implements a removable-media exploitation technique. It copies itself to USB drives as a hidden file named svchost.exe and replaces visible files with .lnk shortcuts, which silently execute the malware when clicked.

The “IsElevated” function as seen in the sample (Source : Darktrace).
The “IsElevated” function as seen in the sample (Source : Darktrace).

OT Scanning and Sabotage Mechanisms

If a system passes initial geolocation and environment checks, ZionSiphon attempts to manipulate configuration files associated with chlorine dosage and reverse osmosis pressure. The function IncreaseChlorineLevel() appends fixed parameters such as:

  • Chlorine_Dose=10
  • Chlorine_Pump=ON
  • Chlorine_Flow=MAX
  • Chlorine_Valve=OPEN
  • RO_Pressure=80

These values could lead to unsafe operating conditions in a desalination system if consumed by industrial controllers. If no suitable configuration files are detected, the malware proceeds to network-based discovery.

It performs subnet scanning on the local /24 network, probing TCP ports 502 (Modbus), 20000 (DNP3), and 102 (S7comm). Devices responding with expected protocols are categorized as ICS endpoints, and protocol-specific checks are performed to determine whether they contain configurable parameters such as chlorine dose or turbine control registers.

For example, the Modbus protocol is probed using:

  • Read Holding Registers (Function 3) to read registers 1–10
  • Write Single Register (Function 6) to force values like Chlorine_Dose = 100 or Other_Parameters = 0

Despite this complex targeting and manipulation framework, the current sample contains several critical flaws that prevent actual sabotage:

  • The country validation function IsTargetCountry() is broken due to incorrect encoding logic.
  • The malware hardcodes an encryption string Nqvbdk, but compares it against the result of a flawed XOR encryption of the string Israel using a key of 5 — a mismatch that always fails the validation.
The “EncryptDecrypt” function (Source : Darktrace).
The “EncryptDecrypt” function (Source : Darktrace).

When validation fails, the malware invokes a SelfDestruct() routine that removes persistence mechanisms and deletes the executable through a batch script that repeatedly attempts deletion.

Further inspection reveals that the DNP3 and S7comm protocol handling modules appear to be stubs or incomplete implementations, containing only short byte sequences without valid protocol frames or operations.

Darktrace analysts conclude that the current ZionSiphon sample is not a fully functional attack tool but a developmental or defanged prototype. Nonetheless, it serves as a strong indicator of future offensive intent, revealing a clearly defined roadmap for:

  • Multi-protocol ICS manipulation capabilities
  • Ideologically motivated sabotage of Israeli desalination infrastructure
  • Stealthy persistence mechanisms within OT networks

This threat underscores the growing concern around targeted OT attacks and the increasing sophistication of politically motivated cyber threats affecting critical infrastructure in regions like the Middle East.

Related Articles

Back to top button