ZionSiphon Malware Analysis: A Developer Build Targeting Israeli Water Infrastructure
Hackers are currently experimenting with a new form of malware, designated as “ZionSiphon”, which is specifically engineered to compromise Israeli desalination and water treatment facilities. However, the current sample under analysis represents a developmental or faulty build rather than a fully operational weapon. The malware demonstrates a clear ideological motivation, although it lacks the sophistication to be considered a mature threat.
Geographic Targeting and Obfuscation Techniques
The binary performs IP range validation by checking for IPv4 addresses within specific subnets, including:
2.52.0.0 – 2.55.255.25579.176.0.0 – 79.191.255.255212.150.0.0 – 212.150.255.255
All these IP ranges are geolocated to Israeli network infrastructure, suggesting an explicit targeting mechanism designed to restrict execution to hosts located within Israel.

Additionally, the malware embeds Base64-encoded strings that contain ideological messaging, referencing support for Iran, Palestine, and Yemen “against Zionist aggression” and expressing a desire to “poison the population of Tel Aviv and Haifa.” This strongly indicates that the actor is ideologically driven rather than financially motivated.
Desalination-Themed Target Discovery
ZionSiphon’s targeting logic extends beyond simple geographic checks, incorporating environment-specific verification to ensure that the target system is part of an industrial control environment related to water treatment and desalination. The malware includes a function named IsDamDesalinationPlant(), which scans running processes for terms such as:
DesalPLCReverseOsmosisChlorineCtrlWaterPLCSeaWaterRO
These are standard terms used in industrial control systems managing reverse osmosis and chlorine dosing processes. Furthermore, it searches for specific directories and configuration files such as:
C:\Program Files\DesalinationC:\Program Files\Water TreatmentC:\ROConfig.iniC:\ChlorineControl.datC:\SalinityControl.ini
This granular targeting ensures that execution occurs only on systems that manage desalination or water treatment operations. The internal target list also references Israel’s national water infrastructure, including:
- Mekorot (Israel’s national water company)
- Sorek, Hadera, Ashdod, Palmachim desalination plants
- Shafdan wastewater facility
The malware also references Israeli city Dimona and uses the handle “0xICS”, indicating clear intentions to target Operational Technology (OT) environments with anti-Israel messaging.
Malware Behavior: Persistence and Propagation
From an IT perspective, ZionSiphon operates like a typical Windows malware loader. It includes a function RunAsAdmin() that checks for administrative privileges. If not running as admin, it relaunches itself via PowerShell using:
Start-Process -Verb RunAs
Persistence is achieved through a stealthy user-level autorun entry located under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The malware copies itself into a hidden directory under %LOCALAPPDATA% with the filename svchost.exe and registers a startup entry named SystemHealthCheck.
To propagate across isolated OT segments, the malware implements a removable-media exploitation technique. It copies itself to USB drives as a hidden file named svchost.exe and replaces visible files with .lnk shortcuts, which silently execute the malware when clicked.

OT Scanning and Sabotage Mechanisms
If a system passes initial geolocation and environment checks, ZionSiphon attempts to manipulate configuration files associated with chlorine dosage and reverse osmosis pressure. The function IncreaseChlorineLevel() appends fixed parameters such as:
Chlorine_Dose=10Chlorine_Pump=ONChlorine_Flow=MAXChlorine_Valve=OPENRO_Pressure=80
These values could lead to unsafe operating conditions in a desalination system if consumed by industrial controllers. If no suitable configuration files are detected, the malware proceeds to network-based discovery.
It performs subnet scanning on the local /24 network, probing TCP ports 502 (Modbus), 20000 (DNP3), and 102 (S7comm). Devices responding with expected protocols are categorized as ICS endpoints, and protocol-specific checks are performed to determine whether they contain configurable parameters such as chlorine dose or turbine control registers.
For example, the Modbus protocol is probed using:
Read Holding Registers (Function 3)to read registers 1–10- Write Single Register (Function 6) to force values like
Chlorine_Dose = 100orOther_Parameters = 0
Despite this complex targeting and manipulation framework, the current sample contains several critical flaws that prevent actual sabotage:
- The country validation function
IsTargetCountry()is broken due to incorrect encoding logic. - The malware hardcodes an encryption string
Nqvbdk, but compares it against the result of a flawed XOR encryption of the stringIsraelusing a key of 5 — a mismatch that always fails the validation.

When validation fails, the malware invokes a SelfDestruct() routine that removes persistence mechanisms and deletes the executable through a batch script that repeatedly attempts deletion.
Further inspection reveals that the DNP3 and S7comm protocol handling modules appear to be stubs or incomplete implementations, containing only short byte sequences without valid protocol frames or operations.
Darktrace analysts conclude that the current ZionSiphon sample is not a fully functional attack tool but a developmental or defanged prototype. Nonetheless, it serves as a strong indicator of future offensive intent, revealing a clearly defined roadmap for:
- Multi-protocol ICS manipulation capabilities
- Ideologically motivated sabotage of Israeli desalination infrastructure
- Stealthy persistence mechanisms within OT networks
This threat underscores the growing concern around targeted OT attacks and the increasing sophistication of politically motivated cyber threats affecting critical infrastructure in regions like the Middle East.