You know that feeling when you read about a new malware, and your stomach drops? This is one of those moments.

Security researchers have uncovered a new strain of malware called ZionSiphon. It's not your average ransomware or info‑stealer. This one is specifically designed to sabotage water treatment and desalination plants – the kind of facilities that keep drinking water safe and flowing to millions of people.

The malware can manipulate chlorine levels and hydraulic pressure, potentially causing equipment damage or public health risks. While the current sample is non‑functional due to a coding error, its architecture provides a chilling blueprint for future attacks.

What is ZionSiphon?

Darktrace, an AI‑powered cybersecurity company, recently analyzed a malware sample that identifies itself as ZionSiphon. The malware combines several familiar host‑based capabilities – privilege escalation, persistence, and USB propagation – with targeting logic specifically themed around water treatment and desalination environments.

What makes ZionSiphon different is its intent. This isn't about stealing data or demanding ransom. This is about causing physical harm. The malware is designed to:

As Darktrace's VP of Security & AI Strategy, Nathaniel Jones, noted: "ZionSiphon shows a shift in the OT threat landscape: malware capable of targeting industrial processes is no longer exclusive to highly resourced nation‑state programs like Stuxnet or Industroyer."

How It Works (The Technical Side)

ZionSiphon's code reveals several alarming capabilities, even if some aren't fully implemented yet.

Targeted Environmental Checks

Before executing any payload, the malware checks whether it's running in the right environment. It scans the host's IP address against hardcoded Israeli ranges – including 2.52.0.0-2.55.255.255, 79.176.0.0-79.191.255.255, and 212.150.0.0-212.150.255.255. It also looks for water‑related software and configuration files to ensure it's inside a water treatment or desalination facility.

This level of targeting suggests the attacker wants to avoid collateral damage and focus specifically on Israeli water infrastructure.
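The range check described above is easy to reproduce, and reproducing it is useful for defenders: it tells you whether a given host would pass the malware's gate, and it turns the quoted start‑end pairs into CIDR blocks you can drop into firewall or IDS rules. The following Python is an added example written for this article, not ZionSiphon's code; only the three ranges come from the analysis, everything else (function names, the sample addresses) is constructed.

```python
"""Host-IP targeting check of the kind described in the article.
Added example; not ZionSiphon's code. Only the three ranges are from the
analysis; the helper names and sample addresses are constructed."""
import ipaddress
import socket

# The three hardcoded start-end ranges reported in the analysis.
TARGET_RANGES = [
    "2.52.0.0-2.55.255.255",
    "79.176.0.0-79.191.255.255",
    "212.150.0.0-212.150.255.255",
]


def ranges_to_networks(ranges):
    """Expand 'start-end' strings into the minimal list of CIDR networks.
    The CIDR form is what firewall and Suricata rules expect."""
    networks = []
    for r in ranges:
        start, end = (ipaddress.ip_address(p.strip()) for p in r.split("-"))
        networks.extend(ipaddress.summarize_address_range(start, end))
    return networks


TARGET_NETWORKS = ranges_to_networks(TARGET_RANGES)


def in_target_ranges(ip, networks=TARGET_NETWORKS):
    """True if the address falls inside any configured range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def matching_local_addresses(networks=TARGET_NETWORKS):
    """Return this host's resolvable IPv4 addresses that fall in the ranges.
    RFC 1918 addresses can never match, so a host behind NAT slips through a
    check like this unless the malware also looks at the public edge address.
    Name resolution may fail in isolated environments; treat that as 'none'."""
    try:
        _, _, addrs = socket.gethostbyname_ex(socket.gethostname())
    except OSError:
        return []
    return [a for a in addrs if in_target_ranges(a, networks)]


if __name__ == "__main__":
    print([str(n) for n in TARGET_NETWORKS])
    print("local matches:", matching_local_addresses())
```

Run it on a workstation to see whether that machine's own addresses would satisfy the gate; the CIDR list it prints is the reusable artefact.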

The Chlorine Sabotage Function

The most alarming function is named IncreaseChlorineLevel(). When triggered, it appends malicious instructions to existing configuration files. Here is what the attacker‑intended configuration looks like:

⚠️ MALICIOUS EXAMPLE – DO NOT EXECUTE ⚠️
Chlorine_Dose=10
Chlorine_Pump=ON
Chlorine_Flow=MAX
Chlorine_Valve=OPEN
RO_Pressure=80
Example of attacker‑intended configuration – not a functional script. Provided for educational analysis only.

These settings would push chlorine dosing as high as the plant's mechanical systems allow – potentially making water unsafe for consumption and damaging equipment. Whether any real dosing controller would honour key/value lines appended to a text file is not something the sample demonstrates; the effect depends entirely on the targeted software reading that file and letting the last value written win.
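Because the sabotage technique is "append lines to an existing file", the corresponding defensive check is a setpoint-level integrity diff rather than a plain hash comparison: a hash tells you the file changed, a diff tells you which setpoints now differ and whether the change arrived as appended overrides. The Python below is an added example for this article, not the malware's code or any vendor's tooling; it assumes a simple `Key=Value` file like the fragment quoted above, and both the baseline and the tampered copy are constructed samples.

```python
"""Setpoint integrity diff for a Key=Value configuration file.
Added example; not ZionSiphon's code. Both samples are constructed."""

# Constructed baseline: the file before tampering.
BASELINE = """\
# chlorination setpoints (constructed sample)
Chlorine_Dose=2
Chlorine_Pump=ON
Chlorine_Flow=NORMAL
RO_Pressure=55
"""

# Constructed tampered copy: the article's attacker-intended lines appended.
TAMPERED = BASELINE + """\
Chlorine_Dose=10
Chlorine_Pump=ON
Chlorine_Flow=MAX
Chlorine_Valve=OPEN
RO_Pressure=80
"""


def parse_config(text):
    """Return (effective values, duplicate keys). Last value wins, which is
    exactly why appending to the file can silently override a setpoint."""
    effective, seen, duplicates = {}, set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in seen:
            duplicates.append(key)
        seen.add(key)
        effective[key] = value
    return effective, duplicates


def diff_setpoints(baseline_text, current_text):
    """Compare effective setpoints: changed, added and removed keys, plus any
    key that appears more than once in the current file."""
    base, _ = parse_config(baseline_text)
    cur, duplicates = parse_config(current_text)
    changed = {k: (base[k], cur[k]) for k in base if k in cur and base[k] != cur[k]}
    added = {k: v for k, v in cur.items() if k not in base}
    removed = [k for k in base if k not in cur]
    return {"changed": changed, "added": added,
            "removed": removed, "duplicates": duplicates}


def tamper_indicators(report):
    """Turn a diff report into alert-worthy findings, one string each."""
    findings = [f"{k} changed {old} -> {new}"
                for k, (old, new) in report["changed"].items()]
    findings += [f"new key {k}={v}" for k, v in report["added"].items()]
    findings += [f"removed key {k}" for k in report["removed"]]
    if report["duplicates"]:
        findings.append("duplicate keys (appended overrides): "
                        + ", ".join(report["duplicates"]))
    return findings


if __name__ == "__main__":
    for finding in tamper_indicators(diff_setpoints(BASELINE, TAMPERED)):
        print(finding)
```

In production the baseline would come from a signed golden copy or a version-controlled export, and the check would run on a schedule from a host the engineering workstation cannot write to; the duplicate-key finding is the one that most directly matches the "append, don't edit" behaviour the article describes.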

ICS Protocol Scanning

ZionSiphon also scans local subnets for industrial control protocols, including Modbus, DNP3, and S7comm – the backbone of global industrial infrastructure. While only Modbus has partially functional code, the inclusion of these protocols shows clear intent to interact directly with programmable logic controllers (PLCs).
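A Modbus scanner is simpler than it sounds: Modbus/TCP has no authentication, so a probe is just a seven‑byte MBAP header and a short PDU sent to port 502, and any well‑formed reply, including an exception, confirms that a Modbus device is listening. The Python below is an added example for this article, not ZionSiphon's code; it builds the request a scanner sends, the two kinds of answer a PLC gives, and a parser a detection engineer can reuse on captured payloads. Register addresses and values are constructed.

```python
"""Modbus/TCP Read Holding Registers (function 0x03): request, response,
exception response and a parser. Added example; not ZionSiphon's code.
Addresses and register values are constructed."""
import struct

MODBUS_TCP_PORT = 502
READ_HOLDING_REGISTERS = 0x03
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}  # coils, discrete inputs, holding, input regs


def _frame(tx_id, unit_id, pdu):
    """MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_request(tx_id, unit_id, start_addr, count):
    """What a scanner (or an HMI) sends: function, start address, register count."""
    return _frame(tx_id, unit_id, struct.pack(">BHH", READ_HOLDING_REGISTERS, start_addr, count))


def build_read_response(tx_id, unit_id, registers):
    """What a PLC answers: function, byte count, 16-bit big-endian values."""
    pdu = struct.pack(">BB", READ_HOLDING_REGISTERS, 2 * len(registers))
    pdu += b"".join(struct.pack(">H", r) for r in registers)
    return _frame(tx_id, unit_id, pdu)


def build_exception_response(tx_id, unit_id, function, exception_code):
    """Error reply: function code with the high bit set, then the exception code
    (e.g. 0x02 = illegal data address). Still proves a Modbus stack is present."""
    return _frame(tx_id, unit_id, struct.pack(">BB", function | 0x80, exception_code))


def parse_response(frame):
    """Parse a PLC reply into a dict with either 'registers' or 'exception'."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tx_id, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    func = frame[7]
    if func & 0x80:
        return {"tx_id": tx_id, "unit_id": unit_id, "exception": frame[8]}
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("bad byte count")
    regs = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return {"tx_id": tx_id, "unit_id": unit_id, "registers": regs}


def is_modbus_read_request(payload):
    """Detection helper: does a TCP payload look like a Modbus read probe?
    Checks header consistency and that the function is a read, which is what a
    scanner uses because reads are least likely to disturb the process."""
    if len(payload) < 12:
        return False
    _, proto, length, _ = struct.unpack(">HHHB", payload[:7])
    return proto == 0 and length == len(payload) - 6 and payload[7] in READ_FUNCTIONS


if __name__ == "__main__":
    req = build_read_request(1, 1, 0, 2)
    print("probe  :", req.hex())
    print("reply  :", parse_response(build_read_response(1, 1, [0x0102, 0x0304])))
    print("error  :", parse_response(build_exception_response(1, 1, READ_HOLDING_REGISTERS, 0x02)))
```

The defensive takeaway is in `is_modbus_read_request`: a workstation that suddenly emits read probes to many addresses on port 502 is scanning, and that is visible on a span port whether or not the scanner's own code is finished.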

USB Propagation for Air‑Gapped Systems

Like Stuxnet before it, ZionSiphon includes USB propagation mechanisms. It copies itself to removable drives as a hidden file named svchost.exe (borrowing the name of a legitimate Windows service host binary) and creates malicious shortcut files that launch it. This is crucial for reaching air‑gapped systems – those not connected to the internet – which are common in critical infrastructure environments.

As Darktrace notes, "USB propagation is key in critical infrastructure systems, where computers that manage security‑critical functions are often 'air‑gapped,' meaning they are not directly connected to the internet."

The One Thing Saving Us (For Now)

Here's the good news: ZionSiphon doesn't actually work. Not yet, anyway.

Darktrace discovered a critical flaw in the malware's XOR‑based encoding logic – a key mismatch in the country verification mechanism. Instead of executing its payload, the broken validation triggers a self‑destruct sequence, rendering the malware harmless in its current form.

But here's the bad news: all it takes to unlock ZionSiphon's destructive potential is fixing that minor verification error. One small code change, and this blueprint becomes a weapon.

As one researcher put it, "While ZionSiphon isn't operational in its current version, its intent and potential for damage are concerning, and all that's needed to unlock both is to fix a minor verification error."

Political Motivations: The Ideological Driver

The malware's political messaging leaves little doubt about its intended target and motivation.

Embedded in the binary are two Base64‑encoded strings. The first decodes to: "In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression. I am '0xICS'."

The second is even more chilling: "Poisoning the population of Tel Aviv and Haifa."

The malware also includes hardcoded references to Israeli water infrastructure components – Mekorot (Israel's national water company), Sorek, Hadera, Ashdod, Palmachim, and Shafdan. Sorek, Hadera, Ashdod, and Palmachim are four of Israel's five major seawater desalination plants.

While these strings don't serve any operational purpose, they offer a clear indication of the attacker's motivations. This isn't financially motivated crime – this is ideologically driven sabotage.

This follows a pattern of escalating cyber skirmishes between Iran and Israel. In April 2026, an Iran‑based hacking group attempted to breach an Israeli water supply system, intending to raise chlorine levels. Israeli water installations faced minor disruptions between April 24 and 25, according to the Ynet news service.

Why This Matters Beyond Israel

ZionSiphon specifically targets Israeli infrastructure, but the implications are global. The protocols it scans – Modbus, DNP3, and S7comm – are the backbone of industrial control systems worldwide. A tool developed for one region can be easily adapted for another.

As Darktrace's Nathaniel Jones warned: "This shows that OT attack concepts are now within reach of much smaller threat actors and hacktivists. ZionSiphon is an example of how ideologically motivated actors with relatively modest resources are beginning to experiment with direct interaction with industrial systems."

According to a recent Securin Cyber Threat Intelligence Report, the water sector has shifted from a "soft target to an active battlefield." The report identified 1,807 vulnerabilities affecting water and wastewater systems, with a 15% year‑over‑year growth in CVEs – many linked to nation‑state actors and ransomware operations.

And it's not just Israel. In early April 2026, CISA issued an urgent advisory warning that Iranian‑affiliated APT actors are actively exploiting internet‑facing programmable logic controllers (PLCs) across US critical infrastructure sectors, including water, energy, and government services. These actors have caused operational disruptions and financial losses through malicious interactions with PLCs and manipulation of SCADA displays.

If you're responsible for OT security anywhere in the world, ZionSiphon is a wake‑up call. The attackers are experimenting. They're learning. And eventually, they'll get it right.

What You Can Do Right Now

ZionSiphon isn't functional yet, but that's no excuse to wait. Here's what OT security teams and critical infrastructure operators should do immediately.

🔴 Immediate Actions (Today)

🟠 This Week

🟢 Long‑Term

The Bottom Line

ZionSiphon is a warning shot. It's not fully functional, but it reveals where attackers are heading. The convergence of IT and OT networks, combined with increasing geopolitical tensions, means that attacks on critical infrastructure are no longer theoretical – they're being actively developed.

Don't wait for the next version that actually works. Review your OT security posture today. Test your offline backups. Segment your networks. And for goodness' sake, change those default passwords.

Stay vigilant. And maybe keep a manual override handy.

Written by: ThreatAft Security Team – Specialising in OT/ICS threat intelligence and critical infrastructure security.