ZionSiphon: the threat to water infrastructure that could sabotage the water you consume


In recent weeks, the security community has raised the alarm after discovering a malware family whose design, and the conditions it requires before activating, appear specifically aimed at a single country's water infrastructure. The firm that named it ZionSiphon found that the code seeks persistence on compromised machines, manipulates local configuration files and scans the local network for industrial services and equipment, a pattern that places it squarely among threats to operational technology (OT).

According to public records and the metadata shared on sample-analysis platforms, the first instance of this binary appeared on VirusTotal in late June 2025, shortly after a regional war episode. Researchers stress that the malware is not a generic weapon: it contains geographic checks based on IPv4 ranges assigned to Israel, and it also inspects specific elements of the environment to ensure that the malicious payload only runs in water treatment and desalination facilities. That double filter, location and operating context, is what makes ZionSiphon more than just a Trojan: it is a tool built to attack one specific critical infrastructure. For queries on the sample and its history, the community typically uses repositories such as VirusTotal, while the company that brought the case to light, Darktrace, offers more context on its corporate website.


From a technical point of view, ZionSiphon integrates several modules: privilege escalation, persistence mechanisms, the ability to spread via removable media, and functions to probe and communicate over protocols common in industrial environments such as Modbus, DNP3 and S7comm. In particular, the analysis indicates that the Modbus-oriented component is the most advanced, while the DNP3 and S7comm implementations are still immature. That matters because Modbus/TCP carries no authentication or integrity protection: once an attacker can reach a PLC's Modbus port, a write request it sends is indistinguishable on the wire from one issued by an operator's HMI. Its sabotage action, according to the analysis, targets specific parameters such as chlorine dosing and pressure-related variables, that is, settings which in the real world could degrade drinking-water treatment or desalination processes. To understand the importance and peculiarities of these protocols in industrial environments, see the documentation and alerts published by the US agency responsible for industrial cybersecurity: CISA - Industrial Control Systems.

Another striking feature is the embedding of political messages in the binary and the self-destruct logic: if the compromised host does not meet the country or operational-environment conditions, the code runs a routine that deletes itself. This behaviour may indicate that the developers sought to minimise noise and detection outside the intended target, or that this is an incomplete or deliberately disabled version, kept out of others' hands during a test phase. For analysts the practical consequence is that a sandbox which does not present an Israeli address and a water-plant-like environment will only ever observe the clean-up routine, never the payload. The presence of specific strings and checks suggests an actor experimenting with multi-protocol manipulation of OT environments and with legacy propagation vectors such as USB devices.

The appearance of ZionSiphon does not come in isolation. In parallel, security vendors have published research on other tools that reflect worrying trends in attackers' repertoires: a Node.js-based implant detected by Blackpoint Cyber works as a reverse tunnel over WebSockets, turning a compromised machine into a relay from which to pivot internally without needing any inbound listener; its design aims to mimic legitimate traffic and maintain low-profile persistence. The company that reported the implant offers technical details on its blog, useful for understanding how attackers use seemingly benign technologies to cross perimeters: Blackpoint Cyber - blog.

In addition, the industry has seen sophisticated backdoors that use embedded virtual machines to hide their logic and hinder forensic analysis. A recent example described by researchers at a large cybersecurity firm explains a three-stage scheme: a loader that installs itself as a legitimate Windows component, a routine that decrypts its configuration from the registry, and a virtual-machine engine that interprets a bytecode blob to assemble the real payload, which then communicates with remote servers in an apparently harmless way. This kind of technique raises the bar: it is no longer enough to detect suspicious binaries, because the malicious code can reside inside layers that look harmless and behave polymorphically. Information on this research and the context of the threat is usually published on the companies' own channels, such as the research section of Gen Digital.


What do these findings tell us about the threat to critical infrastructure? First, that political or geostrategic actors are investing in tools that combine OT network reconnaissance, manipulation of industrial parameters and infiltration mechanisms that respect geographic or environmental boundaries. Second, that the techniques in use today, reverse tunnelling over web protocols, embedded virtual machines, propagation via removable media, are inherited from earlier campaigns but adapted and combined in new ways. The result is a picture in which treatment and desalination plants, which often run on old equipment and prioritise availability over security, become both critical and vulnerable. For historical context on attacks against industrial infrastructure, see analyses of landmark incidents such as Stuxnet, which illustrate how physical damage can become a malware objective: Symantec - Stuxnet.

In operational practice, countermeasures are not trivial, but there are measures that significantly reduce risk: segmentation of OT networks with a clear separation between corporate and control environments; strict control of removable media and policies governing their use; continuous monitoring of industrial protocols and of changes to critical parameters, so that a setpoint write from an unexpected host or outside engineering limits is noticed before the process drifts; and collaboration between operators, regulators and the threat-intelligence community to share indicators and techniques. Cyberdefence of critical infrastructure requires both sound technical practice and dedicated organisational will and resources. Guides and recommendations from agencies such as CISA are a useful reference for operators and security officers.
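As an added illustration of the monitoring measure above, and of the Modbus setpoint writes described earlier in the article, the following Python script is an example written for this page; it is not code from the article, from Darktrace or from any other vendor's analysis. It parses Modbus/TCP request frames, extracts holding-register writes (function codes 0x06 and 0x10) and reports any write that comes from a host outside an assumed HMI subnet or that sets an assumed chlorine-dose or discharge-pressure setpoint outside its engineering limits. The register map, the 10.20.1.0/24 subnet, the value ranges and the sample frames are all constructed assumptions for the example, not details of any real plant or of ZionSiphon.

```python
"""Added example: flag Modbus/TCP register writes to safety-critical setpoints.

Assumptions (not from the article): a PLC whose holding registers 0 and 1 hold
a chlorine-dose setpoint and a discharge-pressure setpoint, and an HMI subnet
10.20.1.0/24 that is the only legitimate source of writes.
"""
import struct
from ipaddress import ip_address, ip_network

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Hypothetical register map: PDU address -> (tag, min, max) in raw register units.
CRITICAL_REGISTERS = {
    0: ("chlorine_dose_setpoint_x100_mg_l", 50, 400),   # 0.50 to 4.00 mg/L, scaled x100
    1: ("discharge_pressure_setpoint_kpa", 200, 600),
}

# Hypothetical allow-list of hosts permitted to write (the HMI / engineering subnet).
AUTHORISED_WRITERS = [ip_network("10.20.1.0/24")]


def parse_frame(frame: bytes):
    """Split a Modbus/TCP ADU into (unit_id, function_code, pdu_data).

    MBAP header: transaction id (2), protocol id (2, always 0),
    length (2, number of bytes that follow it), unit id (1). None if malformed.
    """
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7], frame[8:]


def extract_writes(fc: int, data: bytes):
    """Return the (address, value) pairs a write request sets; [] for non-writes."""
    if fc == WRITE_SINGLE_REGISTER and len(data) == 4:
        return [struct.unpack(">HH", data)]
    if fc == WRITE_MULTIPLE_REGISTERS and len(data) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        values = data[5:]
        if nbytes != 2 * qty or len(values) != nbytes:
            return []  # inconsistent byte count: do not trust the contents
        return [(start + i, struct.unpack(">H", values[2 * i:2 * i + 2])[0])
                for i in range(qty)]
    return []


def inspect(src_ip: str, frame: bytes):
    """Return AUDIT/ALERT lines for one observed request; [] if nothing to report."""
    parsed = parse_frame(frame)
    if parsed is None:
        return []
    unit, fc, data = parsed
    writes = extract_writes(fc, data)
    if not writes:
        return []
    findings = []
    src = ip_address(src_ip)
    if not any(src in net for net in AUTHORISED_WRITERS):
        findings.append(f"ALERT: Modbus write from unauthorised host {src_ip} to unit {unit}")
    for addr, value in writes:
        if addr not in CRITICAL_REGISTERS:
            continue
        tag, lo, hi = CRITICAL_REGISTERS[addr]
        if lo <= value <= hi:
            findings.append(f"AUDIT: {tag} changed to {value} by {src_ip}")
        else:
            findings.append(f"ALERT: {tag} set to {value}, outside engineering limits {lo}-{hi}")
    return findings


def build_write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Construct a function 0x06 request (used here only to build sample traffic)."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_multiple(tid: int, unit: int, start: int, values) -> bytes:
    """Construct a function 0x10 request (used here only to build sample traffic)."""
    body = b"".join(struct.pack(">H", v) for v in values)
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, start, len(values), len(body)) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source IP, frame). Not captured from any real plant.
SAMPLE_TRAFFIC = [
    ("10.20.1.5", build_write_single(1, 1, 0, 150)),             # HMI sets 1.50 mg/L
    ("10.20.7.33", build_write_single(2, 1, 0, 900)),            # rogue host sets 9.00 mg/L
    ("10.20.7.33", bytes.fromhex("000300000006010300000002")),   # read-only scan, no write
    ("10.20.7.33", build_write_multiple(3, 1, 0, [0, 999])),     # chlorine off, pressure high
]

if __name__ == "__main__":
    for src, frame in SAMPLE_TRAFFIC:
        for line in inspect(src, frame):
            print(line)
```

Run stand-alone it prints one AUDIT line for the HMI write and ALERT lines for the rogue host's writes, and nothing for the read-only scan. In a real deployment the frames would come from a span port or a Modbus-aware sensor rather than a list, and the register map and allow-list would be taken from the plant's own engineering documentation; the point of the example is that, because Modbus itself cannot tell an operator's write from an attacker's, the source host and the engineering limits are the only signals a monitor has.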

Finally, it is worth remembering that the mere detection of samples and routines does not always allow confident attribution of an attack: the use of political messages, the malware's level of development and its functional tests could point to anything from a state-run campaign to an experimental group testing its capabilities. Meanwhile, those responsible for water plants, desalination plants and other critical infrastructure should take these findings as an urgent reminder: attackers do not only seek data, they may also try to alter physical processes, and monitoring, isolation and a prepared response are the best vaccine against that risk.
