www.infosecurity-magazine.com 4/20/2026, 4:18:43 PM · via preferred

ZionSiphon malware hits water plants via USB and Modbus

A newly identified malware strain designed to interact with operational technology (OT) systems has been analysed by security researchers, revealing capabilities aimed at water treatment and desalination infrastructure. The malware, named ZionSiphon and discovered by Darktrace, combines traditional endpoint compromise techniques with functions tailored to industrial control systems.

According to Darktrace, it includes privilege escalation, persistence mechanisms and USB-based propagation, with targeting logic closely aligned to the water sector. The analysed sample contains hardcoded references to desalination plants and wastewater systems, alongside checks for software linked to reverse osmosis and chlorine control, suggesting it is designed to activate only when specific geographic and environmental conditions are met.

It also embeds politically charged messages, though these strings do not influence execution, and restricts execution to IP ranges associated with Israel. Darktrace observed a network discovery routine that scans local subnets for ICS devices and probes Modbus, DNP3 and S7comm to identify responsive systems for interaction. The Modbus functionality is the most developed.
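
One way a defender could flag the subnet discovery behaviour described above from flow logs, as an added example that is not from Darktrace or the article. It assumes flow records of (timestamp, source, destination, destination TCP port), the standard ports 502, 20000 and 102 for Modbus, DNP3 and S7comm, and a hypothetical threshold of five distinct hosts in five minutes; the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard TCP ports for the three protocols named in the article.
ICS_PORTS = {502: "Modbus", 20000: "DNP3", 102: "S7comm"}

def find_ics_sweeps(flows, min_hosts=5, window=timedelta(minutes=5)):
    """Return {src: {"hosts": n, "protocols": [...]}} for sources that reach
    at least min_hosts distinct destinations on ICS ports within window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ICS_PORTS:  # ignore non-ICS traffic entirely
            by_src[src].append((datetime.fromisoformat(ts), dst, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts:
                best = alerts.get(src)
                if best is None or len(hosts) > best["hosts"]:
                    protos = sorted({ICS_PORTS[p] for _, _, p in span})
                    alerts[src] = {"hosts": len(hosts), "protocols": protos}
    return alerts

# Constructed sample: a workstation sweeping six hosts on all three ports,
# an HMI polling a single PLC over Modbus, and one unrelated HTTPS flow.
SAMPLE_FLOWS = (
    [(f"2026-01-01T10:00:{i:02d}", "10.20.0.57",
      f"10.20.0.{10 + i // 3}", (502, 20000, 102)[i % 3]) for i in range(18)]
    + [(f"2026-01-01T10:{m:02d}:00", "10.20.0.5", "10.20.0.10", 502)
       for m in range(10)]
    + [("2026-01-01T10:01:00", "10.20.0.57", "10.20.0.200", 443)]
)

if __name__ == "__main__":
    for src, info in find_ics_sweeps(SAMPLE_FLOWS).items():
        print(src, info)
```

The HMI that repeatedly polls one PLC is not flagged, because the rule counts distinct destinations rather than connections.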

Article by CyberSIXT