Cybersecurity researchers have flagged ZionSiphon, a new malware suite that appears designed to target Israeli water treatment and desalination OT systems. According to Darktrace, the malware is capable of persistence, tampering with local configuration files, and scanning for OT-relevant services on the local subnet, with a focus on Israel. VirusTotal records the sample as first detected in the wild on 29 June 2025, shortly after the Twelve-Day War between Iran and Israel.
ZionSiphon combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, and it targets a specific set of IPv4 ranges within Israel: 2.52.0[.]0–2.55.255[.]255, 79.176.0[.]0–79.191.255[.]255, and 212.150.0[.]0–212.150.255[.]255.
The malware identifies devices on the local subnet, attempts Modbus, DNP3, and S7comm communications, and can propagate via removable media, with some components described as still unfinished or partially functional.
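
For defenders, the behaviour described above can be turned into a simple triage check. The following is an added example, not code from Darktrace or from the article: it tests whether an address falls inside the listed ranges and flags hosts that probe several OT protocols across their own subnet. The port numbers are the protocols' standard defaults, and the flow-record format, thresholds and sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# IPv4 ranges quoted in the article, re-fanged so they can be parsed.
TARGETED_RANGES = [
    ("2.52.0.0", "2.55.255.255"),
    ("79.176.0.0", "79.191.255.255"),
    ("212.150.0.0", "212.150.255.255"),
]
# Standard default TCP ports for the named protocols (assumption: not in the article).
OT_PORTS = {502: "Modbus", 20000: "DNP3", 102: "S7comm"}

def in_targeted_ranges(ip):
    """True if ip lies inside one of the ranges listed in the article."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in TARGETED_RANGES)

def find_ot_sweeps(flows, prefix=24, min_hosts=3, min_protocols=2):
    """Flag sources probing several OT protocols on several same-subnet hosts."""
    seen = defaultdict(lambda: (set(), set()))
    for src, dst, dport in flows:
        if dport not in OT_PORTS:
            continue
        local_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if ipaddress.ip_address(dst) in local_net:
            hosts, protocols = seen[src]
            hosts.add(dst)
            protocols.add(OT_PORTS[dport])
    return {src: {"hosts": len(h), "protocols": sorted(p)}
            for src, (h, p) in seen.items()
            if len(h) >= min_hosts and len(p) >= min_protocols}

# Constructed sample flow records: (source, destination, TCP dest port).
SAMPLE_FLOWS = [
    ("10.20.30.15", "10.20.30.1", 502),    # one host, many PLCs, 3 protocols
    ("10.20.30.15", "10.20.30.1", 20000),
    ("10.20.30.15", "10.20.30.2", 102),
    ("10.20.30.15", "10.20.30.3", 502),
    ("10.20.30.15", "10.20.31.9", 502),    # outside the /24, not counted
    ("10.20.30.50", "10.20.30.10", 502),   # HMI polling its one PLC
    ("10.20.30.50", "10.20.30.10", 502),
    ("10.20.30.60", "10.20.30.1", 443),    # non-OT traffic
]

if __name__ == "__main__":
    for src, info in find_ot_sweeps(SAMPLE_FLOWS).items():
        print(src, info, "in listed ranges:", in_targeted_ranges(src))
```

The thresholds (`min_hosts`, `min_protocols`) need tuning against a site's normal polling patterns, since engineering workstations may legitimately talk to many controllers.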