
ZionSiphon OT malware targeting Israeli water infrastructure; sabotage logic identified

1 unique source, 1 article

Summary


A new operational technology (OT)-focused malware named ZionSiphon has been identified with capabilities to manipulate water treatment and desalination systems in Israel. The malware contains sabotage logic, in a function named 'IncreaseChlorineLevel()', designed to increase chlorine levels to dangerous concentrations and adjust hydraulic pressures. It also includes a flawed encryption-based validation mechanism that currently prevents execution, triggering a self-destruct routine instead. Targeting is confirmed by IP range checks and OT software detection, though an XOR-based logic error causes these checks to fail. The malware's current iteration remains non-functional, but researchers warn that a minor fix could activate its destructive payload.

Timeline

  1. 17.04.2026 01:04 · 1 article

    ZionSiphon OT malware discovered with sabotage logic for Israeli water systems

    Researchers identified ZionSiphon, a malware designed to sabotage water treatment and desalination systems in Israel. The malware includes sabotage functions to raise chlorine to hazardous levels and adjust pressures via 'IncreaseChlorineLevel()'. The current release contains a validation flaw (XOR mismatch) that triggers self-destruction, preventing execution. The malware also features USB propagation and ICS protocol scanning (Modbus, DNP3, S7comm), though only partial Modbus functionality is implemented. Sabotage logic targets OT configuration files and system mechanics to maximize operational impact.


Information Snippets

  • ZionSiphon targets water treatment and desalination systems in Israel by checking host IP ranges and presence of OT-related software/files.

    First reported: 17.04.2026 01:04
    1 source, 1 article
  • The malware contains a sabotage function 'IncreaseChlorineLevel()' that appends configuration blocks to OT system files to maximize chlorine dose ('Chlorine_Dose=10', 'Chlorine_Pump=ON') and set hydraulic pressure to maximum ('RO_Pressure=80').

    First reported: 17.04.2026 01:04
    1 source, 1 article
  • A validation flaw in ZionSiphon’s targeting logic, caused by an XOR mismatch, triggers a self-destruct mechanism instead of payload execution, rendering the malware non-functional in its current release.

    First reported: 17.04.2026 01:04
    1 source, 1 article
  • ZionSiphon includes a USB propagation mechanism that copies itself as a hidden 'svchost.exe' to removable drives and creates malicious shortcut files to auto-execute on user interaction.

    First reported: 17.04.2026 01:04
    1 source, 1 article
  • The malware scans for industrial communication protocols (Modbus, DNP3, S7comm) but currently only implements partially functional Modbus code, with placeholders for the other two, indicating early development status.

    First reported: 17.04.2026 01:04
    1 source, 1 article
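
A defensive check for the configuration tampering described in the 'IncreaseChlorineLevel()' snippet above, added here as an example (it is not code from the malware, the researchers or this site). It flags a config file whose final assignments for the three reported keys match the reported values, and notes when they override earlier settings, which is what an appended block looks like. The key=value strings come from the report; the sample file layout, section names and function names are constructed assumptions.

```python
import re

# Settings the report says are appended to OT configuration files.
REPORTED_VALUES = {
    "Chlorine_Dose": "10",
    "Chlorine_Pump": "ON",
    "RO_Pressure": "80",
}
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

# Constructed sample configs (layout and original values are assumptions).
SAMPLE_CLEAN = "[Dosing]\nChlorine_Dose=2\nChlorine_Pump=AUTO\n[Membrane]\nRO_Pressure=55\n"
SAMPLE_TAMPERED = SAMPLE_CLEAN + "Chlorine_Dose=10\nChlorine_Pump=ON\nRO_Pressure=80\n"


def find_appended_overrides(config_text):
    """Return watched keys whose last assignment equals a reported value."""
    seen = {}  # key -> [(line_no, value), ...] in file order
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if m and m.group(1) in REPORTED_VALUES:
            seen.setdefault(m.group(1), []).append((line_no, m.group(2)))
    findings = []
    for key, assignments in seen.items():
        last_line, last_value = assignments[-1]
        if last_value.upper() != REPORTED_VALUES[key]:
            continue  # final value is not one of the reported settings
        earlier = [value for _, value in assignments[:-1]]
        findings.append({
            "key": key,
            "line": last_line,
            "value": last_value,
            # True when an earlier, different value is silently replaced.
            "overrides_earlier": any(v.upper() != last_value.upper() for v in earlier),
        })
    return sorted(findings, key=lambda f: f["line"])


def is_suspicious(config_text):
    """True only when all three reported settings are the effective values."""
    hits = {f["key"] for f in find_appended_overrides(config_text)}
    return hits == set(REPORTED_VALUES)


if __name__ == "__main__":
    for finding in find_appended_overrides(SAMPLE_TAMPERED):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_TAMPERED))
```

A single matching key (for example a pump legitimately set to ON) produces a finding but does not trip `is_suspicious`, which keeps the check from alerting on normal plant settings.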