{"id":45523,"date":"2026-04-18T00:17:53","date_gmt":"2026-04-17T16:17:53","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-zionsiphon-malware-discovered-targeting-israeli-water-systems\/"},"modified":"2026-04-18T00:17:53","modified_gmt":"2026-04-17T16:17:53","slug":"new-zionsiphon-malware-discovered-targeting-israeli-water-systems","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-zionsiphon-malware-discovered-targeting-israeli-water-systems\/","title":{"rendered":"New ZionSiphon Malware Discovered Targeting Israeli Water Systems"},"content":{"rendered":"\n<p>Researchers at Darktrace have identified ZionSiphon, a new malware targeting Israeli water treatment plants. Learn how this OT-focused attack uses ICS protocols like Modbus and S7comm to target critical infrastructure.<\/p>\n<p>Cybersecurity firm Darktrace has released a report on a new strain of malware named ZionSiphon, created specifically to target <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/180000-ics-ot-devices-safety-concerns\/\">Operational Technology<\/a> (OT) systems that manage water treatment and desalination in Israel. Desalination is the process of converting salt water into drinking water, which makes it a vital service for the region.<\/p>\n<p>According to Darktrace&#8217;s report shared with Hackread.com, this malware sample, though unfinished, was built to find specific <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/hacktivists-israel-palestine-ics-infrastructure\/\">Industrial Control System<\/a> (ICS) settings used in water plants. 
This means the threat actors wanted to change things like chlorine levels and water pressure with the intent to cause real-world damage rather than merely stealing data.<\/p>\n<h3><strong>How the Attack Works<\/strong><\/h3>\n<p>ZionSiphon is a sneaky piece of malware that checks whether it has administrative rights on the device right after infection, using a function called <code>RunAsAdmin()<\/code>. It manages to remain undetected on the system by hiding a copy of itself and using a fake name, <code>svchost.exe<\/code>, which makes it look like a normal <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/new-malware-uses-windows-character-map-cryptomining\/\" data-type=\"post\" data-id=\"134351\">Windows process<\/a>. It even creates a registry key named <code>SystemHealthCheck<\/code> to ensure persistence on the infected host.<\/p>\n<p>Darktrace&#8217;s <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.darktrace.com\/blog\/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems\">report<\/a> noted that this malware is different because it can spread via USB sticks through a removable-media propagation mechanism. Therefore, if someone plugs a thumb drive into an infected computer, ZionSiphon copies itself onto that drive almost immediately.<\/p>\n<p>It even hides the real files and makes fake shortcuts using a function called <code>CreateUSBShortcut()<\/code>. An unsuspecting user may click one, thinking it is a normal file, but will actually execute the malware payload.<\/p>\n<p>Further probing revealed that ZionSiphon searches for industrial control system protocols such as Modbus, DNP3, and S7comm. It also looks for configuration files like <code>DesalConfig.ini<\/code> and <code>ChlorineControl.dat<\/code>. 
<\/p>\n<div>\n<figure><a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/new-zionsiphon-malware-discovered-targeting-israeli-water-supply.png\"><img loading=\"lazy\" decoding=\"async\" width=\"562\" height=\"326\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/new-zionsiphon-malware-discovered-targeting-israeli-water-supply.png\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/new-zionsiphon-malware-discovered-targeting-israeli-water-supply.png 562w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/new-zionsiphon-malware-discovered-targeting-israeli-water-supply-300x174.png 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/new-zionsiphon-malware-discovered-targeting-israeli-water-supply-380x220.png 380w\" sizes=\"auto, (max-width: 562px) 100vw, 562px\" alt=\"New ZionSiphon Malware Discovered Targeting Israeli Water Systems\" \/><\/a><figcaption>Image credit: Darktrace<\/figcaption><\/figure>\n<\/p><\/div>\n<p>To identify targets, the malware includes a list of specific Israeli plant locations, including:<\/p>\n<ul>\n<li>Sorek<\/li>\n<li>Hadera<\/li>\n<li>Ashdod<\/li>\n<li>Shafdan<\/li>\n<li>Palmachim<\/li>\n<\/ul>\n<h3><strong>Political Links<\/strong><\/h3>\n<p>The researchers found hidden messages inside the code expressing <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/iran-handala-hackers-verifone-stryker-hacks\/\" data-type=\"post\" data-id=\"142483\">support for 
Iran, Yemen, and Palestine<\/a>. For example, one note mentioned &#8220;Poisoning the population of Tel Aviv and Haifa,&#8221; though the code was not actually able to perform this action. The actors, who identified themselves as 0xICS, also mentioned Dimona, a city known for its nuclear research centre.<\/p>\n<p>Even though the intent was clear, the attackers made several mistakes that researchers quickly identified. The malware includes a <code>SelfDestruct()<\/code> feature designed to run if it is not on a system located in Israel, but a coding error can cause it to misidentify the location and delete itself unintentionally. It also creates a file named <code>delete.bat<\/code> to remove its own traces.<\/p>\n<p>This research highlights that even buggy malware can be a major threat to the safety of ICS, and this makes <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/us-europe-account-73-global-exposed-ics-systems\/\">critical infrastructure<\/a> like water and power systems even more important to monitor.<\/p>\n<div>\n<h5><a target=\"_blank\" rel=\"author\" href=\"https:\/\/hackread.com\/author\/deeba\/\">Deeba Ahmed<\/a><\/h5>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Researchers at Darktrace have identified ZionSiphon, a  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-45523","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45523"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45523\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}