Cyber Threat Bulletin
Severity: Critical | Threat Type: OT Sabotage Malware | TLP: White

ZionSiphon

OT Sabotage Malware Targeting Water and Desalination Infrastructure

First Seen: June 29, 2025 | Author Alias: 0xICS | Primary Protocol: Modbus
Severity: Critical
Threat Type: OT Sabotage Malware
Primary Delivery: USB / Removable Media Propagation
Target Environment: Water treatment and desalination OT systems
Protocol Focus: Modbus (functional); DNP3 and S7comm (planned, incomplete)
Impact Objective: Physical process manipulation via chlorine dosing and reverse osmosis pressure
Current Sample Status: Fails to activate due to country validation logic flaw. Architecture remains operationally coherent.
At a glance: first VirusTotal submission June 29, 2025; 7 attack chain phases; 1 confirmed SHA-256; 3 hardcoded target IP ranges; 9 detection analytics.
Section 01

Executive Summary

ZionSiphon is a Windows-based implant designed to sabotage industrial control systems used in water treatment and desalination operations. First submitted to VirusTotal on June 29, 2025, shortly after the Twelve-Day War between Iran and Israel, the malware contains embedded ideological messaging signed by the alias 0xICS and is engineered to interact directly with industrial protocols including Modbus, DNP3, and S7comm. Its intended outcome is not espionage. It is physical consequence. The malware was built to manipulate chlorine dosing levels and reverse osmosis pressure at hardcoded water infrastructure targets.

The currently analyzed sample fails to activate because of a logic error in its country validation routine. That flaw does not reduce the seriousness of the threat. The architecture is coherent, the targeting logic is process-aware, and the failure can be corrected with only a minor code change. ZionSiphon should be treated as an early but credible example of sabotage malware built by an actor outside a top-tier nation-state program.

For defenders, the most immediate lesson is not about malware sophistication. It is about exposure. ZionSiphon relies on removable media, weak workstation controls, and OT environments with limited monitoring. Air gaps do not help if infected USB media is already inside the perimeter. Organizations in water, utilities, and any Modbus-heavy OT environment should treat this bulletin as a warning that process-aware sabotage tooling is becoming more accessible and more portable.

Critical Finding

The logic flaw preventing activation is a single correctable error in the country validation routine. The Modbus manipulation capability, USB propagation, and persistence mechanisms are functional. This is a draft weapon, not a defective one.

Section 02

Key Findings

  • ZionSiphon is designed to sabotage OT processes, not merely steal data or establish persistence. The intended outcome is physical consequence to water treatment and desalination operations.
  • The malware targets chlorine dosing and reverse osmosis pressure, creating credible public health and equipment damage risk if the payload activates in an operational environment.
  • The current sample fails because of a target-country logic flaw, but the rest of the architecture is operationally coherent. Correcting the flaw requires only a minor code change.
  • USB propagation is a core feature. The malware copies itself to every removable drive it finds and creates malicious LNK shortcuts to carry the infection across air-gapped boundaries through operational USB use.
  • The malware uses legitimate Windows mechanisms including Run key persistence, svchost masquerading, PowerShell UAC elevation, and LNK shortcuts to blend with normal system activity.
  • Modbus capability is functional and developed. DNP3 and S7comm branches appear planned but unfinished in this version, indicating the tool is under active development.
  • Geographic restrictions are superficial. Changing the hardcoded IP ranges would allow the same framework to be repurposed against any Modbus-accessible water or OT infrastructure worldwide.
Section 03

Detailed Threat Analysis

ZionSiphon sits at the intersection of hacktivist-style messaging and process-aware OT malware development. The actor is not formally attributed to a known group as of April 2026. The only identity exposed in the binary is 0xICS, embedded in Base64-encoded strings. The messaging inside the malware aligns with Iranian-aligned ideological framing, but current public reporting stops short of formal attribution. What is clear is intent: the malware explicitly references civilian populations and was built to affect water infrastructure, pointing to a sabotage objective rather than collection or access brokering.

The broader context matters. Iranian-linked and Iranian-aligned actors have targeted Israeli water infrastructure before, including prior attempts to manipulate chlorine dosing in 2020. ZionSiphon does not appear to be a direct continuation of those campaigns, but it clearly echoes them. It also mirrors a growing pattern in which ideologically motivated actors adopt OT themes, infrastructure targeting, and deniable personas to blur the line between hacktivism and state-aligned disruption.

Technically, ZionSiphon is not polished, but it is not crude. It checks for elevation, relaunches through PowerShell using Start-Process -Verb RunAs, creates persistence through the HKCU Run key, copies itself into LocalApplicationData as svchost.exe, and applies hidden attributes to blend in with normal Windows artifacts. It also performs environment validation by checking local IP ranges and searching for OT-specific process names, vendor directories, and configuration files related to water treatment and desalination.

Its process-specific intent is the most important aspect of the malware. If validation succeeds, it tampers with hardcoded OT configuration files and attempts Modbus writes that raise chlorine dose values and pressure settings. This makes ZionSiphon meaningful even in a draft or flawed state. It shows that moderately skilled actors can now assemble operationally informed sabotage tooling without requiring the resources historically associated with landmark OT malware.

Attribution Context

The malware was first submitted to VirusTotal on June 29, 2025, shortly after the Twelve-Day War between Iran and Israel. Ideological strings align with Iranian-aligned framing, but formal attribution to a tracked group has not been made. ZionSiphon should be analyzed as a credible sabotage capability regardless of final attribution.

Section 04

Attack Chain Overview

Entry Point

ZionSiphon enters through removable media, not internet-facing exploitation. The attack begins the moment an infected USB device is introduced to an OT-adjacent Windows workstation.

Phase 1: Initial Execution and Elevation

Checks for admin privileges. If absent, relaunches itself through PowerShell using Start-Process -Verb RunAs. This raises a standard UAC consent prompt rather than silently bypassing UAC, so on a workstation with UAC at its default setting the elevation depends on the logged-on user clicking through.

Phase 2: Persistence and Masquerade

Writes an HKCU Run value named SystemHealthCheck. Copies itself to LocalApplicationData as svchost.exe and sets the hidden attribute to survive casual inspection.

Phase 3: Target Validation

Checks the local IPv4 address against three hardcoded Israeli IP ranges and scans for water/desalination process names, vendor directories, and config files. In the analyzed sample a logic flaw in this check causes the malware to self-destruct instead of proceeding.

Phase 4: OT Config Tampering

If validation passes, appends parameter changes to DesalConfig.ini, ROConfig.ini, or ChlorineControl.dat: raises chlorine dosing, maximizes flow, opens valves, and sets the RO pressure value to 80 (units unspecified).

Phase 5: OT Network Recon

Scans the local /24 for hosts answering on TCP 502 (Modbus/TCP), 20000 (DNP3), and 102 (ISO-TSAP, used by S7comm). Responsive hosts are classified as ICS devices and handed to the protocol handlers.

Phase 6: Protocol Manipulation

The functional Modbus branch issues an FC03 (Read Holding Registers) request for ten registers starting at address 0, identifies the chlorine dose register, and writes the value 100 to it with FC06 (Write Single Register). If discovery fails it falls back to hardcoded write frames.

Phase 7: USB Propagation

Enumerates all removable drives, copies itself to each as hidden svchost.exe, and creates malicious LNK shortcuts. The shortcuts are the bridge across air-gapped boundaries: the infection moves when operators carry the media to another system.
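The phase 6 exchange on the wire, as an added example written for this bulletin (it is not code from the ZionSiphon sample or from the bulletin's authors): a minimal Modbus/TCP frame builder and parser, a constructed capture in which a workstation reads ten holding registers from address 0 on two devices and then writes 100 to a low register on one of them, and the per-pair check behind the Section 06 indicator "FC03 reads for ten registers from address zero followed by FC06 write activity". The IP addresses, the register layout (register 3 standing in for the chlorine dose register) and the response values are assumptions for illustration; the bulletin does not publish the real register map.

```python
"""Modbus/TCP framing and the FC03-then-FC06 sequence check from phase 6.

Added example for this bulletin, not code from the ZionSiphon sample or from
its authors. Framing follows the public Modbus/TCP spec: a 7-byte MBAP header
(transaction id, protocol id 0, length, unit id) followed by the PDU.
Addresses, register layout and register values below are constructed.
"""
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
FC_READ_HOLDING, FC_WRITE_SINGLE = 3, 6


def _frame(tid, unit, pdu):
    # MBAP length counts the unit id byte plus the PDU
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_fc03_request(tid, unit, start, qty):
    return _frame(tid, unit, struct.pack(">BHH", FC_READ_HOLDING, start, qty))


def build_fc03_response(tid, unit, values):
    data = b"".join(struct.pack(">H", v) for v in values)
    return _frame(tid, unit, struct.pack(">BB", FC_READ_HOLDING, len(data)) + data)


def build_fc06(tid, unit, addr, value):
    # FC06 response is a byte-for-byte echo of the request, so one builder serves both
    return _frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value))


def parse_frame(raw, is_request):
    """Decode one Modbus/TCP frame into a dict. Raises ValueError on bad framing."""
    if len(raw) < 8:
        raise ValueError("frame too short")
    tid, pid, length, unit = MBAP.unpack_from(raw, 0)
    if pid != 0 or length != len(raw) - 6:
        raise ValueError("malformed MBAP header")
    pdu = raw[7:]
    fc = pdu[0]
    msg = {"tid": tid, "unit": unit, "fc": fc & 0x7F}
    if fc & 0x80:                       # exception response, e.g. illegal address
        msg["exception"] = pdu[1]
    elif fc == FC_READ_HOLDING and is_request:
        msg["start"], msg["qty"] = struct.unpack(">HH", pdu[1:5])
    elif fc == FC_READ_HOLDING:
        n = pdu[1]
        msg["values"] = list(struct.unpack(">%dH" % (n // 2), pdu[2:2 + n]))
    elif fc == FC_WRITE_SINGLE:
        msg["addr"], msg["value"] = struct.unpack(">HH", pdu[1:5])
    return msg


def detect_fc03_then_fc06(capture, low_register_limit=10):
    """capture: time-ordered (ts, src, dst, is_request, raw) tuples.

    Returns alerts (ts, severity, src, dst, addr, value). A write below
    low_register_limit is 'critical' when the same src/dst pair was first
    swept with FC03 start=0 qty=10 (the sample's discovery read), otherwise
    'high', because the sample falls back to hardcoded write frames when
    discovery fails.
    """
    swept, alerts = set(), []
    for ts, src, dst, is_req, raw in capture:
        if not is_req:
            continue
        m = parse_frame(raw, is_req)
        if m["fc"] == FC_READ_HOLDING and m.get("start") == 0 and m.get("qty") == 10:
            swept.add((src, dst))
        elif m["fc"] == FC_WRITE_SINGLE and m["addr"] < low_register_limit:
            sev = "critical" if (src, dst) in swept else "high"
            alerts.append((ts, sev, src, dst, m["addr"], m["value"]))
    return alerts


# Constructed capture (RFC 5737 documentation addresses). Register 3 stands in
# for the chlorine dose register; the bulletin does not publish the real map.
WS, PLC_A, PLC_B, HMI = "192.0.2.10", "192.0.2.20", "192.0.2.21", "192.0.2.5"
CAPTURE = [
    (0.00, WS, PLC_A, True,  build_fc03_request(1, 1, 0, 10)),
    (0.05, PLC_A, WS, False, build_fc03_response(1, 1, [0, 0, 0, 12, 60, 0, 0, 0, 0, 0])),
    (0.10, WS, PLC_B, True,  build_fc03_request(2, 1, 0, 10)),
    (0.15, PLC_B, WS, False, build_fc03_response(2, 1, [0] * 10)),
    (0.50, WS, PLC_A, True,  build_fc06(3, 1, 3, 100)),   # dose register forced to 100
    (0.55, PLC_A, WS, False, build_fc06(3, 1, 3, 100)),   # echo from the device
    (5.00, HMI, PLC_A, True, build_fc03_request(9, 1, 40, 2)),  # routine HMI poll, not a low-register sweep
]

if __name__ == "__main__":
    for alert in detect_fc03_then_fc06(CAPTURE):
        print(alert)
```

The severity split mirrors the sample's two paths: a low-register FC06 preceded by the address-0 sweep is the discovery path and gets the critical grade; a bare low-register FC06 from a workstation still gets a high grade because the hardcoded-frame fallback produces exactly that. Either one in a water plant is a process-control event first and a malware event second.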

Section 05

MITRE ATT&CK Mapping

Note

The primary bulletin does not include a formal ATT&CK mapping. Techniques below are derived from documented behaviors. ICS techniques use the MITRE ATT&CK for ICS framework.

MITRE ATT&CK for ICS
T0836 Modify Parameter — Chlorine dosing values and RO pressure written via hardcoded config file entries and Modbus FC06 writes.
T0855 Unauthorized Command Message — Modbus FC06 write frames issued directly to holding registers. FC03 reads used for register discovery.
T0879 Damage to Property — Assessed intended consequence: unsafe chlorine concentration and increased mechanical stress to RO infrastructure.
MITRE ATT&CK Enterprise
T1091 Replication Through Removable Media — Core propagation mechanism. Copies to all enumerated removable drives with malicious LNK shortcuts.
T1547.001 Registry Run Keys — HKCU\...\Run value SystemHealthCheck establishes persistence at user logon.
T1036.005 Match Legitimate Name — Copies itself to %LOCALAPPDATA% as svchost.exe with hidden attributes to blend with Windows naming conventions.
T1548.002 Bypass User Account Control — Relaunches via PowerShell Start-Process -Verb RunAs from a non-interactive process. This is consent-prompt elevation, not a silent bypass: it succeeds only when the interactive user approves the prompt (or UAC is configured to elevate without prompting), so the prompt itself is a visible artifact on the workstation.
T1046 Network Service Discovery (formerly Network Service Scanning) — Obfuscated function scans the local /24 subnet on ports 502, 20000, and 102 to discover accessible ICS devices.
Section 06

Indicators of Compromise

No C2 Network Indicators

The bulletin explicitly notes that no command-and-control network indicators have been published. Host-based and behavioral detections are the primary path for defense.

File Hash
07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f
SHA-256. Confirmed ZionSiphon sample. First submitted VirusTotal June 29, 2025.
Hardcoded IP Ranges:
2.52.0.0 – 2.55.255.255
79.176.0.0 – 79.191.255.255
212.150.0.0 – 212.150.255.255
Not a global safety boundary. Removing these values allows execution anywhere.
Host-Based Indicators
svchost.exe running from %LOCALAPPDATA%
HKCU\...\Run value: SystemHealthCheck
%TEMP%\target_verify.log
%TEMP%\delete.bat
PowerShell Start-Process -Verb RunAs from non-interactive process
LNK shortcut creation on removable drives
Appended entries in DesalConfig.ini, ROConfig.ini, or ChlorineControl.dat
Network Behavioral Indicators
Burst TCP connections across local /24 on ports 502, 20000, and 102
Modbus FC03 reads for ten registers from address zero followed by FC06 write activity
S7comm sessions (TCP 102) originating from workstation processes. The S7comm branch is unfinished in the analyzed sample, so treat this as coverage for later variants rather than a current-sample indicator.
A workstation showing AppData svchost.exe + Run key + rapid Modbus FC03/FC06 activity should be treated as an urgent sabotage scenario, not generic malware.
Section 07

Detection Analysis

ZionSiphon is highly detectable if organizations are collecting the right telemetry. Its reliance on standard Windows persistence, PowerShell elevation, file tampering, shortcut creation, and Modbus activity means defenders can build meaningful detection coverage with endpoint, registry, file, and network data. OT protocol visibility improves the fidelity of the highest-value detections. These detections matter for the failed sample too: before the payload self-destructs, the malware may already have elevated, persisted, and touched the file system in forensically meaningful ways.

Standard SIEM-Compatible Detections

  • svchost.exe executing from %LOCALAPPDATA% or removable drive path
  • PowerShell UAC bypass via Start-Process -Verb RunAs from non-interactive parent
  • HKCU Run key creation with value name SystemHealthCheck
  • LNK shortcut creation on removable media volumes
  • Burst TCP connections from a single workstation to local /24 on ports 502, 20000, and 102
  • OT config file modification: DesalConfig.ini, ROConfig.ini, or ChlorineControl.dat
  • Creation of delete.bat or target_verify.log in %TEMP%

OT Platform Required Detections

  • Modbus FC06 write to registers 0–9 outside authorized change windows (requires OT-aware monitoring with Modbus protocol DPI)
  • Modbus FC03 read burst across multiple hosts on the same subnet from a single source workstation (requires industrial protocol visibility and baseline)
Detection Strategy

The most effective posture combines endpoint telemetry with OT protocol monitoring. A workstation showing AppData-based svchost.exe, a Run key entry, and rapid Modbus FC03 followed by FC06 activity should be treated as an urgent sabotage scenario, not a generic malware event. In a water environment, unexpected low-register Modbus writes are a direct process-control risk.
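The host-side analytics above, implemented as plain Python over a constructed Sysmon-style event stream. This is an added example for this bulletin, not the bulletin's own tooling and not a replacement for the Sigma rules in Section 10; it reimplements the intent of Rules 1, 2, 3, 5 and 7 so the matching logic can be unit-tested before the Sigma is deployed. The event stream, paths, SID and addresses are constructed; the field names follow Sysmon (Image, ParentImage, CommandLine, TargetObject, TargetFilename, SourceIp, DestinationIp, DestinationPort).

```python
"""Host-side versions of the Section 07 analytics, run over constructed events.

Added example for this bulletin (not the bulletin's own tooling and not a
substitute for the Sigma rules in Section 10). It reimplements the logic of
Rules 1, 2, 3, 5 and 7 over Sysmon-style event dicts so the matching can be
unit-tested before deployment. Event stream, paths, SID and addresses are
constructed; field names follow Sysmon.
"""
from collections import defaultdict, deque

LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INTERACTIVE_PARENTS = ("\\explorer.exe", "\\cmd.exe")
OT_PORTS = {502, 20000, 102}


def _f(ev, key):
    return str(ev.get(key, "")).lower()


def rule_svchost_masquerade(ev):
    """Rule 1: svchost.exe started from anywhere but System32/SysWOW64."""
    img = _f(ev, "Image")
    return (ev["category"] == "process_creation"
            and img.endswith("\\svchost.exe")
            and not img.startswith(LEGIT_SVCHOST_DIRS))


def rule_run_key(ev):
    """Rule 2: Run value named SystemHealthCheck written under any hive."""
    t = _f(ev, "TargetObject")
    return (ev["category"] == "registry_set"
            and "\\currentversion\\run" in t
            and t.endswith("\\systemhealthcheck"))


def rule_powershell_runas(ev):
    """Rule 3: Start-Process ... -Verb RunAs from a non-interactive parent."""
    cl = _f(ev, "CommandLine")
    return (ev["category"] == "process_creation"
            and _f(ev, "Image").endswith("\\powershell.exe")
            and "start-process" in cl and "runas" in cl
            and not _f(ev, "ParentImage").endswith(INTERACTIVE_PARENTS))


def rule_temp_artifacts(ev):
    """Rule 7: the two %TEMP% artifacts the sample leaves behind."""
    f = _f(ev, "TargetFilename")
    return (ev["category"] == "file_event"
            and ("\\temp\\delete.bat" in f or "\\temp\\target_verify.log" in f))


def rule_ot_port_burst(events, threshold=3, window=60):
    """Rule 5 as a sliding window: more than `threshold` distinct destinations
    on OT ports from one source within `window` seconds. This is what the
    legacy Sigma aggregation `count(DestinationIp) by SourceIp > 3` means."""
    recent = defaultdict(deque)          # SourceIp -> deque[(ts, DestinationIp)]
    alerts = []
    for ev in events:
        if ev["category"] != "network_connection" or int(ev.get("DestinationPort", 0)) not in OT_PORTS:
            continue
        q = recent[ev["SourceIp"]]
        q.append((ev["ts"], ev["DestinationIp"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) > threshold:
            alerts.append((ev["ts"], ev["SourceIp"], len(distinct)))
            q.clear()                    # one alert per burst, not one per packet
    return alerts


PER_EVENT_RULES = {
    "svchost_masquerade": rule_svchost_masquerade,
    "run_key_systemhealthcheck": rule_run_key,
    "powershell_runas_noninteractive": rule_powershell_runas,
    "temp_artifacts": rule_temp_artifacts,
}


def run_detections(events):
    """Return (rule_name, ts, detail) for every hit."""
    hits = [(name, ev["ts"], ev.get("Image") or ev.get("TargetObject") or ev.get("TargetFilename"))
            for ev in events for name, rule in PER_EVENT_RULES.items() if rule(ev)]
    hits += [("ot_port_burst", ts, f"{src} -> {n} OT hosts") for ts, src, n in rule_ot_port_burst(events)]
    return hits


# Constructed event stream: USB stage, elevation, persistence, validation log, then the /24 sweep.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
HKU_RUN = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
EVENTS = [
    {"ts": 0, "category": "process_creation", "Image": "E:\\svchost.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ts": 1, "category": "process_creation", "Image": PS, "ParentImage": "E:\\svchost.exe",
     "CommandLine": "powershell -Command Start-Process 'C:\\Users\\op\\AppData\\Local\\svchost.exe' -Verb RunAs"},
    {"ts": 2, "category": "registry_set", "TargetObject": HKU_RUN + "\\SystemHealthCheck"},
    {"ts": 3, "category": "process_creation", "Image": "C:\\Users\\op\\AppData\\Local\\svchost.exe", "ParentImage": PS},
    {"ts": 4, "category": "file_event", "TargetFilename": "C:\\Users\\op\\AppData\\Local\\Temp\\target_verify.log"},
    {"ts": 10, "category": "process_creation", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},   # benign service host
]
EVENTS += [{"ts": 20 + i, "category": "network_connection", "SourceIp": "192.0.2.10",
            "DestinationIp": f"192.0.2.{20 + i}", "DestinationPort": 502} for i in range(5)]
EVENTS.append({"ts": 30, "category": "network_connection", "SourceIp": "192.0.2.5",   # HMI polling one PLC
               "DestinationIp": "192.0.2.20", "DestinationPort": 502})

if __name__ == "__main__":
    for hit in run_detections(EVENTS):
        print(hit)
```

Two things worth noticing when tuning: the masquerade rule fires twice on the constructed stream (once for the USB copy, once for the AppData copy) and the benign System32 svchost.exe is excluded by prefix rather than by process name, which is the same shape as the Sigma filter_legit clause; and the port-burst rule clears its window after alerting so a 254-host sweep produces one alert, not 250, which matters when the alert feeds an OT operator rather than a SOC queue.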

Section 08

Prevention and Mitigation

ZionSiphon is highly dependent on removable media, weak workstation controls, and flat or accessible OT network segments. Many of the best defenses are operational and architectural, not expensive or exotic. USB policy, application control, and OT network segmentation address the three most critical attack dependencies simultaneously.

Immediate Actions

Removable Media Controls

  • Disable USB storage access on OT workstations and engineering stations where operationally possible
  • When media is required, use dedicated scanned write-protected media with strict chain of custody
  • Disable autorun and autoplay to reduce shortcut-based execution risk

Registry and Process Audit

  • Audit HKCU Run key entries for value name SystemHealthCheck as a direct ZionSiphon indicator
  • Alert on any svchost.exe executing from AppData, Temp, or removable media paths
  • Review PowerShell execution policy on OT-adjacent workstations

OT Config File Integrity

  • Establish file integrity monitoring on DesalConfig.ini, ROConfig.ini, and ChlorineControl.dat
  • Back up known-good config files to secured offline storage
  • Verify configuration file integrity before returning any affected controller to normal operation
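A baseline-and-verify check for the three files named above, as an added example for this bulletin (not the bulletin's or any vendor's tooling). It assumes the files are line-based key=value text; the bulletin says the sample "appends parameter changes" but does not document the format, so the section names, keys and values below are constructed. The baseline copy is meant to come from the offline store recommended above, and the check reports both value changes and the appended-override pattern itself, since a last-value-wins loader will honour whichever line comes last.

```python
"""Baseline-and-verify check for the config files named in this bulletin.

Added example, not the bulletin's or any vendor's tooling. It assumes the
three files are line-based key=value text; the bulletin says the sample
"appends parameter changes" but does not document the format, so the section
names, keys and values below are constructed.
"""
import hashlib

WATCHED_FILES = ("DesalConfig.ini", "ROConfig.ini", "ChlorineControl.dat")


def parse_kv(text):
    """Parse key=value lines. Later duplicates override earlier ones, which is
    how an appended line changes behaviour in a last-value-wins loader.
    Returns (values, keys_seen_more_than_once)."""
    values, dups = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        if key in values:
            dups.add(key)
        values[key] = val
    return values, dups


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_config(name, baseline_text, current_text):
    """Compare one watched file with its baseline. Empty list means intact."""
    findings = []
    if sha256_hex(current_text) == sha256_hex(baseline_text):
        return findings
    base, _ = parse_kv(baseline_text)
    cur, dups = parse_kv(current_text)
    for key in sorted(set(base) | set(cur)):
        if key not in base:
            findings.append(f"{name}: {key} added (={cur[key]})")
        elif key not in cur:
            findings.append(f"{name}: {key} removed")
        elif base[key] != cur[key]:
            findings.append(f"{name}: {key} changed {base[key]} -> {cur[key]}")
    for key in sorted(dups):
        findings.append(f"{name}: {key} set more than once (appended override)")
    if current_text.startswith(baseline_text):
        # the sample's behaviour: original bytes intact, new lines after them
        findings.append(f"{name}: content appended after the baseline")
    return findings


def verify_all(baselines, currents):
    """baselines/currents: {filename: text}. A missing current file is a finding too."""
    findings = []
    for name in WATCHED_FILES:
        if name not in baselines:
            continue
        if name not in currents:
            findings.append(f"{name}: missing on host")
            continue
        findings += verify_config(name, baselines[name], currents[name])
    return findings


# Constructed baseline and the kind of appended block phase 4 describes
# (dose raised, flow maxed, valve opened, RO pressure set to 80).
BASELINE = "[dosing]\nChlorineDose=1.2\nFlowSetpoint=60\n[ro]\nRO_Pressure=55\nValvePosition=40\n"
TAMPERED = BASELINE + "ChlorineDose=9.9\nFlowSetpoint=100\nValvePosition=100\nRO_Pressure=80\n"

if __name__ == "__main__":
    for line in verify_all({"DesalConfig.ini": BASELINE}, {"DesalConfig.ini": TAMPERED}):
        print(line)
```

The hash comparison is the cheap first gate; the key-level diff is what tells an operator which setpoint to check on the controller before restarting it. Run it against a baseline that never lived on the engineering workstation, or the comparison proves nothing.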
Architectural Controls

OT Network Segmentation

  • ZionSiphon's scanner only works if the infected workstation can reach devices on the same /24
  • Proper isolation between IT and OT segments blocks the Modbus manipulation path
  • Restrict lateral movement from engineering workstations to controller networks

Application Allowlisting

  • Restricting execution to approved binaries on OT workstations removes the attack surface for malware that copies itself to alternate paths
  • Block execution from AppData, Temp, and removable media paths
  • Review and tighten application execution policies on HMI and engineering workstations

OT Protocol Monitoring

  • Deploy OT-aware DPI capable of detecting FC06 Modbus writes outside maintenance windows
  • Baseline normal Modbus traffic patterns; multi-host FC03 burst from a single workstation is a high-confidence anomaly
  • Review contractor and vendor USB practices as a shared-media infection vector
Section 09

Reporting and Resources

If target_verify.log Is Present

The malware executed and attempted target validation even if the payload did not activate. In water treatment or desalination environments, immediately verify the integrity of chlorine and pressure-related configuration files before returning any affected controller to normal operation.


CISA

  • 24/7: (888) 282-0870
  • central@cisa.dhs.gov
  • cisa.gov/report

WaterISAC

  • H2OIAC.org
  • analyst@waterisac.org
  • (866) H2O-ISAC

Israel NCSS

  • 119 (hotline)
  • cert@cyber.gov.il
  • National Cyber Directorate

PhishCloud CFC

  • info@phishcloud.com
  • IOC queries and detection tuning support
  • Report observed indicators so bulletin can be updated
Section 10

Detection Analytics — Sigma Rules

Implementation Note

Rules are provided in Sigma format. Convert them with the pySigma sigma-cli (sigma convert -t <backend>, with the Splunk, Elasticsearch or QRadar backend installed as a plugin) or with the legacy sigmac tool (-t splunk, -t elasticsearch, -t qradar), which is no longer maintained. Two caveats apply. Rules 5 and 9 use the legacy "| count() by" aggregation syntax, which sigmac supports but pySigma does not; on pySigma express them as a Sigma correlation rule or as a native aggregation in the SIEM. Rules 8 and 9 use a custom product: modbus logsource with no standard backend mapping, so their field names must be mapped onto the schema of your OT monitoring platform, and they require Modbus protocol DPI. All rules are status: experimental and should be validated against your environment before production deployment.

Host-Based / SIEM-Compatible — Rules 1–7
Rule 1 — svchost.exe Outside System32 Critical
Sigma YAML
title: ZionSiphon - svchost.exe Masquerade Outside System32
status: experimental
tags:
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_legit:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter_legit
falsepositives:
    - Unlikely in OT environments
level: critical
Rule 2 — HKCU Run Key SystemHealthCheck Critical
Sigma YAML
title: ZionSiphon - Hardcoded Run Key Persistence
status: experimental
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\CurrentVersion\Run'
        TargetObject|endswith: '\SystemHealthCheck'
    condition: selection
falsepositives:
    - None expected
level: critical
Rule 3 — PowerShell UAC Bypass via RunAs High
Sigma YAML
title: ZionSiphon - PowerShell Self-Elevation
status: experimental
tags:
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'Start-Process'
            - 'RunAs'
    filter_interactive:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
    condition: selection and not filter_interactive
falsepositives:
    - Administrative elevation tooling
level: high
Rule 4 — LNK Creation on Removable Media High
Sigma YAML
title: ZionSiphon - USB Propagation LNK
status: experimental
tags:
    - attack.lateral_movement
    - attack.t1091
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|re: '^[D-Z]:\\.*\.lnk$'
    filter_user:
        Image|endswith: '\explorer.exe'
    condition: selection and not filter_user
falsepositives:
    - Legitimate LNK creation on removable drives
level: high
Rule 5 — OT Port Burst Scan from Workstation High
Sigma YAML
title: ZionSiphon - OT Network Reconnaissance
status: experimental
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 502
            - 20000
            - 102
    condition: selection | count(DestinationIp) by SourceIp > 3
    timeframe: 60s
falsepositives:
    - Authorized OT asset discovery scanning
level: high
Rule 6 — OT Config File Modification Critical
Sigma YAML
title: ZionSiphon - Water/Desal Config File Tampered
status: experimental
tags:
    - attack.impact
    - attack.t0836
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - 'DesalConfig.ini'
            - 'ROConfig.ini'
            - 'ChlorineControl.dat'
    condition: selection
falsepositives:
    - Authorized maintenance config changes
level: critical
Rule 7 — ZionSiphon Artifacts in %TEMP% High
Sigma YAML
title: ZionSiphon - Execution Artifacts in TEMP
status: experimental
tags:
    - attack.defense_evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Temp\delete.bat'
            - '\Temp\target_verify.log'
    condition: selection
falsepositives:
    - None expected
level: high
OT Protocol Required — Rules 8–9 (Modbus DPI)
Rule 8 — Modbus FC06 Write to Low Registers Critical
Sigma YAML — Requires Modbus Protocol Visibility
title: ZionSiphon - Modbus FC06 Process Manipulation
status: experimental
tags:
    - attack.impact
    - attack.t0836
    - attack.t0855
logsource:
    product: modbus
    service: protocol
detection:
    selection:
        function_code: 6  # FC06 Write Single Register
        register_address|lt: 10
    filter_maintenance:
        change_window_active: true
    condition: selection and not filter_maintenance
falsepositives:
    - Authorized parameter changes in maintenance windows
level: critical
Rule 9 — Modbus FC03 Burst Across Multiple Hosts High
Sigma YAML — Requires Modbus Protocol Visibility
title: ZionSiphon - Modbus FC03 Register Discovery
status: experimental
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: modbus
    service: protocol
detection:
    selection:
        function_code: 3  # FC03 Read Holding Registers
        start_address: 0
        quantity: 10
    condition: selection | count(dest_ip) by src_ip > 2
    timeframe: 30s
falsepositives:
    - Authorized OT monitoring or asset discovery tools
level: high

ZionSiphon is not important because it is flawless. It is important because it proves the model. A moderately capable actor built malware that understands OT protocols, targets process parameters, crosses air gaps through USB, and aims for physical consequence. The logic flaw in the current sample is a temporary defect, not a strategic comfort.
