Inside ZionSiphon: politically driven malware aims at Israeli water systems
New ZionSiphon malware targets water systems, and allows attackers to alter pressure and chlorine levels. A flaw makes it ineffective for now. Darktrace analyzed ZionSiphon, a new malware designed to target water treatment and desalination systems, which aims to disrupt operations by altering hydraulic pressure and increasing chlorine levels to unsafe levels. The malware combines […]
Darktrace analyzed ZionSiphon, a new malware designed to target water treatment and desalination systems, which aims to disrupt operations by altering hydraulic pressure and increasing chlorine levels to unsafe levels.
The malware combines common techniques like privilege escalation, persistence, and spreading via removable media with logic tailored to operational technology environments. ZionSiphon scans networks for OT services, modifies configurations, and focuses on Israeli targets using hardcoded IP ranges. Its code also contains political messages, suggesting ideological motives. However, parts of the implementation appear incomplete, indicating it may still be under development despite its potentially disruptive intent.
Related breach coverage
- ZionSiphon Malware Targets ICS in Water Facilities2026-04-17
The malware is configured to operate on systems associated with Israeli water treatment and desalination plants. The post ZionSiphon Malware Targets ICS in Water Facilities appeared first on SecurityWeek.
- Hacktivists breach Canada’s critical infrastructure, cyber Agency warns2025-10-29
Canada’s cyber agency warns hacktivists breached critical infrastructure, altering industrial controls and risking public safety. The Canadian Centre for Cyber Security revealed that hacktivists have repeatedly breached systems of country’s critical infrastructure systems in the country. Attackers tampered with industrial controls at a water treatment facility, an oil & gas firm, and an agricultural facility. […]
- Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers2026-04-22
Mirai botnet is targeting old D-Link routers using CVE-2025-29635, a command injection flaw exploitable via crafted POST requests after public PoC disclosure. A Mirai botnet is actively exploiting a command injection vulnerability, tracked as CVE-2025-29635, in discontinued D-Link routers, Akamai reports. The flaw allows attackers to inject commands because an attacker-controlled value is copied without […]
- Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-346212026-04-12
Adobe addressed a critical Acrobat Reader vulnerability, tracked as CVE-2026-34621, which is actively exploited to run malicious code. Adobe released emergency updates to address a critical vulnerability, tracked as CVE-2026-34621 (CVSS score of 8.6), in Adobe Acrobat Reader, which is being actively exploited. The flaw could allow attackers to execute malicious code on affected systems, […]