
ZionSiphon, RoadK1ll, and AngrySpark: An In-Depth Look at Emerging Threats

  • 8 May
  • 3 min read

Cybersecurity researchers have detected a new malware, dubbed "ZionSiphon" by Darktrace, specifically designed to target Israel's water treatment and desalination facilities. First detected on June 29, 2025, immediately following the Twelve-Day War between Iran and Israel, this malware demonstrates the growing trend of politically motivated attacks against industrial operational technology (OT) globally. ZionSiphon is designed to scan for OT services on local networks, escalate privileges, establish persistence, and even propagate via USB drives. Its most notable feature is its sabotage capability, aimed at manipulating chlorine levels and pressure controls in these facilities. Additionally, political messages supporting Iran, Palestine, and Yemen have been embedded within the malware's code.


Despite its alarming capabilities, ZionSiphon still appears to be in an experimental or unfinished stage. The malware is programmed with strict conditions, requiring both a geographic location matching specific Israeli IPv4 address ranges and an environment specific to water treatment systems in order to operate. If these conditions are not met, the software initiates a self-destruct sequence. Darktrace notes that even when the host's IP address falls within the specified target ranges, the current sample fails to pass its own internal checks, indicating that the software is either intentionally disabled, misconfigured, or not yet finished. However, the fact that the Modbus protocol attack path is much more developed than the partially working DNP3 and S7comm capabilities shows that threat actors are actively experimenting with multi-protocol OT manipulation and removable media propagation techniques.


Coinciding with the ZionSiphon findings, Blackpoint Cyber announced the discovery of a new Node.js-based implant named "RoadK1ll". Designed to provide reliable network access and blend in with normal network traffic, RoadK1ll operates as a reverse tunneling implant. Unlike traditional remote access trojans (RATs), it does not house a large command set or require a listener on the victim machine waiting for external connections. Instead, it establishes an outbound WebSocket connection to attacker-controlled infrastructure and brokers TCP traffic on demand. This essentially turns the infected machine into a hidden relay point (an access amplifier), allowing attackers to bypass the firewall and infiltrate internal network segments and services that are unreachable from the outside.


Finally, Gen Digital reported a highly stealthy virtual machine (VM)-obfuscated backdoor named "AngrySpark," which operated undetected on a single machine in the UK for over a year before its infrastructure expired. AngrySpark operates as a highly complex, three-stage system. The process begins with a DLL that loads via the Task Scheduler and behaves like a legitimate Windows component. This DLL decrypts its configuration in the registry and injects position-independent shellcode into the svchost.exe process. This shellcode then deploys a custom virtual machine that processes a 25 KB bytecode to decode and assemble the actual malicious payload. To avoid detection, AngrySpark communicates with its command-and-control server over HTTPS and disguises its network traffic as harmless PNG image requests. Its deliberate alteration of PE metadata and modular design reveal how carefully the software was crafted to mislead forensic analysis tools, bypass network defenders, and leave a minimal footprint behind.


Some of the precautions we need to take to protect against these types of attacks include:


  • Strict Isolation of IT and OT Networks (Segmentation)

  • Strict Control of Outbound (Egress) Network Traffic

  • Advanced Endpoint Protection (EDR) and Behavioral Analysis

  • Restriction of Removable Media (USB) Usage

  • Advanced Email and Communication Security
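As an added example (not code from the original post or from any of the reports it cites), the egress-control check below scans constructed proxy log lines for outbound WebSocket upgrades that leave an allowlist or stay open for hours, which is the pattern a RoadK1ll-style reverse tunnel produces; the log format, allowlist and thresholds are assumptions.

```python
# Added example, not from the original post: flag outbound WebSocket
# upgrades in proxy logs that leave the egress allowlist or run for hours.
# A RoadK1ll-style implant holds one long-lived outbound WebSocket to
# attacker infrastructure, so such sessions are worth reviewing.
import re
from dataclasses import dataclass
from typing import List

# Constructed sample proxy log lines in an assumed (hypothetical) format:
# <ts> <src_ip> <process> <dst_host>:<port> <method> <upgrade_header> <duration_s>
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 10.0.5.21 chrome.exe chat.example.com:443 GET websocket 120
2025-07-01T10:02:14Z 10.0.5.21 node.exe 203.0.113.7:443 GET websocket 86400
2025-07-01T10:05:30Z 10.0.5.33 outlook.exe mail.example.com:443 GET - 3
2025-07-01T10:09:45Z 10.0.5.40 svchost.exe 198.51.100.9:8443 GET websocket 7200
"""

EGRESS_ALLOWLIST = {"chat.example.com", "mail.example.com"}  # assumed policy
LONG_SESSION_SECONDS = 3600  # assumed threshold for a "long-lived" tunnel

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<dst>[^:]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<upgrade>\S+) (?P<dur>\d+)$"
)


@dataclass
class Finding:
    src: str
    proc: str
    dst: str
    duration: int
    reason: str


def find_suspicious_websockets(log_text: str) -> List[Finding]:
    """Return WebSocket sessions that violate the allowlist or run too long."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["upgrade"].lower() != "websocket":
            continue  # only WebSocket upgrades matter for this check
        dst, dur = m["dst"], int(m["dur"])
        reasons = []
        if dst not in EGRESS_ALLOWLIST:
            reasons.append("destination not in egress allowlist")
        if dur >= LONG_SESSION_SECONDS:
            reasons.append("long-lived session")
        if reasons:
            findings.append(Finding(m["src"], m["proc"], dst, dur, "; ".join(reasons)))
    return findings
```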


For detailed information, you can reach out to our experts at info@zerosecond.com.tr.

