Cyber: ZionSiphon Malware Targets Water Infrastructure Systems - Full Analysis
A newly identified malware strain designed to interact with operational technology (OT) systems has been analyzed by security researchers, revealing capabilities aimed at water treatment and desalination infrastructure. The malware, named ZionSiphon and discovered by Darktrace, combines traditional endpoint compromise techniques with functions tailored to industrial control systems (ICS).

In an advisory published last week, the researchers found that the malware includes privilege escalation, persistence mechanisms and USB-based propagation. Its targeting logic closely aligns with the water sector. The analyzed sample contains hardcoded references to infrastructure components such as desalination plants and wastewater systems, alongside checks for software linked to reverse osmosis and chlorine control. These indicators suggest the malware is designed to activate only when both geographic and environmental conditions are met.

In addition to system checks, the malware embeds politically charged messages and restricts execution to IP ranges associated with Israel. While the embedded messages do not influence execution, they provide insight into the likely motivations behind the campaign.

Once deployed in a qualifying environment, the malware attempts to manipulate local configuration files tied to industrial processes. It appends predefined values related to chlorine dosing and system pressure, which could disrupt water treatment operations if successfully applied.

The code also includes a network discovery routine that scans local subnets for ICS devices. It probes common industrial protocols, including Modbus, DNP3 and S7comm, attempting to identify responsive systems and classify them for further interaction.

Darktrace observed that the Modbus-related functionality is the most developed, allowing the malware to read and potentially modify register values. However, the implementations for DNP3 and S7comm appear incomplete, suggesting partial development or testing stages.

[Figure: Subnet-wide scanning for ICS devices using common OT protocols]
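The discovery behaviour described above, a single host fanning out across a subnet on Modbus, DNP3 and S7comm ports, is detectable from ordinary flow or firewall logs. The following is an added detection example written for this article, not code from Darktrace or from the malware analysis; it assumes the standard TCP ports for the three protocols (502, 20000 and 102) and a constructed flow-log format.

```python
from collections import defaultdict

# Standard TCP ports of the three protocols the advisory names; the mapping
# is an assumption of this example, not a value taken from the analysis.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3"}


def parse_flow(line):
    """Parse one constructed flow record: '<epoch> <src> <dst> <dst_port> <tcp_flags>'."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def detect_ics_sweeps(lines, window=60, min_targets=8):
    """Flag any source that reaches >= min_targets distinct hosts on ICS ports
    within `window` seconds. Normal HMI/SCADA polling touches a few fixed PLCs
    repeatedly; a discovery routine fans out across the whole subnet."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_flow(line)
        if port in ICS_PORTS:
            per_src[src].append((ts, dst, port))
    alerts = []
    for src, events in per_src.items():
        events.sort()
        best, best_protos, start = 0, set(), 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) > best:
                best = len(targets)
                best_protos = {ICS_PORTS[p] for _, _, p in span}
        if best >= min_targets:
            alerts.append({"src": src, "targets": best,
                           "protocols": sorted(best_protos)})
    return alerts


# Constructed sample: an HMI polling two PLCs, and one host sweeping the subnet.
SAMPLE_FLOWS = (
    [f"{1700000000 + 5 * i} 10.0.5.10 10.0.5.{20 + i % 2} 502 S" for i in range(24)]
    + [f"{1700000010 + i} 10.0.5.77 10.0.5.{i + 1} {p} S"
       for i in range(12) for p in (502, 102, 20000)]
)

if __name__ == "__main__":
    for alert in detect_ics_sweeps(SAMPLE_FLOWS):
        print(f"ICS sweep from {alert['src']}: {alert['targets']} hosts, "
              f"protocols {', '.join(alert['protocols'])}")
```

On the constructed sample the HMI at 10.0.5.10 is left alone while 10.0.5.77, which touches twelve neighbours on all three ports within eleven seconds, is reported; in a real deployment the threshold and window should be tuned against the site's known polling pattern.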
Source: InfoSecurity Magazine