ZionSiphon: New Malware Targets Israeli Water Systems; Plus, Details on RoadK1ll and AngrySpark
Cybersecurity researchers have discovered a new malware strain called **ZionSiphon** targeting Israeli water treatment and desalination systems. This report also covers the discovery of **RoadK1ll**, a Node.js-based implant, and **AngrySpark**, a VM-obfuscated backdoor.

### ZionSiphon Targets Israeli Water Infrastructure
Cybersecurity researchers have identified **ZionSiphon**, a new malware specifically designed to target Israeli water treatment and desalination systems. **Darktrace** researchers, who codenamed the malware **ZionSiphon**, highlighted capabilities including persistence, tampering with local configuration files, and scanning for operational technology (OT)-relevant services on the local subnet. According to **VirusTotal**, the first detection of the sample occurred on June 29, 2025, shortly after the reported "Twelve-Day War" between Iran and Israel.
**Darktrace** stated that the malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities targeting chlorine and pressure controls. This highlights a growing trend of politically motivated critical infrastructure attacks against industrial operational technologies globally.
Currently unfinished, **ZionSiphon** specifically targets Israel, focusing on these IPv4 address ranges:
* 2.52.0[.]0 - 2.55.255[.]255
* 79.176.0[.]0 - 79.191.255[.]255
* 212.150.0[.]0 - 212.150.255[.]255
In addition to encoding political messages supporting Iran, Palestine, and Yemen, the malware includes Israel-linked strings in its target list, specifically related to the nation's water and desalination infrastructure. It also checks to ensure that it is running on those specific systems.
Once launched, **ZionSiphon** identifies and probes devices on the local subnet, attempting protocol-specific communication using Modbus, DNP3, and S7comm protocols. It also modifies local configuration files, tampering with parameters associated with chlorine doses and pressure. Analysis indicates that the Modbus-oriented attack path is the most developed, while the other two only include partially functional code, suggesting the malware is still under development.
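The subnet probing described above is the most visible part of the malware's behaviour from a defender's seat. The following is an added example, not code from the report or from Darktrace, that flags a source host reaching many distinct hosts on the Modbus TCP, DNP3 and S7comm ports within a short window; the log format, sample lines and threshold are assumptions made for the example.

```python
"""Added example, not code from the report or from Darktrace: flag hosts
sweeping a subnet on the OT ports ZionSiphon probes (Modbus TCP/502,
DNP3/20000, S7comm/102). Log format and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

OT_PORTS = {502: "modbus", 20000: "dnp3", 102: "s7comm"}  # well-known ports
# Constructed sample firewall log: "<ISO time> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2025-06-29T10:00:01 10.10.5.23 -> 10.10.5.1:502
2025-06-29T10:00:02 10.10.5.23 -> 10.10.5.2:502
2025-06-29T10:00:02 10.10.5.23 -> 10.10.5.3:102
2025-06-29T10:00:03 10.10.5.23 -> 10.10.5.4:20000
2025-06-29T10:00:03 10.10.5.23 -> 10.10.5.5:502
2025-06-29T10:00:04 10.10.5.23 -> 10.10.5.6:102
2025-06-29T10:00:09 10.10.5.40 -> 10.10.5.9:502
2025-06-29T10:00:10 10.10.5.40 -> 10.10.5.9:502
2025-06-29T10:00:11 10.10.5.40 -> 10.10.5.1:443
"""

def parse_line(line):
    """Return (timestamp, src, dst, port), or None for unparsable lines."""
    try:
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None

def find_ot_sweeps(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: {"targets": n, "protocols": [...]}} for sources reaching
    >= min_targets distinct hosts on OT ports within a sliding `window`."""
    per_src = defaultdict(list)  # src -> [(ts, dst, protocol)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in OT_PORTS:
            ts, src, dst, port = rec
            per_src[src].append((ts, dst, OT_PORTS[port]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()  # scan a window anchored at each event in time order
        for i, (start, _, _) in enumerate(events):
            inside = [e for e in events[i:] if e[0] - start <= window]
            targets = {dst for _, dst, _ in inside}
            if len(targets) >= min_targets:
                protos = sorted({p for _, _, p in inside})
                alerts[src] = {"targets": len(targets), "protocols": protos}
                break
    return alerts
```

A host such as 10.10.5.40 that polls one PLC repeatedly (normal HMI traffic) is not flagged, while a host touching several distinct devices across more than one OT protocol is.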
A key feature of the malware is its ability to propagate the infection via removable media. On hosts that don't meet the targeting criteria, it initiates a self-destruct sequence to delete itself.
**Darktrace** notes that while the file contains sabotage, scanning, and propagation functions, the current sample appears unable to satisfy its own target-country checking function even when the reported IP falls within the specified ranges. They suggest this could be due to intentional disabling, incorrect configuration, or an unfinished state.
Despite these limitations, the code structure suggests a threat actor experimenting with multi-protocol OT manipulation, persistence within operational networks, and removable-media propagation techniques similar to earlier ICS-targeting campaigns.
### RoadK1ll: A WebSocket-Based Pivoting Implant
Alongside the **ZionSiphon** discovery, **Blackpoint Cyber** disclosed a Node.js-based implant called **RoadK1ll**, designed to maintain reliable access to compromised networks while blending into normal network activity.
**RoadK1ll** is a reverse tunneling implant that establishes an outbound WebSocket connection to attacker-controlled infrastructure, using that connection to broker TCP traffic on demand.
Unlike traditional remote access trojans, it carries no large command set and requires no inbound listener on the victim host. Its sole function is to convert a single compromised machine into a controllable relay point, an access amplifier, through which an operator can pivot to internal systems, services, and network segments that would otherwise be unreachable from outside the perimeter.
### AngrySpark: VM-Obfuscated Backdoor
**Gen Digital** also revealed a virtual machine (VM)-obfuscated backdoor, dubbed **AngrySpark**, observed on a single machine in the U.K. This implant operated for a year between May 2022 and June 2023 before disappearing when its infrastructure expired. The end goals of the activity remain unknown.
**Gen Digital** explained that **AngrySpark** operates as a three-stage system. A DLL masquerading as a Windows component loads via the Task Scheduler, decrypts its configuration from the registry, and injects position-independent shellcode into svchost.exe. That shellcode implements a virtual machine.
The VM processes a 25KB blob of bytecode instructions, decoding and assembling the real payload: a beacon that profiles the machine, phones home over HTTPS disguised as PNG image requests, and can receive encrypted shellcode for execution.
The result is malware capable of establishing stealthy persistence, altering its behavior by switching the blob, and setting up a command-and-control (C2) channel that can evade detection.
**Gen Digital** added that **AngrySpark** is not only modular, but also carefully designed to evade detection. Several design choices appear specifically aimed at frustrating clustering, bypassing instrumentation, and limiting the forensic residue left behind. The binary's PE metadata has been deliberately altered to confuse toolchain fingerprinting.