<!-- curated:true -->
# [HIGH] Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems

**Source:** The Hacker News
**Published:** 2026-04-20
**Article:** https://thehackernews.com/2026/04/researchers-detect-zionsiphon-malware.html
**Curated:** Analyst-reviewed 2026-04-28

## Threat profile

Darktrace flagged a new malware family — **ZionSiphon** — purpose-built to target **Israeli water treatment and desalination systems**. Capabilities (per the public summary):
- **Persistence** on infected IT-side hosts.
- **Tampers with local configuration files** (likely PLC/SCADA config exports, HMI project files, control-loop tuning).
- **Scans the local subnet for OT-relevant services** — Modbus/TCP **502**, EtherNet/IP **44818**, S7Comm **102**, BACnet **47808**, OPC UA **4840**, DNP3 **20000**.

This is the fourth piece of OT-targeting malware disclosed in this 6-month window (alongside Lotus Wiper and ICS-targeting tooling). The pattern is **regional in targeting but transferable in technique** — ZionSiphon-class scanning + config-tampering applies to any water/utility/manufacturing OT estate regardless of country.

## Indicators of Compromise

- _Specific ZionSiphon hashes / file artefacts and the destination FQDNs / IPs should be in the Darktrace research blog when published._
- Detection focus: any Windows host on an OT-adjacent segment doing **TCP/502 (Modbus) discovery**, **TCP/44818 (EtherNet/IP) discovery**, or **TCP/4840 (OPC UA) discovery**. Almost no legitimate IT host scans these.
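The detection focus above in runnable form: an added Python example (not from the article or from Darktrace) that buckets constructed flow records into 10-minute windows per source and alerts when one host reaches two or more OT ports, mirroring the thresholds of the Splunk and Defender queries on this page. Port list, sample IPs and timestamps are constructed.

```python
"""Added example (not from the article or Darktrace): OT-port discovery logic as in this page's queries."""
from collections import defaultdict
from datetime import datetime, timezone

# OT/ICS service ports from the page's detection queries
OT_PORTS = {102, 502, 1911, 2222, 4840, 9600, 20000, 44818, 47808, 55000, 55001}
WINDOW_SECONDS = 600  # 10-minute buckets, like the SPL `span=10m`

# Constructed flow records: time src dst dport action (not real traffic)
SAMPLE_LOGS = """\
2026-04-21T08:00:05Z 10.20.5.17 10.30.1.10 502 allowed
2026-04-21T08:01:12Z 10.20.5.17 10.30.1.11 44818 allowed
2026-04-21T08:02:40Z 10.20.5.17 10.30.1.12 4840 allowed
2026-04-21T08:03:01Z 10.20.5.17 10.30.1.13 102 allowed
2026-04-21T08:00:30Z 10.20.5.99 10.30.1.10 502 allowed
2026-04-21T08:00:31Z 10.20.5.42 10.30.1.10 20000 blocked
2026-04-21T09:15:00Z 10.20.5.17 10.30.1.10 502 allowed
"""

def parse_flow(line):
    ts, src, dst, dport, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport), action

def window_start(when):
    # Floor the timestamp to the start of its 10-minute bucket
    epoch = int(when.timestamp())
    return datetime.fromtimestamp(epoch - epoch % WINDOW_SECONDS, tz=timezone.utc)

def find_ot_scanners(log_text, min_ports=2, min_targets=5):
    """Return one alert per (src, window) whose allowed connections reach
    >= min_ports distinct OT ports or >= min_targets distinct hosts."""
    buckets = defaultdict(lambda: {"ports": set(), "targets": set(), "connections": 0})
    for line in filter(str.strip, log_text.splitlines()):
        when, src, dst, dport, action = parse_flow(line)
        if dport not in OT_PORTS or action != "allowed":
            continue  # the SPL on this page counts allowed traffic only
        b = buckets[(src, window_start(when))]
        b["ports"].add(dport)
        b["targets"].add(dst)
        b["connections"] += 1
    alerts = []
    for (src, start), b in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if len(b["ports"]) >= min_ports or len(b["targets"]) >= min_targets:
            alerts.append({"src": src, "window_start": start.isoformat(),
                           "connections": b["connections"], "targeted_ports": sorted(b["ports"]),
                           "distinct_targets": len(b["targets"])})
    return alerts
```

Lower `min_ports` to 1 to see how a single-port probe (a legitimate HMI talking Modbus, for instance) would flood the alert list, which is why the page's queries insist on distinct-port breadth.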

## MITRE ATT&CK (analyst-validated)

- **T1018** — Remote System Discovery (subnet scan)
- **T1046** — Network Service Discovery (OT-port scan)
- **T1547** — Boot or Logon Autostart Execution (persistence)
- **T1565.001** — Stored Data Manipulation (config-file tampering)
- **T1059** — Command and Scripting Interpreter
- **T0855** — ICS-specific: Unauthorized Command Message (likely follow-on)
- **T0836** — ICS-specific: Modify Parameter

## Recommended SOC actions (priority-ordered)

1. **Run OT-port scan detections** below across IT-OT boundary segments. This catches ZionSiphon and most other OT-discovery malware.
2. **Audit config-file integrity** for HMI project files, PLC backup repositories, SCADA project servers — file-integrity monitoring with explicit watch-paths for `.l5x`, `.acd`, `.s7p`, `.gxw`, `.PRG`.
3. **Segregate engineering workstations from corporate AD** if you haven't already. Engineering hosts with corp creds + OT network reachability are the canonical bridge that ZionSiphon-class malware exploits.
4. **Hunt for new persistence on engineering workstations** — startup folder, Run keys, scheduled tasks installed in the last 90 days.
5. **Cross-reference threat intel** for ZionSiphon-related hashes once Darktrace publishes the IOC bundle.
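Step 2 as a worked example, added here and not part of the article or any vendor tool: a SHA-256 baseline-and-diff over the engineering project extensions that the queries on this page watch. The directory layout, file names and contents in `demo()` are constructed.

```python
"""Added example (not from the article): FIM baseline for engineering project files."""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions watched by the page's Splunk/Defender queries (compared case-insensitively)
WATCHED_EXTENSIONS = {".l5x", ".acd", ".s7p", ".gxw", ".prg", ".aap", ".cwp", ".tia"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every watched project file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in WATCHED_EXTENSIONS}

def save_baseline(root, baseline_path):
    Path(baseline_path).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))

def diff_against_baseline(root, baseline_path):
    """Return which watched project files were created, modified or deleted since the baseline."""
    baseline = json.loads(Path(baseline_path).read_text())
    current = snapshot(root)
    return {
        "created": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario in a temp dir: baseline, then tamper, then diff."""
    root = Path(tempfile.mkdtemp())
    (root / "Line1").mkdir()
    (root / "Line1" / "Pump1.ACD").write_bytes(b"constructed PLC project v1")
    (root / "plant.s7p").write_bytes(b"constructed S7 project")
    (root / "notes.txt").write_bytes(b"not a watched extension")
    baseline = root / "baseline.json"
    save_baseline(root, baseline)
    (root / "plant.s7p").write_bytes(b"constructed S7 project, setpoints changed")
    (root / "Line1" / "Pump1.ACD").unlink()
    (root / "Line1" / "Press2.l5x").write_bytes(b"constructed new project")
    return diff_against_baseline(root, baseline)
```

Run `save_baseline` from a known-good engineering workstation state and `diff_against_baseline` on a schedule; the `modified` list is the one to reconcile against change tickets.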

## Splunk SPL — OT port scanning from IT hosts

```spl
| tstats `summariesonly` count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.dest_port IN (102,502,1911,4840,20000,44818,47808,55000,55001,2222,9600)
      AND All_Traffic.action="allowed"
    by All_Traffic.src, All_Traffic.dest_port, _time span=10m
| `drop_dm_object_name(All_Traffic)`
| stats sum(count) AS connections, dc(dest_port) AS distinct_ports,
        values(dest_port) AS targeted_ports
        by src, _time
| where distinct_ports >= 2
| sort - distinct_ports
```

## Splunk SPL — engineering host config-file modifications

```spl
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("modified","created","deleted")
      AND (Filesystem.file_name="*.l5x" OR Filesystem.file_name="*.acd"
        OR Filesystem.file_name="*.s7p" OR Filesystem.file_name="*.gxw"
        OR Filesystem.file_name="*.PRG" OR Filesystem.file_name="*.AAP"
        OR Filesystem.file_name="*.cwp" OR Filesystem.file_name="*.tia")
    by Filesystem.dest, Filesystem.process_name, Filesystem.file_path,
       Filesystem.file_name, Filesystem.user
| `drop_dm_object_name(Filesystem)`
| sort - count
```

## Splunk SPL — new persistence on engineering hosts (Run keys / startup)

```spl
| tstats `summariesonly` count
    from datamodel=Endpoint.Registry
    where Registry.registry_path IN (
        "*\\CurrentVersion\\Run\\*",
        "*\\CurrentVersion\\RunOnce\\*",
        "*\\CurrentVersion\\Explorer\\Shell Folders\\Startup*",
        "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*")
      AND Registry.action="modified"
    by Registry.dest, Registry.process_name, Registry.registry_path,
       Registry.registry_value_name, Registry.registry_value_data
| `drop_dm_object_name(Registry)`
```

## Defender KQL — IT host scanning OT ports

```kql
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionAttempt" or ActionType == "ConnectionFailed"  // add "ConnectionSuccess" to also surface completed sessions to OT ports
| where RemotePort in (102, 502, 1911, 4840, 20000, 44818, 47808, 55000, 55001, 2222, 9600)
| summarize attempts = count(),
            distinctPorts = dcount(RemotePort),
            distinctTargets = dcount(RemoteIP),
            ports = make_set(RemotePort),
            firstSeen = min(Timestamp), lastSeen = max(Timestamp)
            by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where distinctPorts >= 2 or distinctTargets >= 5
| order by attempts desc
```

## Defender KQL — engineering project file changes

```kql
DeviceFileEvents
| where Timestamp > ago(60d)
| where FileName endswith ".l5x" or FileName endswith ".acd"
     or FileName endswith ".s7p" or FileName endswith ".gxw"
     or FileName endswith ".PRG" or FileName endswith ".AAP"
     or FileName endswith ".cwp" or FileName endswith ".tia"
| where ActionType in ("FileCreated","FileModified","FileDeleted")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

## Defender KQL — Run-key persistence on engineering workstations

```kql
DeviceRegistryEvents
| where Timestamp > ago(60d)
| where ActionType in ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has_any (
    "\\CurrentVersion\\Run","\\CurrentVersion\\RunOnce","Explorer\\Shell Folders\\Startup")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

## Why this matters for your SOC

Sector targeting in the article (Israeli water) is tactical; **the technique is universal**. ZionSiphon's three signature behaviours — persistence, config-file tampering, OT port scanning — are *exactly* the same things every other OT-targeted intrusion does. The detections above don't depend on having ZionSiphon's hashes; they catch the **behavioural class**. If your SOC doesn't have OT-port-scan detection live today, this is the article that should make it a Q2 priority. The IT-OT boundary is the most common bridge in OT compromise; that's where these queries pay off.
