
ZionSiphon ICS Malware: Detection and Hardening Guide for Water & Desalination Infrastructure

Security Arsenal Team
April 20, 2026

The cybersecurity landscape facing Operational Technology (OT) has escalated with the confirmed detection of ZionSiphon, a sophisticated malicious software strain specifically engineered to target Israeli water and desalination systems. This is not a theoretical exercise; active exploitation has been confirmed against critical infrastructure assets responsible for water supply and treatment.

For defenders, ZionSiphon represents a clear and present danger. It demonstrates a shift from opportunistic IT scanning to focused, intent-driven attacks on industrial control systems (ICS). The malware is designed to pivot from IT networks into the OT environment, manipulating logic controllers and exfiltrating sensitive operational data. Security teams managing water utilities or similar critical infrastructure must assume compromise and immediately hunt for these indicators.

Technical Analysis

Affected Products & Platforms: The malware is primarily designed to target Windows-based engineering workstations and HMI (Human Machine Interface) servers that act as the bridge into the OT network, and from there it exploits vulnerabilities in widely deployed PLC communication protocols.

  • Primary Vector: Windows Server 2016/2019/2022 systems running SCADA/HMI software (e.g., Schneider Electric EcoStruxure, Siemens WinCC, or generic Modbus/TCP gateways).
  • CVE Context: While ZionSiphon utilizes multiple techniques, initial access is often facilitated via CVE-2025-2345 (CVSS 9.8), a critical remote code execution vulnerability in a popular third-party data historian component used in water management plants.

Attack Chain & Mechanics: ZionSiphon operates in a multi-stage fashion:

  1. Initial Compromise: The threat actor gains a foothold on the IT network via phishing or exploitation of CVE-2025-2345 on the public-facing historian server.
  2. Lateral Movement: Using stolen credentials (dumped via LSASS memory manipulation), the threat actor moves laterally toward the DMZ and then the OT zone.
  3. Payload Deployment: A modular backdoor, ZionCore.dll, is side-loaded into a legitimate signed SCADA process (e.g., HmiView.exe). This allows the malware to blend in with normal OT traffic.
  4. Recon & Exfiltration: ZionSiphon hooks into industrial protocol libraries (Modbus, S7Comm) to intercept process data. It establishes a C2 channel over port 443 (HTTPS), using a custom User-Agent string to exfiltrate operational set-points and configuration files.

Exploitation Status:

  • Active Exploitation: Confirmed in-the-wild targeting Israeli entities.
  • CISA KEV: Expected to be added to the Known Exploited Vulnerabilities catalog within 24-48 hours.

Detection & Response

Sigma Rules

The following Sigma rules detect the specific side-loading technique and the suspicious C2 behavior associated with ZionSiphon. Note that the C2 rule keys on the HTTP User-Agent header, which Sysmon network_connection events (Event ID 3) do not record; map that rule to a proxy, web-gateway or TLS-inspection log source that exposes the User-Agent, or it will never fire.

YAML
---
title: ZionSiphon SCADA Process Side-Loading
id: 8a4c2d10-9e1a-4f5b-8b3c-1d2e3f4a5b6c
status: experimental
description: Detects ZionSiphon DLL side-loading technique where a malicious DLL is loaded by a legitimate HMI process.
references:
  - https://thehackernews.com/2026/04/researchers-detect-zionsiphon-malware.html
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.defense_evasion
  - attack.t1574.002
  - attack.persistence
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|contains:
      - 'HmiView.exe'
      - 'scada.exe'
      - 'runtime.exe'
    ImageLoaded|contains:
      - 'ZionCore.dll'
      - 'C:\Windows\Temp\user.dll'
  condition: selection
falsepositives:
  - Legitimate plugin loading by trusted vendors (verify signature)
level: critical
---
title: ZionSiphon C2 Traffic Pattern
id: 1b5d3e21-0f2b-4c6d-9e7f-2a3b4c5d6e7f
status: experimental
description: Detects network connections characteristic of ZionSiphon C2 beacons to external infrastructure.
references:
  - https://thehackernews.com/2026/04/researchers-detect-zionsiphon-malware.html
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 443
    Initiated: 'true'
    UserAgent|contains:
      - 'ZionUpdate/1.0'
      - 'Mozilla/5.0 (compatible; WinSCADA/4.2)'
  filter:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter
falsepositives:
  - Rare; legitimate HMI software usually connects to internal historians only.
level: high
---
title: Suspicious Service Installation ZionSiphon
id: 2c6e4f32-1a3c-5d7e-0f8a-3b4c5d6e7f8a
status: experimental
description: Detects the creation of a persistence service used by ZionSiphon masquerading as a protocol driver.
references:
  - https://thehackernews.com/2026/04/researchers-detect-zionsiphon-malware.html
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.persistence
  - attack.t1543.003
logsource:
  category: process_creation
  product: windows
detection:
  # Two separate selections: a YAML map cannot hold the same key twice,
  # so the original single 'selection' silently dropped one of the lists.
  selection_cmd:
    CommandLine|contains:
      - 'sc create'
      - 'New-Service'
  selection_name:
    CommandLine|contains:
      - 'ZionProtocolDriver'
      - 'ModbusGateSvc'
  condition: selection_cmd and selection_name
falsepositives:
  - Administrator installing legitimate protocol drivers
level: high
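The C2 rule's "selection and not filter" logic applied to egress-proxy log lines, as an added example in Python (not code from Security Arsenal or the original post). The log format, hostnames and IP addresses are constructed for illustration; only the User-Agent strings and the private address ranges come from the rule above.

```python
import ipaddress

# Indicators from the Sigma rule; everything else in this block is constructed sample data.
C2_USER_AGENTS = ("ZionUpdate/1.0", "Mozilla/5.0 (compatible; WinSCADA/4.2)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy log: timestamp host dst_ip dst_port "user-agent"
SAMPLE_LOG = """\
2026-04-08T10:01:02Z hmi-01 10.20.1.5 443 "Mozilla/5.0 (compatible; WinSCADA/4.2)"
2026-04-08T10:01:09Z hmi-01 203.0.113.17 443 "ZionUpdate/1.0"
2026-04-08T10:02:11Z eng-ws-02 198.51.100.9 443 "Mozilla/5.0 (compatible; WinSCADA/4.2)"
2026-04-08T10:03:00Z eng-ws-02 198.51.100.9 443 "Mozilla/5.0 (Windows NT 10.0)"
2026-04-08T10:03:30Z hmi-03 203.0.113.17 8443 "ZionUpdate/1.0"
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line; maxsplit keeps the space-containing User-Agent intact."""
    ts, host, dst_ip, dst_port, ua = line.split(" ", 4)
    return {"ts": ts, "host": host, "dst_ip": dst_ip, "dst_port": int(dst_port), "ua": ua.strip('"')}


def is_internal(ip: str) -> bool:
    """The Sigma 'filter' block: destinations inside RFC 1918 space are excluded."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def matches_c2_rule(event: dict) -> bool:
    """selection (port 443 AND a known User-Agent) and not filter (internal destination)."""
    selection = event["dst_port"] == 443 and any(ua in event["ua"] for ua in C2_USER_AGENTS)
    return selection and not is_internal(event["dst_ip"])


def hunt(log_text: str) -> list:
    """Return the events that match the rule, in log order."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if matches_c2_rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} -> {hit['dst_ip']}:{hit['dst_port']} UA={hit['ua']!r}")
```

Of the five constructed lines only two fire: the internal historian connection is dropped by the filter, the generic browser User-Agent fails the selection, and the 8443 beacon misses the port condition.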

KQL (Microsoft Sentinel)

This KQL query hunts for process execution patterns indicative of the ZionSiphon attack chain, specifically looking for unusual child processes spawned by HMI applications or the sc.exe utility creating the specific malicious services.

KQL — Microsoft Sentinel / Defender
// Hunt for ZionSiphon Indicators of Compromise
let SuspiciousServices = dynamic(["ZionProtocolDriver", "ModbusGateSvc", "ZionSvc"]);
let HMIProcesses = dynamic(["HmiView.exe", "scada.exe", "runtime.exe", "wincc"]);
// Branch 1: sc.exe or PowerShell registering one of the known service names
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FileName =~ "powershell.exe")
    and (ProcessCommandLine has "sc create" or ProcessCommandLine has "New-Service")
    and ProcessCommandLine has_any (SuspiciousServices)
// Branch 2: a shell spawned by an HMI/SCADA process, which these applications do not normally do.
// The union branch needs its own time bound, otherwise it scans the whole table.
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName in~ ("powershell.exe", "cmd.exe", "cmd")
    | where InitiatingProcessFileName has_any (HMIProcesses)
)
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc

Velociraptor VQL

Use this VQL artifact to hunt for the specific file artifacts and persistence mechanisms left behind by ZionSiphon on Windows endpoints.

VQL — Velociraptor
-- Hunt for ZionSiphon persistence and file artifacts
-- VQL has no JOIN and no ago(); the file hits and the service hits are two
-- queries combined with chain(), each carrying a HitType column.

-- Zion* files under System32\drivers modified in the last 7 days
LET FileHits = SELECT OSPath, Size, Mtime, Mode, "file" AS HitType
  FROM glob(globs="C:\\Windows\\System32\\drivers\\Zion*")
  WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Service registrations using the known names; an ImagePath ending in .dll
-- is the masquerading "protocol driver" described in the analysis
LET ServiceHits = SELECT Key.OSPath AS OSPath,
       Description AS ServiceDescription,
       ImagePath AS ServicePath,
       "service" AS HitType
  FROM read_reg_key(globs=[
         "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Zion*",
         "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ModbusGateSvc"])
  WHERE ImagePath =~ "(?i)\\.dll"

SELECT * FROM chain(a=FileHits, b=ServiceHits)

Remediation Script (PowerShell)

This PowerShell script assists in identifying and removing the ZionSiphon services and the files they drop. Run it with elevated privileges.

PowerShell
# ZionSiphon Remediation Script
# Run as Administrator

Write-Host "[+] Starting ZionSiphon Remediation Check..." -ForegroundColor Cyan

$MaliciousServices = @("ZionProtocolDriver", "ModbusGateSvc", "ZionSvc")
$MaliciousPaths = @("C:\Windows\System32\ZionCore.dll", "C:\Windows\System32\drivers\ZionDrv.sys")

foreach ($ServiceName in $MaliciousServices) {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Host "[!] Malicious service found: $ServiceName" -ForegroundColor Red
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        # Delete the service registration; sc.exe handles driver services as well as user-mode services
        sc.exe delete $ServiceName | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Host "[+] Service $ServiceName removed." -ForegroundColor Green
        } else {
            Write-Host "[-] Could not remove service $ServiceName (sc.exe exit code $LASTEXITCODE); it may be marked for deletion until reboot." -ForegroundColor Yellow
        }
    }
}

foreach ($Path in $MaliciousPaths) {
    if (Test-Path $Path) {
        Write-Host "[!] Malicious file found: $Path" -ForegroundColor Red
        # -ErrorAction Stop turns a locked or protected file into a catchable error,
        # so the success message is only printed when the file is actually gone
        try {
            Remove-Item -Path $Path -Force -ErrorAction Stop
            Write-Host "[+] File $Path deleted." -ForegroundColor Green
        } catch {
            Write-Host "[-] Could not delete $Path (possibly still loaded by a running process): $_" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Remediation Complete. Please perform a full AV scan." -ForegroundColor Cyan

Remediation

Immediate action is required to secure affected OT environments:

  1. Patch CVE-2025-2345: Apply the vendor-supplied patch for the data historian component immediately. If patching is not possible due to uptime requirements, isolate the historian server from the network (air-gap) until maintenance can be performed.

  2. Segmentation Verification: Enforce strict Purdue Model segmentation. Ensure that the IT zone (Levels 3/4) cannot directly initiate connections into the OT zone (Levels 1/2) without passing through a DMZ (Demilitarized Zone) and a secure gateway (e.g., a firewall with deep packet inspection for Modbus/DNP3).

  3. Block Egress C2: Configure perimeter firewalls to block outbound HTTPS (port 443) traffic from OT/HMI subnets to the internet. OT devices should generally not require direct internet access. Allowlist only necessary update servers.

  4. Credential Hygiene: Force a password reset for all service accounts and local administrators on HMI stations. Assume credentials have been dumped via the LSASS technique mentioned in the analysis.

  5. Vendor Advisory: Refer to the official advisory from the specific SCADA vendor regarding ZionCore.dll indicators. If your software matches the affected versions, reach out to vendor support for a cleaned update.
