{ "Event": { "analysis": "1", "date": "2026-04-24", "extends_uuid": "", "info": "[Threat Intel] OT-Focused Malware Highlights Emerging Risk to Water Infrastructure Systems", "protected": false, "publish_timestamp": "1777818322", "published": true, "threat_level_id": "2", "timestamp": "1777818318", "uuid": "24bd21dd-4f1b-4977-a476-db5f2b552c6b", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1565.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#3e2e74", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Replication Through Removable Media - T1091\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#0aebeb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Israel\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#1c006d", "local": false, "name": "rectifyq:topic=\"geopolitical\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Water\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777431614", "to_ids": false, "type": "link", "uuid": "bb3752cb-cbbd-4df5-908d-873d2c1d1b48", "value": "https://blog.polyswarm.io/zionsiphon-ot-focused-malware-highlights-emerging-risk-to-water-infrastructure-systems" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777431614", "to_ids": false, "type": "text", "uuid": "1511d7cf-025a-4d1a-903a-5bc5b4214428", "value": "ZionSiphon is operational technology-focused malware targeting water treatment and desalination facilities in Israel. The sample demonstrates ICS-awareness through industrial protocol interaction capabilities including Modbus, with incomplete support for DNP3 and S7comm. It incorporates geographic and environmental validation controls designed to restrict execution to Israeli water infrastructure systems. The malware attempts persistence through registry autorun entries, privilege escalation, and removable media propagation. Functionality includes network discovery of industrial devices, process manipulation targeting chlorine dosing and flow control, and configuration file modification. A critical validation flaw prevents successful execution, suggesting the analyzed sample represents incomplete development or testing. Embedded pro-Iran and anti-Israel messaging indicates politically motivated intent, though no specific threat actor attribution exists." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777431614", "to_ids": false, "type": "text", "uuid": "e720de2e-15cc-43ed-8080-83c5fe055704", "value": "Name: OT-Focused Malware Highlights Emerging Risk to Water Infrastructure Systems\nAuthor: AlienVault\nAdversary: \nTags: [\"desalination\", \"modbus\", \"removable_media_propagation\", \"ics_targeting\", \"water_treatment\", \"dnp3\", \"geographic_filtering\", \"zionsiphon\", \"chlorine_dosing\", \"s7comm\", \"process_control\"]\nTgtd countries: [\"Israel\"]\nMlwr families: [\"ZionSiphon\"]\nAttack_ids: [\"T1565.001\", \"T1135\", \"T1082\", \"T1106\", \"T1091\", \"T1005\", \"T1021\", \"T1112\", \"T1059\", \"T1083\", \"T1204\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1203\", \"T1070.004\", \"T1046\", \"T1105\"]\nIndustries: []" }, { "category": "External analysis", "comment": "Dragos dismisses ZionSiphon narrative", "deleted": false, "disable_correlation": false, "timestamp": "1777674223", "to_ids": false, "type": "link", "uuid": "1f7883bd-1d0e-4074-805d-7175e5894b29", "value": "https://www.dragos.com/blog/zionsiphon-ot-malware-analysis" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1777818272", "uuid": "79710e23-11e4-46f0-96ca-0011c2cef0c7", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1777818272", "to_ids": true, "type": "md5", "uuid": "45338c3f-8f8c-4a32-a3c9-d75957f9568c", "value": "eb89f018e6c3a8e9de0a0452acb16e76", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1777818272", "to_ids": true, "type": "sha1", "uuid": "6c3c760a-34fc-405f-a804-4098b2ebfee4", "value": "7cdcb8f372ceb7f5d3c178d9649080106a932f9e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1777818272", "to_ids": true, "type": "sha256", "uuid": "7bc217a0-7f7f-4256-b56b-df9e0fb561ec", "value": "07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777818177", "to_ids": true, "type": "ssdeep", "uuid": "80b28ebd-622a-4183-8801-531645341294", "value": "1536:xs44pt0oN4wRdv1s/P5KvTlB1ICt0Qep/oG8gSTBVfYdd+9MWNniBg:xsD1dqpKLlXFPc/oG8gSTf5/niBg" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777818177", "to_ids": false, "type": "size-in-bytes", "uuid": "c24fb07c-f969-437e-8574-0e94da150dbd", "value": "102400" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777818177", "to_ids": true, "type": "vhash", "uuid": "f5087965-145f-4903-99a0-643238d7c6e6", "value": "215036551511c07825a0040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777818177", "to_ids": true, "type": "filename", "uuid": "f41dc2ac-c66c-4f52-887b-281c4484c81b", "value": "aXN0IGFnZ3Jlc3Npb24uIEkgYW.exe" }, { "category": "Other", "comment": "Checked: 03/05/2026\nLast-scan\t: 01/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777818177", "to_ids": false, "type": "text", "uuid": "5aaccec8-e3bb-4bcd-a800-c9aa0d6cd0dd", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Leonem!rfn\nVT Total Detection:54/71\nFirst Submission:2025-06-29T13:07:39.000000+00:00\nLast Submission:2026-04-24T23:49:36.000000+00:00" } ] } ] } }