{ "Event": { "analysis": "1", "date": "2026-04-16", "extends_uuid": "", "info": "[Threat Intel] Inside ZionSiphon: Darktrace\u2019s Analysis of OT Malware Targeting Israeli Water Systems", "protected": false, "publish_timestamp": "1777816507", "published": true, "threat_level_id": "2", "timestamp": "1777674241", "uuid": "ffefe5df-a7b5-423b-b877-d72ed6b5e19b", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Water\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Israel\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Replication Through Removable Media\"", "relationship_type": "" }, { "colour": "#1c006d", "local": false, "name": "rectifyq:topic=\"geopolitical\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776690257", "to_ids": false, "type": "link", "uuid": "5cfd3469-68bf-4042-bace-75f8f47647f7", "value": "https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems" }, { "category": "External analysis", "comment": "Dragos dismisses ZionSiphon narrative", "deleted": false, "disable_correlation": false, "timestamp": "1777674241", "to_ids": false, "type": "link", "uuid": "6dda1791-5327-4c98-b0eb-c8d21d6f7ed1", "value": "https://www.dragos.com/blog/zionsiphon-ot-malware-analysis" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1776736326", "uuid": "97ad61f3-6c65-4f43-b738-6e407ba77b4a", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1776736326", "to_ids": true, "type": "md5", "uuid": "38acf77e-98af-4b80-b1a9-b933729ae1e5", "value": "eb89f018e6c3a8e9de0a0452acb16e76", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1776735737", "to_ids": true, "type": "sha1", "uuid": "ab62d5ea-cbd6-4ab8-8c1e-578dc2fda8d6", "value": "7cdcb8f372ceb7f5d3c178d9649080106a932f9e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1776735737", "to_ids": true, "type": "sha256", "uuid": "a08d6ec5-a091-4008-b5a0-f164ee52faa7", "value": "07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1776733718", "to_ids": true, "type": "ssdeep", "uuid": "e000bc64-d1d9-42ff-b08b-4a6d534ffec0", "value": "1536:xs44pt0oN4wRdv1s/P5KvTlB1ICt0Qep/oG8gSTBVfYdd+9MWNniBg:xsD1dqpKLlXFPc/oG8gSTf5/niBg" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1776733718", "to_ids": false, "type": "size-in-bytes", "uuid": "b94ff65d-b933-40db-8e78-30002ca564c1", "value": "102400" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1776733718", "to_ids": true, "type": "vhash", "uuid": "bdc3656a-414c-48b2-9e10-ed658d8d0d9f", "value": "215036551511c07825a0040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1776733718", "to_ids": true, "type": "filename", "uuid": "cb66eae3-047c-44a2-8162-8999dc2acf89", "value": "aXN0IGFnZ3Jlc3Npb24uIEkgYW.exe" }, { "category": "Other", "comment": "Checked: 21/04/2026\nLast-scan\t: 21/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1776733718", "to_ids": false, "type": "text", "uuid": "afd18285-1a3f-4056-b28d-03c78951189c", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Leonem!rfn\nVT Total Detection:49/72\nFirst Submission:2025-06-29T13:07:39.000000+00:00\nLast Submission:2025-08-30T16:19:00.000000+00:00" } ] } ] } }