
Cyberattack Targets Israeli Desalination Plants With Sabotage Malware


A newly discovered malware strain is raising concerns in the cybersecurity community after researchers identified its potential to target critical water infrastructure.

The malware, named ZionSiphon, appears designed to infiltrate systems linked to desalination plants and water treatment facilities, particularly those associated with Israel’s national infrastructure.

Security analysts found that the malware combines traditional cyberattack techniques with specialized targeting logic aimed at industrial environments.

Its design suggests an attempt to move beyond data theft or disruption, focusing instead on manipulating real-world processes.

Targeted Infrastructure and Political Signals

One of the most notable aspects of ZionSiphon is its clear geographic and sector-specific targeting.

The malware includes hardcoded IP address ranges associated with Israeli networks, ensuring it activates only within a defined region.

This level of targeting indicates a deliberate and focused campaign rather than a widespread opportunistic attack.

Function “ZionSiphon()” used by the malware author (Source: darktrace)

Further analysis reveals embedded references to key components of Israel’s water system, including major desalination plants and water management organizations.

These elements suggest the attackers aimed to disrupt essential services tied to drinking water production and wastewater treatment.

In addition to technical indicators, the malware also contains politically charged messages hidden within its code.

These messages point toward ideological motivations behind the campaign, highlighting how cyberattacks are increasingly being used as tools for geopolitical signaling.

The malware obfuscates the IP ranges by encoding them in Base64 (Source: darktrace)

Sabotage Capabilities and Technical Limitations

ZionSiphon is built with multiple capabilities commonly seen in advanced malware. It can escalate privileges, establish persistence on infected systems, and spread through removable media such as USB drives.

Once active, it checks whether the infected system matches both geographic and environmental conditions before executing its payload.

Strings in the target list, all related to Israel and water treatment (Source: darktrace)

If these conditions are met, the malware attempts to tamper with configuration files used in desalination and water treatment systems.

For example, it modifies settings for chlorine levels and pressure controls, actions that could disrupt water safety and operational stability.

The malware also includes functions to scan local networks for industrial control systems using protocols such as Modbus.

This indicates an intent to interact directly with operational technology, which manages physical processes in industrial environments.

However, according to Darktrace, despite its concerning design, the current version of ZionSiphon appears incomplete. Researchers observed flaws in its targeting logic that prevent it from properly identifying intended systems.

Some communication modules for industrial protocols are also only partially developed, limiting their effectiveness.
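As an added example (not Darktrace's code or anything from the malware itself), a small Python triage helper for the two traits described above: Base64 tokens that hide CIDR ranges, and a plain-text list of sector-specific strings. It runs over a constructed string dump, decodes the ranges, separates them from keyword hits, and lets a defender check whether one of their own addresses would fall inside a decoded range. The sample ranges are RFC 5737 documentation ranges, not real networks, and the keyword list is an assumption.

```python
import base64
import ipaddress
import re

# Constructed sample of strings as a static-analysis string dump might list them.
# The Base64 tokens encode RFC 5737 documentation ranges, not any real network.
SAMPLE_STRINGS = [
    "MTkyLjAuMi4wLzI0",        # base64("192.0.2.0/24")
    "MjAzLjAuMTEzLjAvMjQ=",    # base64("203.0.113.0/24")
    "desalination",
    "kernel32.dll",
    "water treatment",
    "aGVsbG8=",                # base64("hello"): decodes, but is not a CIDR
    "not-base64!",
]

# Assumed sector keywords a triage analyst would look for in a target list.
SECTOR_KEYWORDS = ("desalination", "water treatment", "chlorine", "modbus")

B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")


def decode_cidr(token):
    """Return an ip_network if token is Base64 of a CIDR string, else None."""
    if not B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
        return ipaddress.ip_network(text, strict=False)
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64, not ASCII, or not a CIDR: ignore the token.
        return None


def triage(strings, keywords=SECTOR_KEYWORDS):
    """Split a string dump into decoded network ranges and sector keyword hits."""
    ranges, keyword_hits = [], []
    for s in strings:
        net = decode_cidr(s)
        if net is not None:
            ranges.append(str(net))
        elif any(k in s.lower() for k in keywords):
            keyword_hits.append(s)
    return {"ranges": ranges, "keyword_hits": keyword_hits}


def host_in_ranges(host_ip, ranges):
    """Exposure check: would host_ip satisfy a geo gate built on these ranges?"""
    ip = ipaddress.ip_address(host_ip)
    return any(ip in ipaddress.ip_network(r) for r in ranges)
```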

Even so, experts warn that the malware represents an important evolution in cyber threats. It highlights a growing trend of attackers experimenting with tools that can impact critical infrastructure, particularly in sectors such as water and energy.


The post Cyberattack Targets Israeli Desalination Plants With Sabotage Malware appeared first on Cyber Security News.


Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug


University student says he plans to move to Android, but concedes iOS engineers acting fast

Apple is finally working on a fix for a bug that has locked some users out of their iPhones for months, The Register understands.…


Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild


The security researcher who earlier this month published a proof-of-concept (PoC) exploit for a zero-day privilege escalation vulnerability in Microsoft Defender is back with two more. The first, dubbed “RedSun,” is another privilege escalation flaw in the same platform. The second, “UnDefend,” allows a standard user to block Microsoft Defender from receiving signature updates or disable it entirely (if Microsoft pushes a major Defender update). And, according to Huntress researchers, all three exploitation techniques have … More

The post Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild appeared first on Help Net Security.


75,000 DDoS-for-Hire Users Reprimanded as Authorities Seize Dozens of Domains


Law enforcement agencies across Europe, the United States, and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to knock websites offline.

The coordinated effort led to the seizure of 53 domains, four arrests, 25 search warrants, and warning notices sent to more than 75,000 people suspected of using so-called “booter” or “stresser” platforms.

A Crackdown on DDoS-for-Hire

DDoS-for-hire platforms allow customers to pay relatively small fees to launch distributed denial-of-service attacks against websites, gaming services, businesses, and public infrastructure. In fact, AI-driven threat intelligence company Cyble said in a new research report released today that DDoS was the primary mode of attack during the ongoing Iran-Israel and U.S. conflict. Cyble recorded a 140% increase in DDoS attacks targeting Israeli entities after September 2025, and at the height of the conflict saw 40 DDoS attacks per day.

These DDoS-for-hire services often market themselves as legitimate stress-testing tools, but authorities say they are widely abused for harassment, extortion, and disruption.

The latest enforcement wave is part of the long-running international initiative known as "Operation PowerOFF," which has previously dismantled multiple booter services and disrupted related infrastructure.


U.S. Authorities Seize Key Infrastructure

The U.S. Department of Justice said investigators in Alaska seized infrastructure linked to eight DDoS-for-hire domains, including services branded as Vac Stresser and Mythical Stress, both of which allegedly advertised the ability to launch tens of thousands of attacks per day. Investigators also searched backend servers tied to the platforms.

Officials did not immediately identify those behind the services, but said the action was intended to disrupt the technical backbone used to power attacks globally.

75,000 Users Contacted Directly

In one of the more unusual aspects of the operation, authorities contacted more than 75,000 suspected users directly through warning emails and letters.

Law enforcement agencies appear to be using deterrence alongside takedowns—sending a message that paying for DDoS attacks leaves a trail and may bring legal consequences.

Security experts say the tactic could be particularly effective against younger or low-level offenders who use these platforms for gaming disputes, personal retaliation, or vandalism without fully understanding the legal risks.

Investigators said they identified around three million criminal accounts connected to the wider DDoS-for-hire ecosystem. The sheer number of accounts shows how industrialized cybercrime services have become. Instead of building botnets or malware, users can simply rent attack capability on demand.

DDoS attacks overwhelm a target with traffic, often causing websites, applications, or networks to crash. While sometimes dismissed as nuisance attacks, they can disrupt hospitals, financial institutions, government portals, and emergency services.

Recent years have also seen DDoS attacks used as smokescreens to distract security teams while other intrusions unfold.


A Persistent Cat-and-Mouse Game

Despite repeated takedowns, booter services often reappear quickly under new names, new domains, or relocated hosting providers. Researchers have found that while seizures can significantly reduce traffic in the short term, the market has proven resilient over time.

That means operations like PowerOFF may need to combine arrests, infrastructure seizures, financial disruption, and user deterrence to have lasting impact.


Google wipes out 602 million scam ads with Gemini on duty


Google claims that its security teams work around the clock using its Gemini AI models to detect and stop harmful ads. “Bad actors are using generative AI to create deceptive ads at scale, and Gemini helps us detect and block them in real time” Keerat Sharma, VP and GM, Ads Privacy and Safety, Google, said. “Our models analyze hundreds of billions of signals — including account age, behavioral cues and campaign patterns — to stop … More

The post Google wipes out 602 million scam ads with Gemini on duty appeared first on Help Net Security.


Microsoft Confirms Windows Servers Enter Reboot Loops Following April Patches


Microsoft has confirmed that some Windows Server 2025 systems are entering reboot loops after installing its April 2026 Patch Tuesday update, raising concerns among enterprise administrators and IT teams.

The issue is linked to cumulative update KB5082063 (OS Build 26100.32690), released on April 14, 2026.

While the update includes important security fixes and performance improvements, Microsoft acknowledged that domain controllers may restart repeatedly after installation, effectively creating a reboot loop scenario that can disrupt critical infrastructure.

According to Microsoft’s official release notes and Windows release health dashboard, the problem primarily affects domain controllers, which are essential for authentication and Active Directory operations in enterprise environments.

Repeated restarts in such systems can lead to authentication failures, service outages, and network instability.

The April update was designed to introduce several security enhancements, including improvements to Secure Boot certificate deployment and Kerberos authentication.

Notably, Microsoft modified Kerberos Key Distribution Center (KDC) behavior to use stronger AES-based encryption by default, addressing risks tied to CVE-2026-20833.

However, these authentication-related changes may be contributing to system instability in certain configurations.

Microsoft also highlighted additional known issues tied to the update. Devices using unsupported or misconfigured BitLocker Group Policy settings may be forced into BitLocker recovery mode after installation.

In parallel, Windows Server Update Services (WSUS) is reportedly failing to display detailed error messages, making troubleshooting more difficult for administrators.

Beyond the reboot loop issue, KB5082063 includes several improvements:

  • Enhanced protection against malicious Remote Desktop (.rdp) files by showing connection settings before execution.
  • Improved SMB compression reliability over QUIC, reducing timeout issues.
  • Updates to Windows Deployment Services (WDS), where the “Hands-Free Deployment” feature is now disabled by default due to security hardening linked to CVE-2026-0386.
  • Better handling of PowerShell registry imports and improved Bluetooth device management.

Microsoft has not yet released an out-of-band patch or full mitigation guidance for the reboot loop issue at the time of writing.

However, administrators are advised to closely monitor affected systems and review update deployment strategies, especially in domain controller environments.

As an immediate precaution, security teams should:

  • Delay deployment of KB5082063 on critical servers until further guidance is issued.
  • Ensure recent system backups are available for rapid recovery.
  • Monitor domain controller uptime and authentication logs for anomalies.
  • Validate BitLocker configurations to avoid unexpected recovery prompts.

This incident highlights the ongoing risk associated with monthly security updates, where critical fixes can sometimes introduce operational instability.

Organizations are encouraged to test patches in controlled environments before wide deployment to minimize disruption.

Microsoft is expected to provide further updates or mitigation steps as investigations continue.


The post Microsoft Confirms Windows Servers Enter Reboot Loops Following April Patches appeared first on Cyber Security News.
