Q4 2025 Cybersecurity Report: Industrial Automation Systems Face Rising Email-Borne Worms Amidst Overall Threat Decline

<h2>Decline in Malicious Activity on ICS Systems: A Three-Year Trend</h2>
<p>Since the beginning of 2024, industrial control system (ICS) computers have seen a steady reduction in detections of malicious objects. In the fourth quarter of 2025, the share of ICS computers on which such threats were blocked was 19.7%, continuing the downward trajectory. Over the past three years this figure has fallen by a factor of 1.36, and relative to Q4 2023 by a factor of 1.25. The sustained decline points to improving security postures across industrial environments, though regional disparities remain significant.</p>
<figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/15120820/SL-industrial-threats-q4-2025-featured-scaled.jpg" alt="Q4 2025 Cybersecurity Report: Industrial Automation Systems Face Rising Email-Borne Worms Amidst Overall Threat Decline" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h3 id="regional-disparities">Regional Disparities in Infection Rates</h3>
<p>Across the globe, the proportion of ICS computers encountering malicious objects varied widely in Q4 2025. The lowest rate was recorded in Northern Europe at 8.5%, while Africa topped the list at 27.3%. This range underscores how geographic, economic, and infrastructural factors influence cybersecurity resilience in industrial settings.</p>
<h3 id="regional-increases">Notable Regional Increases</h3>
<p>While most regions saw stable or declining rates, four areas experienced notable upticks. Southern Europe and South Asia recorded the most pronounced rises. In East Asia, a sharp spike occurred in Q3 2025 due to the rapid local spread of malicious scripts; by Q4 2025 the situation had normalized, with rates returning to baseline levels.</p>
<h2 id="defining-threat">The Quarter's Defining Threat: Worm Attacks via Phishing Emails</h2>
<p>A standout characteristic of Q4 2025 was the global surge in worms distributed through email attachments. This attack vector affected ICS computers in every region analyzed, a shift from previous quarters in which such threats were more localized. The primary culprit behind this wave was the Backdoor.MSIL.XWorm malware.</p>
<h3 id="xworm-details">Backdoor.MSIL.XWorm: The Leading Malware</h3>
<p>Backdoor.MSIL.XWorm is designed for persistence and remote control of infected systems. Notably, this threat was absent from ICS computers in Q3 2025 but appeared in all regions during Q4. Researchers attribute its rapid spread to a novel obfuscation technique used in massive phishing campaigns.</p>
<h3 id="catalina-campaign">The 'Curriculum-Vitae-Catalina' Campaign</h3>
<p>These phishing campaigns, known since 2024 as "Curriculum-vitae-catalina," targeted human resources professionals and hiring managers. Attackers sent emails disguised as job applicant responses, with subject lines such as "Resume" or "Attached Resume." The emails carried executable files masquerading as documents, frequently named <strong>Curriculum Vitae-Catalina.exe</strong>. When executed, the file infected the system with Backdoor.MSIL.XWorm.</p>
<h3 id="two-waves">Global Spread in Two Waves</h3>
<p>The campaign unfolded in two distinct waves. The first, in October 2025, impacted <strong>Russia, Western Europe, South America, and Canada</strong>. The second wave, in November, spread to other regions worldwide. By December, the attack had subsided across all areas. The highest block rates were observed in regions with a historical prevalence of email-based threats on ICS computers, including <strong>Southern Europe, South America, and the Middle East</strong>.</p>
<h3 id="regional-factors">Regional Vulnerability Factors</h3>
<p>In Africa, where USB storage media remain a common vector for data transfer, the worm was also detected when removable devices were connected to ICS computers. This highlights how local practices can create additional exposure even when email-borne threats are the primary focus.</p>
<p>Overall, Q4 2025 demonstrates that while the broad threat to ICS systems is declining, targeted campaigns—especially those leveraging social engineering and email attachments—can still achieve global reach. Organizations should remain vigilant against phishing attacks and ensure that employees handling sensitive recruitment processes are trained to recognize malicious payloads.</p>
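<p>The lure described in the Curriculum-Vitae-Catalina section (a recruitment-themed subject line and an executable named like a document) is a pattern a mail gateway or SOC triage script can check for before a message reaches an HR mailbox. The following Python script is an added example, not code from the report or from Kaspersky. It builds constructed sample messages with the standard <code>email</code> package and flags attachments that carry an executable extension, a document-style double extension, or a PE (MZ) body behind a document name or a declared document content type. The extension and keyword lists, the sample addresses and the stub PE bytes are assumptions; only the lure pattern (subject "Resume", attachment "Curriculum Vitae-Catalina.exe") comes from the report.</p>

```python
"""Flag executable email attachments that masquerade as documents.

Added example (not code from the Securelist report or from Kaspersky).
Sample messages, addresses, keyword lists and the stub PE bytes are
constructed assumptions; only the lure pattern (subject "Resume",
attachment "Curriculum Vitae-Catalina.exe") comes from the report.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows executes directly; none is a legitimate resume format (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".vbs", ".msi", ".dll"}
# Document extensions an attacker chains before the real one ("Resume.pdf.exe").
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
# Declared MIME types that never legitimately carry a Windows PE body.
DOCUMENT_TYPES = {"application/pdf", "application/msword", "text/plain",
                  "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}
# Subject fragments typical of the recruitment lure (assumed list).
LURE_SUBJECT_WORDS = ("resume", "curriculum vitae", "cv")


def build_sample_message(subject, attachments):
    """Construct a test message; attachments is a list of (filename, bytes, mime_type)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # constructed sender
    msg["To"] = "hr@example.invalid"            # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please find my application attached.")
    for filename, data, mime_type in attachments:
        maintype, subtype = mime_type.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def inspect_message(raw):
    """Parse a raw RFC 5322 message and return a list of (filename, reason) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["Subject"] or "").lower()
    lure_subject = any(word in subject for word in LURE_SUBJECT_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        body = part.get_payload(decode=True) or b""   # decoded attachment bytes
        declared = part.get_content_type()
        reasons = []
        if ext in EXECUTABLE_SUFFIXES:
            reasons.append("executable extension " + ext)
            if len(pieces) > 2 and "." + pieces[-2] in DOCUMENT_SUFFIXES:
                reasons.append("double extension " + name)
        if body[:2] == b"MZ":   # DOS/PE header: the body is a Windows executable
            reasons.append("PE (MZ) header in attachment body")
            if declared in DOCUMENT_TYPES or ext in DOCUMENT_SUFFIXES:
                reasons.append("declared " + declared + " / name " + name
                               + " but body is a PE file")
        if reasons and lure_subject:
            reasons.append("subject matches recruitment lure")
        findings.extend((name, reason) for reason in reasons)
    return findings


# Constructed stub that only reproduces the MZ/PE signature; it is not a real binary.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

# Constructed samples: the reported lure, a PE hidden behind a PDF name/type, and a benign PDF.
SAMPLE_LURE = build_sample_message(
    "Attached Resume",
    [("Curriculum Vitae-Catalina.exe", FAKE_PE, "application/octet-stream")])
SAMPLE_MISMATCH = build_sample_message(
    "Resume", [("Resume.pdf", FAKE_PE, "application/pdf")])
SAMPLE_BENIGN = build_sample_message(
    "Resume", [("Resume.pdf", b"%PDF-1.7\n%constructed\n", "application/pdf")])

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("mismatch", SAMPLE_MISMATCH),
                       ("benign", SAMPLE_BENIGN)):
        print(label, inspect_message(raw))
```

<p>The extension check alone is cheap but is defeated by a renamed payload, which is why the magic-byte check on the decoded body and the comparison against the declared content type are included; a production gateway would additionally unpack archives and detonate unknown executables in a sandbox rather than rely on naming alone.</p>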