Q4 2025 ICS Threat Report: Phishing Worms Surge Amid Declining Infection Rates

<p>In the final quarter of 2025, industrial control system (ICS) computers faced a shifting threat landscape. While overall infection rates continued their downward trend—a positive sign for defenders—a new wave of worm-laden phishing emails struck organizations worldwide. This report breaks down the key findings, from regional variations to the infamous Backdoor.MSIL.XWorm campaign.</p>
<h2 id="q1">1. What was the overall threat landscape for ICS computers in Q4 2025?</h2>
<p>During Q4 2025, the percentage of ICS computers where malicious objects were blocked stood at <strong>19.7%</strong>. This marks a continued decline from the start of 2024. Over the past three years, the rate dropped by a factor of 1.36, and compared to Q4 2023, it fell by 1.25 times. Despite this encouraging trend, threats remain pervasive, especially in certain regions and via specific attack vectors. The decrease is likely due to improved security awareness and updated defenses, but new campaigns, particularly those using email worms, remind us that attackers constantly adapt.</p>
<figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/15120820/SL-industrial-threats-q4-2025-featured-scaled.jpg" alt="Q4 2025 ICS Threat Report: Phishing Worms Surge Amid Declining Infection Rates" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h2 id="q2">2. How did regional infection rates vary in Q4 2025?</h2>
<p>Infection rates differed widely across the globe. The lowest percentage of ICS computers with blocked malicious objects was <strong>8.5% in Northern Europe</strong>, while the highest was <strong>27.3% in Africa</strong>. Four regions actually saw an increase in their infection percentages during Q4 2025, with the most notable jumps in <strong>Southern Europe</strong> and <strong>South Asia</strong>. Earlier, in Q3 2025, East Asia experienced a sharp spike due to local spread of malicious scripts, but by Q4 the figure had normalized. These regional disparities often correlate with email usage patterns, USB drive prevalence, and the sophistication of local cybercriminal groups.</p>
<h2 id="q3">3. What was the standout threat involving worms in email during Q4 2025?</h2>
<p>The quarter’s defining feature was a global increase in <strong>worm-laden email attachments</strong> on ICS computers. Unlike previous quarters, every region recorded a rise in such threats. The primary culprit was <strong>Backdoor.MSIL.XWorm</strong>, malware designed to persist on infected systems and allow remote control. What made this outbreak remarkable was its sudden appearance: in Q3 2025, this threat was virtually absent from ICS systems, but in Q4 it emerged across all regions simultaneously. Researchers linked the spread to a new obfuscation technique used in ongoing phishing campaigns, notably one known since 2024 as <strong>"Curriculum-vitae-catalina"</strong>.</p>
<h2 id="q4">4. How did the Backdoor.MSIL.XWorm campaign target HR departments?</h2>
<p>Attackers used social engineering to target <strong>HR managers, recruiters, and hiring personnel</strong>. They sent phishing emails with subjects like <em>"Resume"</em> or <em>"Attached Resume"</em>, containing a malicious executable file named <strong>Curriculum Vitae-Catalina.exe</strong>. When recipients opened the file, it infected their systems with the XWorm backdoor. These attacks were not random; they leveraged professional trust and urgency. The campaign peaked in two waves: first in <strong>October</strong>, hitting Russia, Western Europe, South America, and Canada; then in <strong>November</strong>, spreading to other regions.
By December, the activity had subsided globally.</p>
<h2 id="q5">5. Which regions were most affected by the XWorm email worm?</h2>
<p>The highest percentages of ICS computers blocking Backdoor.MSIL.XWorm were observed in regions where email-originating threats had historically been high: <strong>Southern Europe, South America, and the Middle East</strong>. These areas have large numbers of ICS systems exposed to email clients. Interestingly, <strong>Africa</strong> also showed significant detections, but there the infection often spread via <strong>USB storage media</strong> rather than email. This suggests that in regions where removable drives remain common, worms can propagate through multiple vectors. The dual wave—October in some areas, November in others—indicates a coordinated, phased campaign by threat actors.</p>
<h2 id="q6">6. What industries were particularly targeted in Q4 2025?</h2>
<p>While the full industry breakdown is not detailed in this report, the phishing campaign specifically targeted <strong>HR departments</strong> across many sectors. Additionally, the <strong>biometrics sector</strong> is mentioned as having experienced notable incidents, though exact statistics are incomplete. Given that HR professionals were the entry point, any industry that hires externally—from manufacturing to technology—was potentially at risk. The use of resume-themed lures suggests attackers were after <strong>corporate networks</strong> that include ICS environments, possibly aiming to pivot from office systems to industrial controls. Organizations with weak email security or untrained staff were especially vulnerable.</p>
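<p>The lure described in sections 4 and 6 (a resume-themed subject carrying an executable attachment) is cheap to catch at the mail gateway before it ever reaches an HR mailbox. The following Python script is an added example written for this page; it is not code from the report or from Kaspersky. It runs a gateway-style triage over a few constructed mail events, using only the indicators the report names (the subjects <em>"Resume"</em> / <em>"Attached Resume"</em> and the attachment name <em>Curriculum Vitae-Catalina.exe</em>). The HR mailbox list, the sender and recipient addresses, and the extension list beyond <code>.exe</code> are assumptions for illustration.</p>

```python
import re
from dataclasses import dataclass

# Extensions a gateway should never deliver as a "resume". The Q4 2025 lure
# was a plain .exe; the remaining entries are an assumed list of other
# directly-executable Windows types, not something the report enumerates.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".msi", ".js", ".vbs", ".hta"}

# Resume-themed subjects as reported ("Resume", "Attached Resume"), plus the
# obvious spelling variants.
RESUME_SUBJECT = re.compile(r"\b(resume|r[eé]sum[eé]|curriculum\s*vitae|cv)\b",
                            re.IGNORECASE)

# Attachment names in the reported lure family "Curriculum Vitae-Catalina".
LURE_FILENAME = re.compile(r"curriculum\s*vitae", re.IGNORECASE)

# Mailboxes that receive recruiting traffic (constructed; map to your own
# HR distribution list).
HR_MAILBOXES = {"hr@example.com", "jobs@example.com", "recruiting@example.com"}


@dataclass(frozen=True)
class MailEvent:
    """One inbound message as the gateway sees it (constructed records)."""
    sender: str
    recipient: str
    subject: str
    attachments: tuple  # attachment filenames


def is_executable(filename: str) -> bool:
    """True if the final extension is one the gateway should block outright.

    Only the last suffix counts, so a double-extension lure such as
    'cv.pdf.exe' is caught while 'cv.exe.pdf' (a real PDF) is not.
    """
    name = filename.strip().lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def assess(event: MailEvent) -> dict:
    """Return a verdict plus the findings that led to it.

    block   - an executable attachment is present (never legitimate in resume traffic)
    review  - no executable, but the attachment name matches the known lure family
    deliver - nothing suspicious; findings are still recorded for context
    """
    reasons = []
    exe_names = [a for a in event.attachments if is_executable(a)]
    if exe_names:
        reasons.append("executable attachment: " + ", ".join(exe_names))
    lure_hit = any(LURE_FILENAME.search(a) for a in event.attachments)
    if lure_hit:
        reasons.append("attachment name matches reported lure family")
    if RESUME_SUBJECT.search(event.subject):
        reasons.append("resume-themed subject")
    if event.recipient.lower() in HR_MAILBOXES:
        reasons.append("recipient is an HR mailbox")

    if exe_names:
        verdict = "block"
    elif lure_hit:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample traffic: the reported lure, a legitimate resume, a
# double-extension executable outside HR, and ordinary internal mail.
SAMPLE_EVENTS = (
    MailEvent("candidate@mail.example", "hr@example.com", "Attached Resume",
              ("Curriculum Vitae-Catalina.exe",)),
    MailEvent("jane@mail.example", "hr@example.com", "Resume",
              ("Jane_Doe_CV.pdf",)),
    MailEvent("vendor@mail.example", "ops@example.com", "Invoice Q4",
              ("Invoice.pdf.exe",)),
    MailEvent("colleague@example.com", "ops@example.com", "Shift notes",
              ("notes.txt",)),
)


def triage(events=SAMPLE_EVENTS):
    """Run assess() over a batch and return (subject, verdict) pairs."""
    return [(e.subject, assess(e)["verdict"]) for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = assess(e)
        print(f"{r['verdict']:8} {e.recipient:20} {e.subject!r:20} "
              f"<- {'; '.join(r['reasons']) or 'no findings'}")
```

<p>The verdict is driven by the attachment type, not by the subject: a resume-themed subject sent to HR is the normal case and must deliver, which is why the second sample lands on <code>deliver</code> even though two findings are logged. The rule only covers direct executables; the report's note that Africa saw the same worm arrive on USB media is a reminder that a gateway check is one layer, and endpoint controls on removable drives are still needed there.</p>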