Quick Facts
- Category: Robotics & IoT
- Published: 2026-05-03 01:11:02
The fourth quarter of 2025 brought new challenges and shifting patterns in the cybersecurity landscape for industrial automation systems. While the overall percentage of ICS (Industrial Control Systems) computers recording blocked malicious activity continued its steady decline from earlier highs, a notable surge in email‑borne worm attacks created fresh outbreaks across multiple regions. This Q&A explores the key statistics, the rise of the Backdoor.MSIL.XWorm, the deceptive “Curriculum-vitae-catalina” phishing campaigns, and regional variations that security teams should understand. Insights are drawn from the latest Kaspersky ICS CERT data.
1. How did the overall threat level on ICS computers change by Q4 2025?
The proportion of ICS computers on which malicious objects were blocked reached 19.7% in Q4 2025. This figure represents a continuing downward trend that began at the start of 2024. Over the three‑year period from Q1 2023 to Q4 2025, the percentage decreased by a factor of 1.36; comparing Q4 2023 with Q4 2025 shows a reduction of 1.25 times. Although the headline numbers improved, the quarter saw new attack vectors—particularly email worms—that caused localized spikes. The decline suggests that baseline security measures are improving, but the emergence of novel threats reminds us that attackers are constantly adapting their tactics.

2. Which regions recorded the highest and lowest percentages of blocked threats?
Regional disparities remained wide. Africa had the highest share, with 27.3% of ICS computers blocking malicious objects. At the opposite end, Northern Europe recorded the lowest, at 8.5%. Four regions—including Southern Europe and South Asia—experienced an increase in blocked threats during Q4 2025. In the previous quarter, East Asia had seen a sharp rise driven by the local spread of malicious scripts, but by Q4 that figure had returned to normal. The variation underscores how regional security postures, user behaviors, and attack campaigns can affect risk levels differently.
3. What was the most notable threat vector in Q4 2025?
The standout vector was worms in email attachments. During Q4 2025, the percentage of ICS computers where such worms were blocked increased in every global region. Many of these detections were linked to the worm Backdoor.MSIL.XWorm. This malware is designed to maintain persistence on infected systems and enable remote control by attackers. Interestingly, this particular threat had not been observed on ICS computers in the preceding quarter, making its sudden worldwide appearance a significant event. The widespread nature of the outbreak points to a coordinated campaign that leveraged email as the primary entry point.
4. How was the Backdoor.MSIL.XWorm distributed, and what was the “Curriculum-vitae-catalina” campaign?
The distribution relied heavily on phishing emails. Attackers sent messages disguised as replies from job applicants, with subject lines like “Resume” or “Attached Resume.” The malicious attachment was named Curriculum Vitae‑Catalina.exe. When opened, it infected the system with Backdoor.MSIL.XWorm. This campaign, known since 2024 as “Curriculum‑vitae‑catalina,” specifically targeted HR managers, recruiters, and hiring personnel. The attackers likely used a new obfuscation technique that allowed the malware to evade detection during the massive phishing runs in Q4 2025. The campaign illustrates how social engineering continues to be an effective method for breaching industrial environments.
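The lure described above (a résumé-themed subject line carrying an executable named as a CV) is exactly the pattern a mail-gateway or SOC triage script can flag before the attachment reaches a recruiter. The following is an added example written for this article; it is not code from Kaspersky ICS CERT or from the original report, and it assumes a generic gateway that hands the script raw RFC 822 messages. The sample messages, sender addresses and attachment bodies are constructed here for the demonstration. The check deliberately does not trust the file name alone: it also looks for the `MZ` header of a Windows executable in the decoded attachment body, so a binary renamed to `.pdf` is caught too.

```python
"""Triage résumé-themed mail with executable attachments (added example, not from the report)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows will execute directly when a user double-clicks the attachment.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".hta", ".ps1", ".msi"}
# MIME types a sending client typically assigns to a Windows executable.
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                   "application/vnd.microsoft.portable-executable"}
# Subject-line lure vocabulary seen in the "Curriculum-vitae-catalina" campaign.
RESUME_WORDS = re.compile(r"\b(resume|résumé|cv|curriculum[\s_-]*vitae)\b", re.IGNORECASE)


def attachment_findings(name: str, content_type: str, body: bytes) -> list:
    """Return the list of reasons one attachment looks like a disguised executable."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {suffixes[-1]}")
        if len(suffixes) >= 2:
            # e.g. "resume.pdf.exe": a document extension hiding an executable one
            reasons.append("double extension")
    if content_type.lower() in EXEC_MIME_TYPES:
        reasons.append("executable MIME type")
    if body[:2] == b"MZ":
        # PE/DOS header: the content is an executable regardless of the file name
        reasons.append("PE header (MZ) in body")
    return reasons


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether it should be held for review."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    report = {
        "subject": subject,
        "resume_lure": bool(RESUME_WORDS.search(subject)),
        "attachments": [],
        "verdict": "allow",
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = attachment_findings(name, part.get_content_type(), body)
        report["attachments"].append({"name": name, "reasons": reasons})
        if reasons:
            # Any executable indicator is enough to hold the message; the résumé
            # lure is recorded so analysts can link it to the campaign pattern.
            report["verdict"] = "block"
    return report


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message (constructed test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # constructed placeholder sender
    msg["To"] = "hr@example.invalid"             # constructed placeholder recipient
    msg["Subject"] = subject
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        # Campaign-style lure: executable name plus executable content
        build_sample("Attached Resume", "Curriculum Vitae-Catalina.exe", b"MZ" + b"\x90" * 64),
        # Renamed executable: harmless-looking name, executable content
        build_sample("Resume", "resume.pdf", b"MZ" + b"\x90" * 64),
        # Genuine document: PDF magic bytes, document extension
        build_sample("Resume", "resume.pdf", b"%PDF-1.4\n%fake constructed body\n"),
    ]
    for raw in samples:
        result = triage(raw)
        print(result["verdict"], result["subject"], result["attachments"])
```

Running the block prints `block` for the first two constructed messages and `allow` for the genuine PDF. In a real deployment the same logic would sit behind the gateway's content filter; the body check matters most in the early phase of a campaign, when a new obfuscation layer may defeat signature matching but cannot change the fact that the attachment is a Windows executable.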

5. When and where did the XWorm attacks occur?
The threat spread in two waves. The first wave hit in October 2025 and affected Russia, Western Europe, South America, and Canada (North America). The second wave came in November, affecting other regions—including Africa, the Middle East, and parts of Asia. By December, blocking activity subsided across all regions. The highest percentages of ICS computers blocking Backdoor.MSIL.XWorm were observed in regions where email‑borne threats had historically been frequent: Southern Europe, South America, and the Middle East. This historical predisposition suggests that user behavior (e.g., reliance on email for business communication) created favorable conditions for the worm to proliferate.
6. Why did some regions experience the threat differently?
Regional differences stemmed from prevalent attack vectors and local habits. For example, in Africa, where USB storage media remain widely used, the worm was also detected when removable devices were connected to ICS computers—not just via email. In contrast, regions with more mature email‑security awareness still faced risks because the phishing emails were carefully crafted to mimic genuine job applications. The interplay of email and removable media highlights the need for multifaceted defenses. Additionally, the worm’s use of a new obfuscation technique likely helped it bypass traditional signature‑based detection in the early stages of the campaign, affecting regions with different security stack maturity levels.
7. Which industries were most impacted by the Q4 2025 threats?
While industry‑level data is limited, the biometrics sector was specifically highlighted as experiencing attacks. This sector often overlaps with industrial automation for access control and identity management systems. The “Curriculum‑vitae‑catalina” campaign’s focus on HR personnel means that any organization with active hiring—including industrial automation firms—could be targeted. The worm’s ability to remotely control infected computers makes it particularly dangerous for ICS environments, where a compromised workstation can serve as a pivot point to disrupt operational technology. Overall, the Q4 2025 data reinforces that industrial automation security must address both traditional malware and sophisticated email‑based social engineering aimed at human operators.