Industrial Systems Targeted by New Email Worm Threat Wave

Surge of Email-Borne Worms Threatens Industrial Control Systems: A Deep Dive into Recent Trends

Recent developments in cybersecurity have revealed a troubling trend characterized by a resurgence of email-borne worms targeting industrial control systems (ICS). Despite an overall downward trend in malware activity within these networks, the emergence of this specific threat category marks a significant shift in the risk landscape for operational technology (OT) environments across the globe.

Recent data from Q4 2025 illustrate a notable transformation in malware dynamics, highlighting a phishing-driven distribution of the XWorm backdoor. This new vector has prompted vigilance among security experts, especially since the percentage of ICS computers on which malicious objects were blocked has been on a steady decline since early 2024. By the end of Q4 2025, this figure dropped to 19.7%, the lowest recorded since 2022, a concerning indicator for both security professionals and industries reliant on ICS frameworks.

Regionally, the share of ICS computers with blocked malicious objects varied greatly, ranging from as low as 8.5% in Northern Europe to a striking 27.3% in Africa, showcasing the persistent geographic disparities in OT security maturity. Over the past three years, the overall metric of blocked threats has decreased by a factor of 1.36, with a 1.25-fold decline observed since Q4 2023. Such data suggest a gradual strengthening of cyber defenses in numerous environments, although a general decline in detections does not by itself prove an overall enhancement of cybersecurity.

In an unexpected twist, Q4 2025 saw particular regions such as Southern Europe and South Asia experience an increase in the percentage of ICS systems impacted by blocked malware, despite the overall downward trend. A notable spike was observed in East Asia during the third quarter of 2025, attributable to the local proliferation of malicious scripts, although such levels have since returned to baseline.

Email-Borne Worms: A New Threat Emerges

Among the most alarming revelations of this quarter was the global uptick in worms disseminated through email attachments, highlighting an urgent need for robust cybersecurity measures. This surge is largely linked to Backdoor.MSIL.XWorm, a sophisticated worm-like backdoor engineered to establish persistent control over infected systems. The malware’s emergence in Q4 2025 was particularly striking as it had not been detected on ICS computers in the preceding quarter, indicative of a rapid evolution in threat vectors.

Researchers have attributed this sudden proliferation to a new obfuscation technique utilized in extensive phishing campaigns dubbed "Curriculum-vitae-catalina." These attacks, which targeted Human Resources professionals, recruiters, and hiring authorities, involved deceptive emails that masqueraded as job applications. Common subject lines included "Resume" or "Attached Resume," with malicious executable files cunningly named “Curriculum Vitae-Catalina.exe.” Once these files were executed, they allowed attackers to gain remote access via XWorm, thus breaching system security.

The campaign unfolded in a two-wave series during Q4 2025, experiencing peaks in October and November. Notably, the primary regions affected during October included Russia, Western Europe, South America, and North America, particularly Canada. This was followed by a noticeable uptick in blockings across other regions in November before overall activity subsided in December.
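The lure described above (a resume-themed subject with a Windows executable named like a CV) is the kind of pattern a mail gateway can catch before a recruiter ever sees it. The following triage rule is an added example written for this article, not code from the report or from Kaspersky: it parses raw RFC 5322 messages with Python's standard library, flags attachments that are executables by extension, by double extension, or by PE magic bytes hidden under a document-looking name, and records whether the message is resume-themed. All messages, addresses and the fake PE payload are constructed for the demo; the extension list and the resume keywords are assumptions, not values from the report.

```python
"""Attachment triage for resume-themed phishing delivering executables.

Added example, not from the source article. Parses raw messages, flags
executable attachments (by extension, double extension, or PE 'MZ' header
under a non-executable name) and notes resume-themed subjects/filenames.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of extensions a mail gateway should never let through to HR inboxes.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".hta"}
# Assumed lure vocabulary; the article cites "Resume" and "Attached Resume".
RESUME_WORDS = {"resume", "cv"}


def extension_chain(filename: str) -> list:
    """All dotted suffixes, lowercased: 'cv.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_pe(payload: bytes) -> bool:
    """Windows PE executables begin with the 'MZ' DOS stub header."""
    return payload[:2] == b"MZ"


def resume_themed(subject: str, filenames: list) -> bool:
    """True when the subject or any attachment name reads like a job application."""
    text = " ".join([subject, *filenames]).lower()
    words = set(re.findall(r"[a-z]+", text))
    return bool(words & RESUME_WORDS) or "curriculum vitae" in text


def triage(raw: bytes) -> dict:
    """Return {'verdict', 'resume_themed', 'findings'} for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    findings, names = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name)
        payload = part.get_payload(decode=True) or b""
        exts = extension_chain(name)
        last = exts[-1] if exts else ""
        if last in EXEC_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            if len(exts) > 1:  # e.g. 'resume.pdf.exe'
                findings.append(f"double extension: {name}")
        elif is_pe(payload):  # content says PE, name says document
            findings.append(f"PE content under non-executable name: {name}")
    return {
        "verdict": "quarantine" if findings else "allow",
        "resume_themed": resume_themed(subject, names),
        "findings": findings,
    }


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a raw test message with one attachment (demo data only)."""
    m = EmailMessage()
    m["From"] = "applicant@example.invalid"
    m["To"] = "hr@example.invalid"
    m["Subject"] = subject
    m.set_content("Please find my application attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed payloads: a fake PE header (not runnable) and a PDF-looking blob.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_PDF = b"%PDF-1.7\n%demo\n"

SAMPLES = {
    # Mirrors the lure the article describes: resume subject, .exe named like a CV.
    "catalina": build_sample("Attached Resume", "Curriculum Vitae-Catalina.exe", FAKE_PE),
    "double_ext": build_sample("Resume", "resume.pdf.exe", FAKE_PE),
    "pe_as_pdf": build_sample("Resume", "resume.pdf", FAKE_PE),
    "benign": build_sample("Resume", "resume.pdf", FAKE_PDF),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The rule deliberately checks content as well as names: renaming the dropper to `resume.pdf` defeats the extension check, but the `MZ` header still marks it, while a genuine PDF with a resume subject is allowed through so HR workflows are not blocked wholesale.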

Surprisingly, only one vertical—the oil and gas industry—recorded an increase in the percentage of ICS computers with blocked threats during Q4 2025. Areas in Russia, Central Asia, and the South Caucasus exhibited a higher frequency of blockings; however, trends across most surveyed sectors exhibited a consistent downward trajectory.

The data further revealed that the regions historically plagued by high levels of email-borne threats—including Southern Europe, South America, and the Middle East—observed the highest percentages of ICS computers affected by Backdoor.MSIL.XWorm. In Africa, where the usage of removable USB media in industrial settings remains prevalent, instances of XWorm infections were detected through the connection of such devices, indicating a secondary vector of propagation beyond email threats.

In terms of overall statistics, there was a significant increase in the percentage of ICS computers from which worms were blocked, with the figure rising 1.6-fold to reach 1.60% in Q4 2025. Southern Europe reported the most substantial increase, surging by 2.16 times.

Broader Cybersecurity Implications

The ongoing challenges within the cybersecurity landscape extend into various industries, with the biometrics sector frequently cited as one of the most vulnerable due to widespread internet accessibility and inadequate cybersecurity infrastructure. In a concerning trend, the percentage of malicious document blockages across ICS environments declined by 0.22 percentage points to 1.76% in Q4 2025, following three consecutive quarters of growth.

Kaspersky’s analysis indicated that their security solutions successfully blocked malware across 10,142 distinct families during the same quarter. While categories including worms and Windows-executable miners saw increases, the broader trend indicated diminishing threats emanating from major sources such as the internet, email clients, and removable media.

Interestingly, while the overall exposure to malware appears to be decreasing, targeted financially motivated attacks against industrial systems are increasingly becoming sophisticated and specialized. This reality underscores the necessity for continuous investment in cybersecurity measures and practices to safeguard against evolving threats that may exploit vulnerabilities in ICS environments.

Cybersecurity professionals and organizational leaders are urged to remain vigilant and proactive in adopting comprehensive defense strategies to mitigate the risks posed by these emerging threats, particularly as the landscape of cybercrime continues to evolve.
