Industrial Automation Cybersecurity: Q4 2025 Threat Report – Worms on the Rise via Phishing
Overview: A Mixed Threat Landscape
The fourth quarter of 2025 presented a nuanced picture for industrial automation system security. While the overall percentage of ICS computers encountering malicious objects continued its downward trend—dropping to 19.7%—a sophisticated worm campaign targeting human resources departments emerged as a notable exception. This report examines the key statistics, regional variations, and a particularly aggressive phishing campaign that exploited resume-themed lures to distribute Backdoor.MSIL.XWorm.

Global Statistics: A Continuing Decline
Since the start of 2024, the proportion of ICS endpoints blocking malware has steadily decreased. In Q4 2025, it stood at 19.7%, representing a 1.36-fold drop over three years and a 1.25-fold reduction compared to Q4 2023. This trend suggests improving baseline security posture across many organizations, though regional disparities remain significant.
Regional Breakdown
The percentage of ICS computers recording blocked malicious objects varied widely by region. Northern Europe posted the lowest rate at 8.5%, while Africa recorded the highest at 27.3%. Four regions experienced increases compared to the prior quarter:
- Southern Europe
- South Asia
- East Asia (after a sharp spike in Q3 due to local script-based threats, which normalized in Q4)
- Additional regions detailed below
Featured Threat: Email-Distributed Worms
In Q4 2025, a particularly aggressive worm spread via email attachments affected ICS computers across all regions. The primary malware was Backdoor.MSIL.XWorm, designed for persistence and remote control of infected systems. Notably, this threat had not been detected on ICS computers in Q3, making its sudden global appearance in Q4 highly significant.
Phishing Campaign: Curriculum-Vitae-Catalina
Security researchers linked the surge in Backdoor.MSIL.XWorm to a phishing campaign known since 2024 as “Curriculum-vitae-catalina.” Attackers sent emails disguised as job applicant responses, with subject lines like “Resume” or “Attached Resume.” The malicious attachment was often named Curriculum Vitae-Catalina.exe; running it infected the system.

The campaign specifically targeted HR managers, recruiters, and hiring decision-makers. It came in two waves: the October wave hit Russia, Western Europe, South America, and Canada, and the November wave brought spikes in other regions. Blocks subsided globally by December.
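As an added example (not part of the original report), a mail-gateway style check for the lure described above: it flags attachments that are executable by extension or by content and raises severity when the subject or file name is resume-themed. The names `inspect_message`, `build_sample`, `EXEC_EXT` and `LURE`, the extension block list, and the sample messages are all assumptions constructed for illustration.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list of extensions a resume should never carry; tune per site.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
# Resume-themed wording modelled on the subject lines and file name in the report.
LURE = re.compile(r"\b(resume|curriculum[\s_-]*vitae|cv)\b", re.I)

def inspect_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no match."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        is_pe = data[:2] == b"MZ"  # Windows executable header, whatever the name claims
        if ext not in EXEC_EXT and not is_pe:
            continue
        reason = "executable extension" if ext in EXEC_EXT else "PE content under a document name"
        themed = bool(LURE.search(subject) or LURE.search(name))
        severity = "HIGH" if themed else "MEDIUM"
        findings.append(f"{severity}: {name!r} ({reason}), subject={subject!r}")
    return findings

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message; addresses and payload bytes are made up."""
    m = EmailMessage()
    m["From"] = "applicant@example.com"
    m["To"] = "hr@example.com"
    m["Subject"] = subject
    m.set_content("Please find my resume attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    samples = [
        ("Attached Resume", "Curriculum Vitae-Catalina.exe", b"MZ constructed bytes"),
        ("Resume", "resume.pdf", b"MZ constructed bytes"),       # renamed executable
        ("Resume", "resume.pdf", b"%PDF-1.7 constructed bytes"),  # ordinary document
    ]
    for subject, filename, payload in samples:
        print(filename, "->", inspect_message(build_sample(subject, filename, payload)) or "clean")
```

Checking the first bytes as well as the extension catches an executable renamed to look like a document, which a file-name rule alone would pass.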
Regional Impact and Vectors
The highest rates of Backdoor.MSIL.XWorm blocking were observed in regions with historically high rates of email-threat detection on ICS computers: Southern Europe, South America, and the Middle East. In Africa, where USB storage media remain prevalent, the worm was also detected when removable devices were connected to ICS endpoints—indicating multi-vector propagation.
Selected Industries: Early Signals
The biometrics sector experienced early signs of threat activity (data truncated in original report). Further investigation is needed to confirm whether this sector faced targeted attacks or collateral exposure from the broader phishing wave.
Conclusion
Q4 2025’s threat landscape for industrial automation systems was defined by a welcome overall decline in malware encounters, tempered by a highly organized worm campaign that leveraged social engineering and global reach. Organizations should reinforce email security, update phishing training, and monitor for Backdoor.MSIL.XWorm indicators—especially in HR workflows. The drop in general attack rates may reflect improved defenses, but the focused worm attack serves as a reminder that adversaries continue to evolve their tactics.