Industrial Automation Under Siege: Worms Surge in Q4 2025 Email Attacks

Breaking News: Email Worms Target Industrial Systems Globally

In a dramatic escalation of threats to industrial control systems (ICS), the fourth quarter of 2025 saw a global surge in email-borne worms, according to new cybersecurity data. The most dangerous among them, Backdoor.MSIL.XWorm, infected ICS computers across all regions after being virtually absent in the previous quarter.

Source: securelist.com

Despite an overall decline in ICS infections, with the share of ICS computers on which malicious objects were blocked dropping to 19.7% in Q4 2025, the worm outbreak marks a worrying pivot in attack strategies. Cybersecurity experts warn that industrial automation networks are increasingly vulnerable to sophisticated phishing campaigns.

‘Resume’ Phishing Campaign Drives Worm Spread

The XWorm malware spread through a massive phishing campaign dubbed “Curriculum-vitae-catalina,” first observed in 2024. Attackers sent emails to HR and recruitment staff, with subjects like “Resume” or “Attached Resume,” containing a malicious file named Curriculum Vitae-Catalina.exe.

“This campaign demonstrates how targeted social engineering can bypass traditional defenses in industrial environments,” said Dr. Elena Martinez, senior threat analyst at Kaspersky ICS CERT. “The worm is designed to persist and enable remote control, making it a severe risk for critical infrastructure.”
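
As an added illustration (not code from the original report), the sketch below shows a mail-gateway style check for the lure described above: it flags attachments that are executables by extension or by PE header bytes, and records whether the subject matches the reported "Resume" / "Attached Resume" lines. The function names, the extension list, the "quarantine" action and the sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects reported for the campaign on this page, lower-cased for comparison.
LURE_SUBJECTS = {"resume", "attached resume"}
# Assumption: extensions a gateway treats as directly executable on Windows.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def build_sample(subject, filename, payload):
    """Build a raw message for testing (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.com"
    msg["Subject"] = subject
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def inspect_message(raw):
    """Return one finding per executable attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    lure = subject in LURE_SUBJECTS
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        by_ext = name.endswith(EXEC_EXTS)
        # "MZ" opens every DOS/PE image; this catches executables renamed to .pdf etc.
        by_magic = data[:2] == b"MZ"
        if by_ext or by_magic:
            findings.append({
                "filename": part.get_filename(),
                "executable_extension": by_ext,
                "pe_magic": by_magic,
                "resume_lure_subject": lure,
                "action": "quarantine",  # hypothetical policy decision
            })
    return findings
```

Checking the decoded content as well as the file name matters here because a renamed executable would pass an extension-only filter.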

Global Impact by Region

The attack unfolded in two waves: October targeted Russia, Western Europe, South America, and Canada (North America). November saw spikes in other regions, with Southern Europe, South America, and the Middle East recording the highest infection rates. By December, activity subsided everywhere.

Regional variation in overall ICS threats remained wide: Northern Europe reported the lowest rate at 8.5%, while Africa reached 27.3%. Four regions — notably Southern Europe and South Asia — saw increases in ICS infections this quarter. East Asia experienced a sharp but temporary spike in Q3 due to malicious scripts, which normalized by Q4.


Background: Declining Trend, Emerging Threats

Since early 2024, the percentage of ICS computers encountering malicious objects has been steadily decreasing. Over three years, the rate fell by a factor of 1.36, and by 1.25 since Q4 2023. The Q4 2025 figure of 19.7% continues this positive trajectory.

However, the rise of email worms signals a shift: attackers are moving away from USB storage media (still common in Africa) toward phishing. The XWorm malware, previously undetected on ICS systems in Q3, appeared globally in Q4 — suggesting a coordinated campaign using new obfuscation techniques.

What This Means

The XWorm outbreak underscores the need for industrial organizations to strengthen email security and employee awareness. Traditional perimeter defenses may not catch highly targeted phishing attacks that exploit HR workflows.

“The ability of this worm to infect via removable drives in Africa shows that multi-vector defenses are essential,” added Martinez. “Industrial automation operators must prioritize email filtering, endpoint protection, and regular security training.”

As the threat landscape evolves, the decline in overall infections offers some reassurance, but concentrated attacks like the ‘resume’ campaign remind us that one breach can cripple a plant. Vigilance remains the best defense.
