Q&A: Industrial Automation Threat Landscape in Q4 2025 – Trends and Key Threats
<p>Welcome to our Q&A on the state of industrial automation system security in Q4 2025. Based on recent data, we look at the declining trend in malware blocking rates, the regional variation behind that average, and a worm campaign that targeted HR departments worldwide. The format gives direct answers to the most pressing questions about the evolving threat landscape.</p>
<h2 id="q1">What is the overall trend in ICS computer malware blocking percentages from early 2023 through Q4 2025?</h2>
<p>The percentage of industrial control system (ICS) computers on which malicious objects were blocked has been decreasing steadily since the beginning of 2024. In Q4 2025 the figure stood at 19.7%, a 1.36-fold reduction over the past three years and a 1.25-fold decline compared to Q4 2023. The downward trend points to improved security measures or to changes in attacker tactics, but the absolute risk remains significant. The global picture is improving; as the following answers show, regional disparities and new attack vectors keep the threat dynamic.</p>
<figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/15120820/SL-industrial-threats-q4-2025-featured-scaled.jpg" alt="Q&A: Industrial Automation Threat Landscape in Q4 2025 – Trends and Key Threats" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h2 id="q2">How did regional percentages for blocked malware on ICS computers vary in Q4 2025?</h2>
<p>In Q4 2025 the share of ICS computers with blocked malicious objects varied widely by region. The lowest percentage was recorded in Northern Europe at 8.5%, the highest in Africa at 27.3%. The gap reflects differences in cybersecurity maturity, attack exposure, and usage patterns such as reliance on USB drives. Most regions saw stable or declining rates, but four regions bucked the trend with increases, Southern Europe and South Asia among them. East Asia had a sharp spike in Q3 2025 caused by local malicious scripts but returned to its usual level by Q4.</p>
<h2 id="q3">Which regions saw increases in blocked malware on ICS computers in Q4 2025 and why?</h2>
<p>Four regions experienced a rise in the percentage of ICS computers with blocked malicious objects during Q4 2025. Southern Europe and South Asia reported the most notable increases, driven by the spread of a specific worm delivered through email attachments. East Asia had seen a sharp increase in Q3 2025 due to malicious scripts, but that subsided in Q4. The Q4 increases were primarily linked to the Backdoor.MSIL.XWorm campaign, which used phishing emails disguised as job applications. The worm evaded typical defenses and targeted HR systems in particular, which accounts for the regional uptick.</p>
<h2 id="q4">What was the notable worm threat in Q4 2025 and how was it propagated?</h2>
<p>The standout threat in Q4 2025 was Backdoor.MSIL.XWorm, a worm designed to establish persistence on infected systems and give attackers remote control. It was blocked on ICS computers in every global region during the quarter, a significant shift given that it had been absent in the previous quarter. The worm spread primarily through phishing emails carrying malicious attachments. The emails were disguised as responses from job applicants, with subject lines such as “Resume” or “Attached Resume.” The attached executable, often named “Curriculum Vitae-Catalina.exe,” installed the worm when run. Researchers linked the campaign to the “Curriculum-vitae-catalina” series, active since 2024.</p>
<h2 id="q5">How did the Backdoor.MSIL.XWorm campaign specifically target HR professionals?</h2>
<p>Attackers focused on HR managers, recruiters, and hiring personnel by sending phishing emails that appeared to be job applications.
The emails claimed to include a resume or curriculum vitae, but the attached file was the Backdoor.MSIL.XWorm executable. The typical filename, “Curriculum Vitae-Catalina.exe,” was chosen to look legitimate. Once opened, it infected the recipient's system and could spread further. The social engineering exploited the trust and urgency built into recruitment workflows, and the campaign was effective because HR employees are accustomed to receiving unsolicited attachments from candidates.</p>
<h2 id="q6">What were the two waves of the XWorm attack and which regions were affected?</h2>
<p>The Backdoor.MSIL.XWorm campaign unfolded in two distinct waves during Q4 2025. The first wave, in October, primarily targeted Russia, Western Europe, South America, and Canada (North America). A second wave followed in November, hitting other regions worldwide. By December the attack had subsided in all regions. The timing suggests a phased deployment, possibly with targeting adjusted on the basis of initial success. The highest blocking rates were observed in regions already struggling with email-borne threats: Southern Europe, South America, and the Middle East. In Africa the worm also spread via USB drives, adding a non-email vector.</p>
<h2 id="q7">Why did some regions have higher infection rates for the XWorm worm than others?</h2>
<p>Regions with historically high rates of threats arriving through email clients on ICS computers were particularly susceptible to Backdoor.MSIL.XWorm. Southern Europe, South America, and the Middle East recorded the highest percentages of ICS computers blocking this worm. These areas likely have less stringent email security or a larger attack surface in HR systems. User behavior, such as opening attachments without verification, also played a role. In Africa an extra factor was the active use of USB storage media, which became a vector for the worm when removable devices were connected to ICS computers. This dual propagation method amplified the regional impact.</p>
<h2 id="q8">What additional attack vector was observed in Africa for the XWorm worm?</h2>
<p>In Africa, Backdoor.MSIL.XWorm spread not only through phishing emails but also via removable storage media such as USB drives, which remain in common use in African industrial environments for data transfer and system updates. Attackers likely planted infected drives, or the worm self-propagated onto connected USB devices. Once a USB drive was inserted into an ICS computer, the worm could execute and infect the system. The dual vector, email and USB, made the threat particularly persistent in Africa, where blocking rates already exceeded the global average. The incident underscores the need for security policies that cover both network and removable media.</p>
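<p>As a defender-side illustration of the lure described in the answers above (resume-themed subject lines carrying an executable such as “Curriculum Vitae-Catalina.exe”), here is an added example that is not part of the original report: a small Python triage routine run over constructed mail-gateway records. The keyword list, the extension sets and the record fields are assumptions, and the routine also flags executables hiding behind a document double extension, which goes beyond the single filename the text mentions.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lure vocabulary seen in the Q4 2025 campaign ("Resume", "Attached Resume",
# "Curriculum Vitae-Catalina.exe"); the extra variants are an assumption.
LURE = re.compile(r"\b(resume|curriculum\s+vitae|cv|job application)\b", re.I)

# Extensions that execute on a Windows host; no genuine resume ships as one.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
             "vbs", "wsf", "hta", "msi", "lnk"}
DOC_EXTS = {"pdf", "doc", "docx", "rtf", "odt"}

@dataclass
class MailEvent:
    """Minimal mail-gateway record; the field names are assumptions."""
    sender: str
    recipient: str
    subject: str
    attachments: List[str]

def attachment_risk(filename: str) -> Optional[str]:
    """Classify an attachment by its (possibly doubled) extension."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXTS:
        return "executable-with-document-double-extension"  # e.g. resume.pdf.exe
    return "executable-attachment"

def triage(event: MailEvent) -> List[str]:
    """Return findings; HIGH when an executable rides a resume pretext."""
    lure = bool(LURE.search(event.subject))
    findings = []
    for name in event.attachments:
        risk = attachment_risk(name)
        if risk is None:
            continue
        # The filename itself may carry the pretext (hyphens/underscores -> spaces).
        pretext = lure or bool(LURE.search(re.sub(r"[_-]", " ", name)))
        findings.append(f"{'HIGH' if pretext else 'MEDIUM'}: {name} ({risk})")
    return findings

SAMPLE = [  # constructed sample events, not real telemetry
    MailEvent("applicant@example.com", "hr@corp.example", "Attached Resume",
              ["Curriculum Vitae-Catalina.exe"]),
    MailEvent("it@corp.example", "hr@corp.example", "Quarterly report",
              ["report.xlsx", "installer.msi"]),
]
```

<p>Calling <code>triage</code> on each record in <code>SAMPLE</code> rates the resume-themed executable HIGH and the unrelated installer MEDIUM; a genuine PDF resume produces no finding.</p>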