uJD eItfq V Djfek Dyvy

Email-Borne Worm Surge Targets Industrial Systems as Overall Malware Declines

While malware activity on industrial control systems (ICS) networks shows gradual decline, email-borne worms are driving a new wave of security incidents globally. According to Kaspersky’s Q4 2025 findings, phishing campaigns distributing the XWorm backdoor have significantly reshaped risks for operational technology (OT) environments worldwide.

Across ICS computers globally, the percentage of blocked malicious objects fell to 19.7% in Q4 2025 – the lowest level since 2022 and representing a 1.36-year-over-year decline from late 2022. This suggests improving security posture in many industrial environments.

Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025 (Source: Kaspersky)
Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025 (Source: Kaspersky).

Regional disparities remained stark in Q4 2025, with ICS infection rates ranging from 8.5% in Northern Europe to 27.3% in Africa, highlighting uneven OT security maturity worldwide. While most regions showed improvement, Southern Europe and South Asia experienced notable increases. East Asia saw a brief spike in Q3 2025 due to malicious scripts before returning to baseline levels.

The official report confirms this decreasing trend, noting a 25% reduction since Q4 2023. However, four regions defied the overall downward trajectory.

Email-Worm Surge in Q4 2025

The most significant development was a global surge in email-attached worms across all regions. This spike was primarily driven by Backdoor.MSIL.XWorm – a worm-like backdoor enabling persistent attacker control of compromised systems. Notably, XWorm emerged simultaneously across all regions in Q4 2025 after being absent in the previous quarter.

Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025 (Source: Kaspersky)
Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025 (Source: Kaspersky).

Researchers attribute this outbreak to a new obfuscation technique in phishing campaigns known as “Curriculum-vitae-catalina”. Attackers targeted HR professionals with emails mimicking job applications using subjects like “Resume” and attaching “Curriculum Vitae-Catalina.exe.” The campaign unfolded in two waves during Q4 2025, hitting Western economies in October and other regions in November before subsiding in December.

XWorm’s propagation extended beyond email in Africa, where removable media facilitated secondary spread. This malware surge increased worm detections globally by 1.6-fold to 1.60%, with Southern Europe experiencing the most dramatic rise.

Industry Verticals and Threat Sources

The biometrics sector remains particularly vulnerable due to widely internet-exposed systems and weak cybersecurity at many consumer-facing organizations. While malicious document detections had increased for three consecutive quarters, they decreased by 0.22 percentage points in Q4 2025 to 1.76%.

Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025 (Source: Kaspersky)
Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025 (Source: Kaspersky).

Key threat sources in Q4 2025 included:

  • Internet-borne threats: 7.67% (lowest in 3 years)
  • Email-borne threats: 0.64–6.34% (highest in Southern Europe)
  • Malicious scripts and phishing pages: 6.58% globally, peaking at 10.50% in South Asia

Despite declining overall malware, Windows-based miners increased to 0.60%, indicating a shift toward specialized, financially motivated attacks targeting industrial systems. Kaspersky solutions blocked malware from 10,142 different families in Q4 2025, with worms and miners being the only rising categories during the quarter.

Related Articles

Back to top button