Tags: malware, high, Backdoor, Phishing, Worm, XWorm

Apr 15, 2026 • Kaspersky ICS CERT

Threat landscape for industrial automation systems in Q4 2025


Source: Kaspersky Securelist
Category: malware
Severity: high

Executive Summary

In Q4 2025, industrial automation systems faced a notable surge in malware infections, specifically driven by the XWorm backdoor distributed via phishing campaigns. The Curriculum-vitae-catalina campaign targeted HR personnel globally using malicious resume attachments, resulting in increased blocking rates across Southern Europe, South America, and the Middle East. While the overall share of ICS computers on which threats were blocked has been declining over the longer term, this quarter saw a spike in worms and miners. The XWorm malware gives attackers persistent remote control of infected systems, posing significant risks to operational technology integrity. The oil and gas sector experienced increased targeting in Russia and Central Asia. Mitigation efforts should prioritize email security controls, user awareness training on job-application phishing, and restricting executable files from untrusted sources. Removable media also remains a vector in regions such as Africa. Organizations should enhance monitoring on ICS networks to detect lateral movement and command-and-control traffic associated with backdoor functionality.

Summary

The report contains industrial threat statistics for Q4 2025. It covers various infection vectors and malware types, as well as regional statistics and statistics by industry.

Published Analysis

Statistics across all threats

The percentage of ICS computers on which malicious objects were blocked has been decreasing since the beginning of 2024. In Q4 2025, it was 19.7%. Over the past three years, the percentage has decreased by a factor of 1.36, and by a factor of 1.25 since Q4 2023.

Figure: Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025

Regionally, in Q4 2025, the percentage of ICS computers on which malicious objects were blocked ranged from 8.5% in Northern Europe to 27.3% in Africa.

Figure: Regions ranked by percentage of ICS computers on which malicious objects were blocked

Four regions saw an increase in the percentage of ICS computers on which malicious objects were blocked. The most notable increases occurred in Southern Europe and South Asia. In Q3 2025, East Asia experienced a sharp increase triggered by the local spread of malicious scripts, but the figure has since returned to normal.

Figure: Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025

Feature of the quarter: worms in email

In Q4 2025, the percentage of ICS computers on which worms in email attachments were blocked increased in all regions of the world. Many of the blocked threats were related to the worm Backdoor.MSIL.XWorm. This malware is designed to persist on the system and then give its operator remote control of it. Notably, this threat was not detected on ICS computers in the previous quarter, yet it appeared in all regions in Q4 2025.

A study found that the active spread of Backdoor.MSIL.XWorm via phishing emails was likely linked to the attackers' use of a malware obfuscation technique that was also actively used in the massive phishing campaigns of Q4 2025. These campaigns have been known since 2024 as "Curriculum-vitae-catalina". The attackers sent phishing emails to HR managers, recruiters, and employees responsible for hiring. The messages were disguised as responses from job applicants, with subjects such as "Resume" or "Attached Resume", and contained a malicious executable file posing as a curriculum vitae. Typically, the file was named Curriculum Vitae-Catalina.exe; when executed, it infected the system.

In Q4 2025, the threat spread across regions in two waves: one in October and another in November. Russia, Western Europe, South America, and North America (Canada) were attacked in October. A spike in Backdoor.MSIL.XWorm blocking was observed in other regions in November. The attack subsided in all regions in December.

The highest percentage of ICS computers on which Backdoor.MSIL.XWorm was blocked was observed in regions where threats from email clients had historically been blocked at high rates on ICS computers: Southern Europe, South America, and the Middle East. At the same time, in Africa, where USB storage media are still actively used, the threat was also detected when removable devices were connected to ICS computers.

Selected industries

The biometrics sector has historically led the rankings of industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked. These systems are characterized by accessibility to and from the internet, as well as minimal cybersecurity controls on the part of the consumer organization.

Figure: Rankings of industries and OT infrastructure by percentage of ICS computers on which malicious objects were blocked

In Q4 2025, the percentage of ICS computers on which malicious objects were blocked increased in only one sector: oil and gas. The corresponding figures increased in two regions: Russia, and Central Asia and the South Caucasus. However, over a broader time span there is a downward trend in all the surveyed industries....
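As an added illustration (not part of the Kaspersky report or this page), the following Python triage filter applies the report's mitigation advice about executable attachments to the Curriculum-vitae-catalina lure pattern described above: it scans constructed mail-gateway records and flags resume-themed messages carrying an executable attachment, including double-extension disguises. The record format, field names and sample messages are assumptions made for this example.

```python
"""Added example: gateway-side triage for resume-lure executables.
Record layout and sample data are constructed for illustration."""
import re
from dataclasses import dataclass

# Windows-executable extensions that should never arrive as a "resume".
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Subject themes used by the campaign described in the report.
RESUME_SUBJECT = re.compile(r"\b(resume|curriculum vitae|cv)\b", re.IGNORECASE)
# File name stem reported for the campaign's lure (case-insensitive match).
KNOWN_LURE = "curriculum vitae-catalina"


@dataclass(frozen=True)
class MailRecord:
    sender: str
    subject: str
    attachments: tuple  # attachment file names as logged by the gateway


def is_executable(name: str) -> bool:
    """True if the *final* extension is executable, so 'CV.pdf.exe' is caught."""
    if "." not in name:
        return False
    return name.lower().rsplit(".", 1)[-1] in EXEC_EXTS


def classify(rec: MailRecord) -> str:
    """Return 'block', 'review' or 'allow' for one gateway record."""
    exe_names = [a for a in rec.attachments if is_executable(a)]
    if any(KNOWN_LURE in a.lower() for a in exe_names):
        return "block"   # the named lure file from the campaign
    if exe_names and RESUME_SUBJECT.search(rec.subject):
        return "block"   # resume theme plus executable attachment
    if exe_names:
        return "review"  # executable from outside, no lure theme: human check
    return "allow"


# Constructed sample records (not real senders or observed messages).
SAMPLE_RECORDS = (
    MailRecord("applicant@example.net", "Attached Resume", ("Curriculum Vitae-Catalina.exe",)),
    MailRecord("jobs@example.org", "Resume", ("Resume.pdf.scr",)),
    MailRecord("vendor@example.com", "Invoice 4471", ("setup.exe",)),
    MailRecord("candidate@example.com", "Resume", ("resume.pdf",)),
)


def triage(records=SAMPLE_RECORDS) -> dict:
    """Map each sender to its verdict; feed the 'block' set to quarantine."""
    return {r.sender: classify(r) for r in records}
```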

Linked Entities

  • XWorm