Worm Plague Hits Industrial Systems: Email Attacks Surge in Q4 2025
Breaking News — A highly targeted worm, Backdoor.MSIL.XWorm, has infected industrial control system (ICS) computers worldwide through phishing emails disguised as job applications, according to new data released today. In Q4 2025, the percentage of ICS computers hit by malicious objects rose sharply in some regions, with an overall global block rate of 19.7% — a slight drop from previous quarters but still a clear warning for critical infrastructure.
The Facts
The new report from Kaspersky’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) reveals that while overall malicious object blocks on ICS computers have declined by a factor of 1.36 over the past three years, Q4 2025 saw a dramatic increase in worm-based attacks spread via email. This marks a distinct shift from previous threats that often originated from USB drives or internet connectivity.

“Worms in email attachments are a classic vector, but seeing them dominate in an industrial context is alarming. The attackers specifically targeted human resources departments in manufacturing, energy, and transport,” said Alexey Shulgin, head of Kaspersky ICS CERT.
Regional Impacts
Block rates varied wildly by geography. Northern Europe recorded the lowest rate at 8.5%, while Africa saw a staggering 27.3% of ICS computers compromised. Four regions — Southern Europe, South Asia, Western Europe, and South America — experienced notable increases. East Asia had a spike in Q3 2025 due to malicious scripts but returned to baseline in Q4.
“The attackers showed a clear understanding of regional differences. They struck HR recruiters in Western Europe and Canada in October, then shifted to other regions in November,” added Shulgin.
Background
Industrial automation systems — used to control power grids, factories, and pipelines — have long been considered relatively isolated from internet-borne threats. However, recent years have seen a steady erosion of that isolation. The ‘Curriculum-vitae-catalina’ campaign, first spotted in 2024, targets people responsible for hiring with fake resumes. Once opened, the worm gains remote control of the victim’s computer, potentially giving attackers access to ICS networks.

Kaspersky’s telemetry data shows that in Q4 2025, the worm appeared in all regions simultaneously, an unprecedented reach. In Africa, where USB drives remain common, infections also happened when the worm spread via removable storage.
What This Means
This attack wave underscores a critical vulnerability: the human factor. “Worms hitting HR departments can cascade into plant floor infections,” said Maria Garnaeva, security expert at Kaspersky. “Industrial companies must treat email security as seriously as their physical security.”
The biometrics sector, among others, faced heightened risk due to its reliance on software for identity verification. The report warns that similar campaigns using obfuscation techniques will likely continue into 2026.
Key industries affected
- Energy (power plants, oil & gas)
- Manufacturing (automotive, semiconductors)
- Transportation (rail, aviation)
- Biometrics
Organizations are urged to update security policies, quarantine suspicious attachments, and train HR staff to identify phishing attempts.
What’s Next
Kaspersky expects the ‘Curriculum-vitae-catalina’ campaign to evolve. The worm’s ability to morph and persist makes it a long-term threat. “The December lull does not mean the danger passed — hackers are likely regrouping,” said Shulgin. ICS owners should monitor block rates and deploy endpoint protection that detects obfuscated malware.