6 Critical Insights into the Industrial Cybersecurity Landscape for Q4 2025

2026-05-04 04:17:23

As we close out 2025, the industrial automation sector continues to navigate an evolving threat environment. The latest data reveals a mixed bag: while overall malware detection rates on industrial control system (ICS) computers have dropped compared to previous years, certain attack vectors—especially email-borne worms—are making an alarming comeback. This article dives into six key findings from Q4 2025, covering global statistics, regional trends, and the resurgence of targeted phishing campaigns. Whether you're a security professional or an operations manager, these insights will help you understand where the greatest risks lie and how to fortify your defenses.

1. Overall Malware Block Rate Continues Its Downward Trend

In Q4 2025, the percentage of ICS computers where malicious objects were blocked stood at 19.7%, a notable decline from earlier periods. Over the past three years, this figure has decreased by a factor of 1.36, and compared to Q4 2023, it has dropped by 1.25 times. This sustained reduction suggests that security measures—such as improved endpoint protection, patch management, and user awareness—are gradually paying off. However, the absolute number remains substantial, indicating that no organization can afford to let its guard down. The downward trend is encouraging, but the threat landscape remains dynamic, with new attack techniques emerging regularly.

[Figure: 6 Critical Insights into the Industrial Cybersecurity Landscape for Q4 2025. Source: securelist.com]

2. Wide Regional Disparities Persist

Regionally, the malware block rate varied dramatically in Q4 2025, from a low of 8.5% in Northern Europe to a high of 27.3% in Africa. This gap highlights the uneven distribution of cybersecurity resources, regulatory environments, and operational practices across the globe. While Northern Europe benefits from advanced security postures and strong compliance frameworks, many African nations still rely on older systems and limited threat intelligence. Notably, four regions experienced an increase in the block rate compared to the previous quarter. The most significant upticks occurred in Southern Europe and South Asia, driven by a combination of targeted attacks and user behavior. These regional differences underscore the importance of localized threat intelligence in developing effective defense strategies.

3. East Asia’s Temporary Spike: A Warning for All

East Asia witnessed a sharp, temporary increase in blocked threats during Q3 2025, caused by the local spread of malicious scripts. This surge briefly elevated the region’s block rate before it returned to normal levels in Q4. The incident serves as a cautionary tale: even in areas with generally strong cybersecurity, a single vector—like a widely distributed script—can cause a rapid spike in infections. The quick recovery suggests that regional response mechanisms are effective, but the episode also highlights the need for continuous monitoring. Organizations should remain vigilant against script-based threats, which can propagate quickly through shared networks and automated processes.

4. Feature of the Quarter: Email Worms Resurge

A standout threat in Q4 2025 was the widespread distribution of worms via email attachments. Unlike the declining overall trends, the block rate for worm-infested emails increased in every region. The primary culprit was Backdoor.MSIL.XWorm, a sophisticated backdoor designed to establish persistent remote control over infected systems. This worm evaded detection by employing a new obfuscation technique that had not been widely observed on ICS computers until now. The sudden global appearance—after being absent in Q3—suggests that threat actors are actively innovating their payload delivery methods. For defenders, this resurgence means that email security filters and user training must be continuously updated to counter evolving tactics.


5. The “Curriculum-vitae-catalina” Phishing Campaign

The spread of Backdoor.MSIL.XWorm was largely fueled by a phishing campaign known as “Curriculum-vitae-catalina”, which had been active since 2024. Attackers targeted HR professionals, recruiters, and hiring managers with emails disguised as job applicant responses. Subjects like “Resume” or “Attached Resume” lured recipients into opening an executable file typically named Curriculum Vitae-Catalina.exe. Once executed, the payload silently infected the ICS computer. This campaign exemplifies social engineering tailored to specific roles within industrial organizations. By preying on the high volume of legitimate resume submissions, the attackers bypassed initial suspicion. Industrial companies should educate their HR departments about such threats and enforce strict policies against opening unsolicited attachments.
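The lure described above (a resume-themed subject carrying an executable attachment) is exactly the kind of pattern a mail gateway or SOC triage script can flag before it reaches HR. The following is an added example, not code from the original article or from any vendor: it scores constructed sample messages using the subject wording and attachment name quoted on the page, blocking directly executable attachments, quarantining archives for inspection, and noting double extensions that masquerade as documents. Sender addresses and the `.invalid` domain are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Subjects quoted on the page for this campaign: "Resume", "Attached Resume".
LURE_SUBJECT = re.compile(r"\b(resume|curriculum\s*vitae|cv)\b", re.IGNORECASE)
# Extensions that run directly when double-clicked on a Windows workstation.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|jse|vbs|wsf|hta|msi|lnk)$", re.IGNORECASE)
# Containers that can hide an executable and need inspection before delivery.
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|iso|img)$", re.IGNORECASE)

@dataclass
class Message:
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)

def assess(msg: Message) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'block', 'quarantine' or 'deliver'."""
    reasons: list[str] = []
    lure = bool(LURE_SUBJECT.search(msg.subject))
    verdict = "deliver"
    for name in msg.attachments:
        if EXEC_EXT.search(name):
            verdict = "block"
            reasons.append(f"executable attachment {name!r}")
            if re.search(r"\.(pdf|docx?|rtf)\.[^.]+$", name, re.IGNORECASE):
                reasons.append("double extension masquerading as a document")
        elif ARCHIVE_EXT.search(name) and verdict != "block":
            verdict = "quarantine"
            reasons.append(f"archive {name!r} needs content inspection")
    # A resume-themed subject is normal HR traffic; it only adds weight when
    # combined with a suspicious attachment, so legitimate PDFs still pass.
    if lure and verdict != "deliver":
        reasons.append("resume-themed subject matches HR lure pattern")
    return verdict, reasons

# Constructed sample traffic (not real campaign data). The first message
# mirrors the lure on the page: subject "Attached Resume" with the
# attachment "Curriculum Vitae-Catalina.exe".
SAMPLE = [
    Message("applicant@example.invalid", "Attached Resume", ["Curriculum Vitae-Catalina.exe"]),
    Message("candidate@example.invalid", "Resume", ["resume.pdf"]),
    Message("candidate2@example.invalid", "Resume", ["cv.zip"]),
    Message("candidate3@example.invalid", "Resume", ["Resume.pdf.scr"]),
]

def triage(messages=SAMPLE) -> list[str]:
    """Verdict per message, in input order."""
    return [assess(m)[0] for m in messages]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.subject, "->", assess(m))
```

A real deployment would also inspect archive contents and file magic rather than trusting the extension, since the page notes the worm additionally spread by USB media where no mail filter applies.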

6. Two Waves of Global Infection

The Backdoor.MSIL.XWorm outbreak followed a distinct two-wave pattern. In October, the worm was predominantly blocked in Russia, Western Europe, South America, and parts of North America (Canada). Then, in November, a second wave swept across other regions, with detection rates spiking sharply. By December, activity subsided globally. The highest concentrations of infected ICS computers were found in Southern Europe, South America, and the Middle East—regions where email-borne threats have historically been a significant problem. Interestingly, in Africa, the worm also propagated via USB storage devices, reflecting the continued use of removable media in certain industrial environments. This multimodal spread reinforces the need for layered defenses that address both email and physical media vectors.

Looking Ahead

The Q4 2025 data paints a picture of a cybersecurity landscape that is improving in some ways but remains volatile in others. While the overall downward trend in malware block rates is encouraging, the resurgence of email worms and targeted phishing campaigns reminds us that attackers are constantly adapting. Industrial automation systems—especially those with legacy components—remain attractive targets. The best defense is a proactive, multi-layered strategy that includes employee training, robust email filtering, endpoint detection, and regular vulnerability assessments. By staying informed about the latest threats and regional trends, organizations can better protect their critical infrastructure from the next wave of attacks.
