A significant surge in email-borne worms targeting industrial control systems (ICS) during the fourth quarter of 2025 has introduced a new wave of threats to operational technology (OT) environments globally. This escalation is primarily attributed to a single piece of malware, Backdoor.MSIL.XWorm, which spread rapidly via phishing emails. The malicious campaign, absent in the preceding quarter, established a presence across all operational regions within two months, disrupting typical security trends in ICS networks.
According to Securelist analysis, the overall percentage of ICS computers on which worms were blocked increased by 1.6 times, reaching 1.60%. This sharp rise was almost entirely due to this single, widespread threat. The malware’s stealthy spread, aided by layered obfuscation techniques, highlights the evolving tactics of cybercriminals targeting critical infrastructure. The implications for industrial cybersecurity are substantial, demanding immediate attention from security professionals overseeing these sensitive systems.
Email-Borne Worm Surge Drives New Threat Wave Across Industrial Control Systems
The widespread dissemination of Backdoor.MSIL.XWorm, a backdoor worm designed to grant attackers full remote control over compromised machines, marked a critical development in Q4 2025. Its sudden emergence and global reach, starting from no detected presence at all in Q3, underscore the dynamic nature of cyber threats. The sheer speed and scope of its spread across diverse geographical regions and industrial sectors highlight a significant weakness in current ICS security postures.
The “Curriculum-vitae-catalina” phishing campaigns, active since 2024, were identified as the primary vector for this worm. These campaigns masterfully mimicked legitimate job application submissions. Threat actors targeted HR managers and recruiters with emails containing subject lines like “Resume” or “Attached Resume.” The malicious payload was disguised as a curriculum vitae, typically named “Curriculum Vitae-Catalina.exe,” which would infect a system upon opening.
The infection did not occur instantaneously but unfolded in two distinct waves. The initial wave in October affected systems in Russia, Western Europe, South America, and North America, with a notable impact on Canada. A secondary spike in November expanded the worm’s reach to additional regions before the campaign activity waned in December. Southern Europe, South America, and the Middle East experienced the highest infection rates, areas historically susceptible to email-based threats in their ICS environments.
In Africa, the threat spread by an alternative route, removable storage devices, illustrating the adaptable nature of this malware campaign. Regionally, the percentage of ICS computers on which malicious objects were blocked varied significantly, ranging from 8.5% in Northern Europe to 27.3% in Africa during Q4 2025. This disparity underscores the uneven distribution of cybersecurity risk across the globe.
The oil and gas sector was singled out as the only industry to record an increase in blocked threats during this quarter, particularly in Russia and Central Asia. While a multi-year trend has shown a gradual decline in threats across most industries, the Q4 2025 worm-driven spike served as a stark reminder of email’s persistent efficacy as an entry point into the most critical industrial environments.
Inside the Infection Mechanism
Backdoor.MSIL.XWorm’s operational methodology reflects a calculated strategy for protracted access to industrial networks. Upon execution of the deceptive resume file, the malware operates covertly, establishing system persistence that ensures its survival through reboots and routine maintenance. Subsequently, it creates a remote access channel, enabling attackers to monitor activities, navigate the network, and potentially disrupt sensitive operational technology processes.
The obfuscation techniques employed in the “Curriculum-vitae-catalina” campaigns were instrumental in allowing the worm to bypass conventional detection tools. By layering scripts and encoding payloads, the malware concealed its true malicious behavior, which helps explain why it went undetected in Q3 2025 before the dramatic surge in Q4. Southern Europe experienced the most significant increase, with worm-blocking activity rising by 2.16 times, largely because of the region’s pre-existing high incidence of email-sourced threats within ICS environments.
Security teams responsible for ICS or OT environments should adopt a stringent approach to all unsolicited emails containing executable attachments, regardless of their apparent sender. Organizations are strongly advised to implement robust email filtering policies that proactively block executable attachments before they can reach end-users and potentially infiltrate the network.

Specialized training for employees in HR roles and those with access to OT-adjacent systems is crucial to enhance their ability to identify sophisticated phishing attempts disguised as hiring communications. Furthermore, policies governing the use of removable media require strengthening, especially in regions such as Africa, where USB-based infections proved to be an active vector during this campaign. Maintaining up-to-date ICS endpoints and deploying behavior-based detection tools are paramount for identifying threats like XWorm, which are engineered to evade traditional signature-based defenses.
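The two controls above (block executable attachments at the mail gateway, and do not trust the filename a sender chose) can be expressed as a small inbound-mail policy check. The following is an added example written for this article, not code from Securelist, Kaspersky or the article’s author. It assumes a gateway hook that hands over the raw RFC 822 message bytes; the sample messages, sender and recipient addresses, and the PE-looking attachment bytes are all constructed here for illustration. The check flags an attachment if any of its extensions is in an executable list (catching double extensions such as “resume.pdf.exe”) or if its first bytes carry the Windows PE “MZ” header, whatever the extension claims.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that should never reach an HR mailbox unscreened (assumed policy list).
EXEC_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".ps1", ".msi", ".hta", ".wsf", ".dll",
}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_attachment(filename: str, data: bytes) -> list:
    """Return the list of reasons an attachment violates the policy (empty if clean)."""
    reasons = []
    # Look at every dotted suffix so "resume.pdf.exe" is treated like "resume.exe".
    parts = filename.lower().split(".")
    suffixes = {"." + p.strip() for p in parts[1:]}
    if suffixes & EXEC_EXTENSIONS:
        reasons.append("executable extension")
    # Content check: a PE header is a PE file no matter what the name says.
    if data[:2] == MZ_MAGIC:
        reasons.append("PE header (MZ) in attachment body")
    return reasons


def evaluate_message(raw_bytes: bytes) -> tuple:
    """Parse a raw message and return ("BLOCK" | "ALLOW", [(filename, reasons), ...])."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings.append((filename, reasons))
    verdict = "BLOCK" if findings else "ALLOW"
    return verdict, findings


def build_sample(subject: str, filename: str, data: bytes, content_type: str) -> bytes:
    """Construct a test message resembling a job-application email (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # constructed address
    msg["To"] = "hr@example.invalid"            # constructed address
    msg["Subject"] = subject
    msg.set_content("Please find my resume attached.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a fake PE body and a fake PDF body.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    samples = [
        ("Resume", "Curriculum Vitae-Catalina.exe", FAKE_PE, "application/octet-stream"),
        ("Attached Resume", "resume.pdf.exe", FAKE_PE, "application/octet-stream"),
        ("Resume", "resume.pdf", FAKE_PE, "application/pdf"),   # renamed executable
        ("Resume", "resume.pdf", FAKE_PDF, "application/pdf"),  # genuine-looking PDF
    ]
    for subject, name, body, ctype in samples:
        verdict, findings = evaluate_message(build_sample(subject, name, body, ctype))
        print(f"{verdict:5} {name!r} {findings}")
```

The two checks are deliberately independent: the extension list is cheap and catches the obvious cases, while the magic-byte check catches the renamed binary that a filename-only rule would pass. A production gateway would extend the content check to archives and Office documents with macros, which the page does not cover and this example does not attempt.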