Declining Threats to Industrial Automation Systems in Q4 2025

Severity: Low (Score: 39.9)

Sources: ics-cert.kaspersky.com, Securelist

Summary

In Q4 2025, the percentage of Industrial Control Systems (ICS) computers with blocked malicious objects fell to 19.7%, the lowest since 2022. This decline has been consistent since 2024, with regional variations ranging from 8.5% in Northern Europe to 27.3% in Africa. Notably, Southern Europe and South Asia saw increases in blocked threats, particularly from email clients. The worm Backdoor.MSIL.XWorm, linked to phishing campaigns targeting HR professionals, was identified but not detected on ICS computers. The attacks occurred in two waves, with significant activity in October and November 2025. The primary attack vector remains the internet, with malicious scripts and phishing pages being the most common threats. The overall trend indicates a decrease in infections from removable media and email threats, although some regions still experience high rates of infection. The situation reflects ongoing challenges in securing OT networks against evolving threats.

Key Points:

  • ICS computers with blocked malicious objects dropped to 19.7% in Q4 2025.
  • Backdoor.MSIL.XWorm was linked to phishing campaigns targeting HR managers.
  • Southern Europe and South Asia saw increases in blocked threats from email clients.

Key Entities

  • Data Exfiltration (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Worm (attack_type)
  • Curriculum-vitae-catalina (campaign)
  • Canada (country)
  • Russia (country)
  • Oil and Gas (industry)
  • AutoCAD Malware (malware)
  • Backdoor.MSIL.XWorm (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Windows (platform)