Worm Spreads via Email to Compromise Industrial Control Systems
Key Takeaways Industrial Control Systems (ICS) globally experienced a significant increase in email-borne worm attacks during Q4 2025, marking a critical shift in operational technology (OT) threats....
Key Takeaways
- Industrial Control Systems (ICS) globally experienced a significant increase in email-borne worm attacks during Q4 2025, marking a critical shift in operational technology (OT) threats.
- The surge was primarily driven by a new backdoor worm, Backdoor.MSIL.XWorm, which spread rapidly through phishing campaigns disguised as job applications.
- This malware grants attackers full remote control over compromised machines and was initially undetected due to sophisticated obfuscation techniques.
- Regions like Southern Europe, South America, and the Middle East saw the highest infection rates, while the oil and gas sector specifically noted an increase in blocked threats.
Global Surge in Email-Borne Worms Targets Industrial Control Systems
The final quarter of 2025 witnessed an unprecedented proliferation of email-borne worms infiltrating Industrial Control Systems (ICS) worldwide. This dramatic escalation represents one of the most concerning shifts in the threat landscape affecting operational technology (OT) environments in recent memory.
Table Of Content
This widespread infection was largely attributed to a single, stealthy piece of malware that propagated through malicious phishing emails, successfully reaching ICS networks across all global regions within a mere two months, according to a recent report.
Backdoor.MSIL.XWorm: A New Global Threat
Central to this escalating threat is Backdoor.MSIL.XWorm, a backdoor worm designed to establish persistent access and grant attackers comprehensive remote control over compromised systems. The sudden appearance of this malware is particularly alarming; it had no discernible presence on ICS computers in the preceding quarter but rapidly emerged across all global regions in Q4 2025, indicating a swift and effective global deployment.
During this period, the proportion of ICS computers where worms were detected and blocked surged by 1.6 times, reaching 1.60%. This sharp increase was almost entirely driven by the Backdoor.MSIL.XWorm campaign, as highlighted in the report. Analysts at Securelist specifically linked the rapid dissemination of Backdoor.MSIL.XWorm to a particular malware obfuscation technique extensively used in mass phishing efforts during Q4 2025.
The “Curriculum-vitae-catalina” Campaign
These campaigns, identified since 2024 as “Curriculum-vitae-catalina,” employed a deceptively simple yet highly effective social engineering tactic. Threat actors targeted HR managers, recruiters, and employees involved in hiring processes with emails impersonating job applications. These malicious messages typically used subject lines such as “Resume” or “Attached Resume” and contained an executable file, often named “Curriculum Vitae-Catalina.exe,” which, when opened, immediately infected the system. For more details, refer to the <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/14b547b5-0804-44de-9ffa-93ce51a1243a/Email-Borne-Worm-Surge-Drives-New-Threat-Wave-Across-Industrial-Control-Systems.pdf?AWSAccessKeyId=ASIA2F3EMEYE7UQM3OQW&Signature=ktVIFj%2FPqYoqBdpJTsfi4k1z%2BRo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBAaCXVzLWVhc3QtMSJIMEYCIQDiIvN4RDw0iSb7z7UN4t9pArUFtwWbw%2Bs2Wc5w6AtcXAIhAMNS7sqvwwwjzAUvUUIy%2BXAokvKfhVbVY1rjAXAAPYW4KvwECNn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgyPULJp0ZuC90iG%2FMYq0AQThWy92LUn9nY8FcbeFHCD8hQrU17reJm9d50KmHkJ7f3g6u9sFpkLNPkA9qD9LUwzsbX94e8%2FH6eC2Nu%2BMZ0bcJqu1RwoFSNAJhrZ7tmKWhc98QnTJPZOFm7XuZBWzeUrfQuti3G3RfidYZ8jP%2B%2BLh%2Bh1kAImM8%2FhNzcYV8TVqMk%2Bwl69VwuTqmXQFzkp0JxwlJc7aZ8dv9qYXA8f8HC%2BsiFFSibPhgxi7nIYZiN01VoDOIqYr08hgyaCyi0n8Ax%2FiT8%2BkrZTuqcFLp3Vwx1XOt9Ei8S%2BaSGKgFX9yz%
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.