Email Worm Surge Poses New Threat to Industrial Control

Jennifer Sherman
April 17, 2026 4 Min Read

Industrial control systems (ICS) experienced a global wave of email-borne worms during the fourth quarter of 2025. This surge marks one of the most concerning threat shifts observed across operational technology (OT) environments in recent years.

The surge was largely tied to a single piece of malware that silently spread through phishing emails, reaching ICS networks in every region of the world within just two months.

At the center of this threat wave is a backdoor worm known as Backdoor.MSIL.XWorm, built to settle into infected systems and hand attackers full remote control over compromised machines.

What makes this outbreak particularly alarming is that this threat had no presence on ICS computers in the previous quarter, yet it appeared across all global regions in Q4 2025, representing a sudden and widespread jump.

The overall percentage of ICS computers on which worms were blocked rose by 1.6 times to 1.60% during this period, a sharp uptick driven almost entirely by this single campaign.

Securelist analysts identified that the active spread of Backdoor.MSIL.XWorm through phishing emails was closely tied to a specific malware obfuscation technique that threat actors used heavily during mass phishing campaigns throughout Q4 2025.

These campaigns, known since 2024 under the name “Curriculum-vitae-catalina,” relied on a deceptively simple but effective trick.

Attackers sent emails to HR managers, recruiters, and employees involved in hiring decisions, disguising malicious messages as job applications with subject lines such as “Resume” or “Attached Resume.”

The emails carried a malicious executable file presented as a curriculum vitae, typically named Curriculum Vitae-Catalina.exe, which infected the system the moment it was opened.

The infection did not unfold all at once. In Q4 2025, the threat rolled out in two distinct waves. The first hit in October, targeting Russia, Western Europe, South America, and North America, specifically Canada.

A second spike followed in November, spreading to additional regions before the campaign finally slowed in December.

The highest infection rates were recorded in Southern Europe, South America, and the Middle East, which are regions where ICS computers have historically faced elevated risks from email-based threats.

In Africa the worm also spread through removable storage devices, showing how varied its infection vectors became.

Regionally, the percentage of ICS computers with blocked malicious objects ranged from 8.5% in Northern Europe to 27.3% in Africa in Q4 2025, showing just how wide the gap in exposure levels remains across the globe.

The oil and gas sector stood out as the only industry to see an increase in blocked threats during this period, particularly in Russia and Central Asia.

While the broader trend across all surveyed industries has been a gradual decline over multiple years, the worm-driven spike in Q4 2025 served as a clear reminder that email remains a powerful entry point into even the most sensitive industrial environments.

Inside the Infection Mechanism

The way Backdoor.MSIL.XWorm operates reveals a calculated approach to gaining and holding access inside industrial networks.

When a target opens the fake resume file, the malware quietly executes in the background, establishing persistence on the system so it survives reboots and routine maintenance.

From that point, it opens a channel for remote control, allowing attackers to monitor activity, move through the network, and potentially interfere with operational technology processes.

The obfuscation techniques used during the “Curriculum-vitae-catalina” campaigns helped the worm slip past standard detection tools by disguising its true behavior inside layered scripts and encoded payloads.

This is why the malware went undetected on ICS computers in Q3 2025, only to surge dramatically the very next quarter.

Southern Europe recorded the steepest increase, with worm-blocking activity rising by 2.16 times, largely because that region already had the highest rate of email-sourced threats among ICS environments globally.

[Figure: Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025 (Source: Securelist)]

Security teams managing ICS or OT environments should treat any unsolicited email with an executable attachment as a serious risk, even when those emails appear to come from genuine job seekers.

Organizations are advised to enforce strict email filtering policies that block executable attachments before they reach end users.

[Figure: Percentage of ICS computers on which malicious objects were blocked, Q1 2023 to Q4 2025 (Source: Securelist)]

Employees in HR roles and anyone with access to OT-adjacent systems should receive focused training on identifying phishing attempts that mimic hiring communications.

Removable media policies should also be tightened, particularly in regions like Africa where USB-based infection proved to be an active vector during this campaign.

Keeping ICS endpoints updated and running behavior-based detection tools is essential for catching threats like XWorm, which are specifically designed to evade signature-based defenses.
