In the fourth quarter of 2025, a global increase in email-transmitted worms significantly impacted industrial control systems (ICS), marking a major shift in threats to operational technology (OT) environments. This surge was driven by a single piece of malware that spread across ICS networks worldwide through phishing emails within just two months.
Backdoor Malware’s Impact
The focal point of this threat was a backdoor worm named Backdoor.MSIL.XWorm. This malware infiltrates systems and grants attackers full remote control over compromised devices. Its sudden appearance in Q4 2025, after being absent from ICS computers in the previous quarter, underscores how quickly it spread across regions worldwide.
During this period, the percentage of ICS computers blocking worms increased by 1.6 times to reach 1.60%, a spike primarily attributed to this campaign. Securelist analysts linked the spread of Backdoor.MSIL.XWorm to a specific obfuscation technique heavily utilized in mass phishing campaigns throughout Q4 2025.
Phishing Tactics and Regional Impact
Known since 2024 as “Curriculum-vitae-catalina,” these campaigns employed a straightforward yet effective tactic. Attackers sent emails disguised as job applications to HR managers and recruiters, using subject lines like “Resume” or “Attached Resume.” The emails contained malicious executable files masquerading as curriculum vitae, named Curriculum Vitae-Catalina.exe, which infected systems upon opening.
The infection unfolded in two distinct waves during Q4 2025. The first wave, in October, targeted Russia, Western Europe, South America, and North America, particularly Canada. A subsequent spike in November expanded to additional regions, with the highest infection rates in Southern Europe, South America, and the Middle East. In Africa, the worm also spread through removable storage devices, a second infection vector alongside email.
Security Implications and Recommendations
Regionally, the percentage of ICS computers with blocked threats ranged from 8.5% in Northern Europe to 27.3% in Africa during Q4 2025, highlighting the varying exposure levels. The oil and gas industry, particularly in Russia and Central Asia, experienced an increase in blocked threats, contrasting with a broader decline in other sectors over recent years.
The operational mechanism of Backdoor.MSIL.XWorm reveals a calculated effort to maintain access within industrial networks. Once executed, the malware establishes persistence, enabling remote control and potential interference with OT processes. The obfuscation techniques used allowed it to evade detection in Q3 2025, leading to a significant upsurge the following quarter.
Security teams managing ICS or OT environments must treat unsolicited emails with executable attachments as high-risk, even when they appear legitimate. Implementing stringent email filtering policies and educating HR personnel on phishing identification are vital. Additionally, reinforcing removable media policies, particularly in regions like Africa, is crucial because of the active USB-based infection vector.
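As an added illustration of the email filtering recommended above (example code written for this page, not part of the original report or any vendor product), the following gateway-style check flags messages that match the résumé-lure pattern described in the article: a résumé-themed subject, an attachment with an executable extension, a CV-like filename, or a payload carrying a PE header regardless of its extension. The sample messages and sender/recipient addresses are constructed for the test and are not real campaign artifacts.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions an ICS/OT mail gateway should never pass from unsolicited senders.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Lure vocabulary of the "Curriculum-vitae-catalina" style campaign.
RESUME_WORDS = ("resume", "curriculum vitae", "cv")


def resume_lure_findings(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a message; an empty list means no finding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    subject_is_lure = any(w in subject for w in RESUME_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        looks_like_pe = payload[:2] == b"MZ"  # DOS/PE header, whatever the extension says
        if ext in EXECUTABLE_EXTS or looks_like_pe:
            findings.append(f"executable attachment: {name!r}")
        if subject_is_lure and (ext in EXECUTABLE_EXTS or looks_like_pe):
            findings.append(f"resume-themed subject with executable payload: {subject!r}")
        if ext in EXECUTABLE_EXTS and any(w in name.lower() for w in RESUME_WORDS):
            findings.append(f"executable named as a CV: {name!r}")
    return findings


def build_message(subject: str, filename: str, payload: bytes, mime: str) -> bytes:
    """Assemble a constructed test message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # constructed address
    msg["To"] = "hr@example.invalid"            # constructed address
    msg["Subject"] = subject
    msg.set_content("Please find my CV attached.")
    maintype, subtype = mime.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a lure shaped like the campaign, and a benign PDF résumé.
LURE = build_message("Attached Resume", "Curriculum Vitae-Catalina.exe",
                     b"MZ" + b"\x00" * 64, "application/octet-stream")
BENIGN = build_message("Attached Resume", "cv.pdf", b"%PDF-1.4\n", "application/pdf")
```

The PE-header check matters because renaming the executable to a document extension would otherwise slip past a list of blocked extensions.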
Maintaining updated ICS endpoints and employing behavior-based detection tools are essential to counter threats like XWorm, which is designed to bypass signature-based defenses.
