Email-Borne Worms Escalate Threats to Industrial Control Systems
In the final quarter of 2025, industrial control systems (ICS) worldwide saw a sharp rise in email-borne worm detections. The rise was driven almost entirely by a single malware family, Backdoor.MSIL.XWorm, which within two months was being detected on ICS computers in every region of the world.
Backdoor.MSIL.XWorm is a backdoor worm (the MSIL in the detection name indicates a .NET binary) that establishes a foothold on an infected system and gives the attacker remote control of it. It had no recorded presence on ICS computers in the preceding quarter. By Q4 2025 it had spread widely enough to drive a 1.6-fold increase in the percentage of ICS computers on which worms were detected, to a peak of 1.60%.
The rapid spread of Backdoor.MSIL.XWorm was tied to mass phishing campaigns that relied on obfuscation to get past mail-scanning tools. The campaigns, active since 2024 and dubbed Curriculum-vitae-catalina, target HR managers, recruiters, and others involved in hiring. The attackers send emails posing as job applications, with subject lines such as Resume or Attached Resume, carrying a malicious executable disguised as a curriculum vitae and typically named Curriculum Vitae-Catalina.exe. The attachment is a plain executable rather than a document that exploits a viewer flaw, so the attack succeeds only when the mail gateway lets an executable attachment through and the recipient runs it; both are points at which it can be stopped.
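A mail-gateway check for this lure pattern, as an added example (not code from the original report or from any vendor product): it parses constructed sample messages with Python's standard email library and flags an attachment that carries an executable extension while the file name or subject presents it as a resume. The extension lists, keyword list, addresses and sample messages are assumptions chosen for the example; the double-extension and PE-header checks go beyond the single file name the text quotes, to catch the same disguise in the other forms it commonly takes.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions a gateway in front of HR mailboxes should never pass
# from an external sender. The list is an assumption of this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".msi"}

# Extensions a genuine resume plausibly carries (assumption of this example).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}

# Words that mark a subject line or file name as a job application.
RESUME_WORDS = re.compile(r"\b(resume|cv|curriculum\s*vitae)\b", re.IGNORECASE)


def attachment_findings(raw_message: bytes) -> list[str]:
    """Return the reasons a message looks like a resume lure carrying an executable.

    An empty list means no attachment tripped a rule.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Split on every dot so "Curriculum Vitae.pdf.exe" yields [".pdf", ".exe"].
        pieces = name.lower().split(".")
        exts = ["." + p for p in pieces[1:]]
        final_ext = exts[-1] if exts else ""

        if final_ext in EXECUTABLE_EXTS:
            if RESUME_WORDS.search(name) or RESUME_WORDS.search(subject):
                findings.append(
                    f"executable attachment {name!r} presented as a resume "
                    f"(subject {subject!r})")
            else:
                findings.append(f"executable attachment {name!r}")
            if any(e in DOCUMENT_EXTS for e in exts[:-1]):
                findings.append(
                    f"double extension in {name!r}: document extension "
                    f"hides {final_ext}")

        # A file named like a document but starting with the 'MZ' magic of a
        # Windows executable is renamed malware, whatever the extension says.
        payload = part.get_payload(decode=True) or b""
        if final_ext in DOCUMENT_EXTS and payload[:2] == b"MZ":
            findings.append(
                f"attachment {name!r} claims {final_ext} but carries a PE header")
    return findings


def build_sample(subject: str, filename: str, payload: bytes,
                 subtype: str = "octet-stream") -> bytes:
    """Construct a sample message for testing; nothing here is a real capture."""
    m = EmailMessage()
    m["From"] = "applicant@example.com"
    m["To"] = "hr@example.com"
    m["Subject"] = subject
    m.set_content("Please find my resume attached.")
    m.add_attachment(payload, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


# Constructed samples. The first mirrors the lure described in the text;
# the rest exercise the generalised checks.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60     # stand-in for an executable, not real code
FAKE_PDF = b"%PDF-1.7\n%stand-in document\n"

LURE = build_sample("Attached Resume", "Curriculum Vitae-Catalina.exe", FAKE_PE)
DOUBLE_EXT = build_sample("Resume", "Curriculum Vitae.pdf.exe", FAKE_PE)
RENAMED_PE = build_sample("Resume", "resume.pdf", FAKE_PE, subtype="pdf")
BENIGN = build_sample("Resume", "resume.pdf", FAKE_PDF, subtype="pdf")

if __name__ == "__main__":
    for label, sample in [("lure", LURE), ("double extension", DOUBLE_EXT),
                          ("renamed PE", RENAMED_PE), ("benign", BENIGN)]:
        print(label, "->", attachment_findings(sample) or "clean")
```

The check is deliberately independent of any signature for the worm itself: a gateway that quarantines every external executable attachment, whatever its name, would have stopped this lure without ever knowing the family, and the name and magic-byte rules only add context for the analyst who triages the quarantine.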
The infection came in two waves during Q4 2025. The first, in October, hit Russia, Western Europe, South America, and Canada. A second surge in November reached additional regions before the campaign subsided in December. Southern Europe, South America, and the Middle East saw the highest infection rates. In Africa the worm also spread via removable storage devices, a vector that bypasses mail filtering altogether and that matters in ICS environments where USB media routinely move between networks.
The percentage of ICS computers on which malicious objects were blocked varied widely by region in Q4 2025, from 8.5% in Northern Europe to 27.3% in Africa. The oil and gas sector was hit particularly hard, especially in Russia and Central Asia, and was the only industry in which the share of computers with blocked threats rose during the quarter. The surge is a reminder that industrial environments remain exposed to email-borne attacks.
Infection Mechanism:
When the recipient runs the file posing as a resume, Backdoor.MSIL.XWorm executes silently in the background and establishes persistence so that it survives reboots and routine maintenance. It then opens a remote-control channel through which the attackers can watch activity on the host, move through the network, and potentially interfere with operational technology processes.
The obfuscation used in the Curriculum-vitae-catalina campaigns, layered scripts and encoded payloads that hide the real behaviour, let the worm slip past signature-based detection and spread across ICS networks unnoticed. Because obfuscation defeats static matching on the file, the more reliable controls are an attachment policy that rejects executables from external senders outright and monitoring for what the worm does after execution: a new process launched from a mail-client download location, newly added persistence entries, and outbound connections from hosts that have no business reaching the internet.