Worm‑In‑Email Campaign Targets Industrial Automation Systems, Q4 2025
What Happened – Kaspersky’s Q4 2025 Industrial Control Systems (ICS) report shows a sharp rise in email‑borne worms, notably Backdoor.MSIL.XWorm, spreading via phishing messages whose attachments masquerade as résumés. The malware persisted on compromised workstations and gave attackers remote control, affecting 19.7 % of surveyed ICS endpoints worldwide.
Why It Matters for TPRM –
- Email‑borne malware can compromise third‑party vendors that manage or maintain industrial automation equipment.
- Remote‑control capabilities enable lateral movement into production networks, increasing supply‑chain risk.
- The global spread across multiple regions highlights a coordinated campaign that may target multinational suppliers.
Who Is Affected – Manufacturing & industrial automation firms, engineering service providers, and any third‑party vendors with access to plant floor PCs or HR/recruiting portals.
Recommended Actions –
- Verify that all third‑party vendors enforce strict email security controls (attachment sandboxing, URL filtering).
- Require vendors to implement multi‑factor authentication and least‑privilege for accounts handling HR‑related communications.
- Conduct a review of remote‑access tools and ensure they are hardened against unauthorized use.
Technical Notes – The campaign leveraged phishing emails to HR staff, delivering a malicious executable named Curriculum Vitae‑Catalina.exe. Once executed, Backdoor.MSIL.XWorm established persistence and remote command‑and‑control channels. No specific CVE is cited; the threat vector is phishing‑based malware distribution.
Source: SecureList – Industrial Threat Report Q4 2025
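The attachment control recommended above, applied to the lure described in the Technical Notes, as an added example that is not code from the Kaspersky/SecureList report: it parses a mail message, inspects each attachment's real content (a PE file begins with an "MZ" header) and extension, and flags résumé‑themed names on executable content. The sample message, addresses and policy thresholds are constructed for illustration.

```python
"""Flag résumé-themed executable attachments in an RFC 5322 message.
Added defender-side example, not from the Kaspersky/SecureList report. Assumed
policy: PE content or an executable extension is blocked; a CV-themed name on it
mirrors the lure seen in this campaign (Curriculum Vitae-Catalina.exe)."""
import email
import email.policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")
RESUME_WORDS = ("curriculum", "vitae", "resume", "résumé", "cv")


def classify_attachment(filename, payload):
    """Return the reasons an attachment is suspicious (empty list = clean)."""
    reasons = []
    name = (filename or "").lower()
    # Inspect content before the name: a PE file starts with the "MZ" DOS stub
    # no matter what extension the sender chose.
    if payload[:2] == b"MZ":
        reasons.append("PE header (MZ) in attachment body")
    # Windows honours the last extension; a CV should never end in one of these.
    for ext in EXEC_EXTENSIONS:
        if name.endswith(ext):
            reasons.append(f"executable extension {ext}")
            break
    if reasons and any(word in name for word in RESUME_WORDS):
        reasons.append("résumé-themed filename on executable content")
    return reasons

def scan_message(raw_bytes):
    """Parse a raw message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename()] = reasons
    return findings

def build_sample_message():
    """Constructed sample mail to HR: one lure .exe (fake MZ stub) and one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@plant.example.invalid"
    msg["Subject"] = "Application - Catalina"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="Curriculum Vitae-Catalina.exe")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` flags only the .exe, with all three reasons; the PDF passes because neither its content nor its extension is executable.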