ACCORDING to Kaspersky ICS CERT, the share of ICS computers blocked for malicious objects in Q4 2025 was 19.7%, with regional rates ranging from 8.5% in Northern Europe to 27.3% in Africa. The report notes a notable activity in worms in email, driven by Backdoor.MSIL[.]XWorm, which spread in two waves in October and November, and was linked to phishing campaigns using the Curriculum Vitae-Catalina disguise.
It also records that four regions saw increases in threat blockers, with Southern Europe and South Asia highlighted for notable rises, while East Asia had previously spiked in Q3 2025. In terms of threat diversity, Kaspersky protection blocked malware from 10,142 different malware families on ICS, and there was an uptick in blocking worms and miners, the latter in executable Windows forms.
The analysis explains that the internet, email clients, and removable storage remain primary threat sources, and highlights that Backdoor.MSIL[.]XWorm was the most discussed worm across regions, including Africa where removable media activity remains high.