Industrial Malware Trend Shifts in Q3 2025 Raise CISO Concerns

breachwire Team · Dec 26, 2025 · 5 min read

Executive Summary

Industrial automation systems continue to be a ripe target for cyberattacks, and the Q3 2025 threat landscape reflects a critical shift in attacker behavior. The latest industrial threat report by Kaspersky ICS CERT reveals regional surges, diversified malware families, and an alarming rise in phishing attacks against engineering and manufacturing sectors. For CISOs, the key takeaway from today's daily briefing: while overall infections fell marginally, the complexity and stealth of OT threat vectors are increasing.

This article breaks down the latest threat intelligence, analyzing key patterns in initial infections, infection sources, and malware propagation across OT networks. With email-borne spyware, script-based phishing, and rising regional variances, enterprise leaders must enhance visibility and hygiene in industrial control system (ICS) environments.

What Happened

According to Kaspersky’s Q3 2025 report on industrial threat activity, the percentage of ICS systems experiencing malware detections fell slightly—by 0.4 percentage points—to 20.1%. Although this represents a relative low, significant risk remains due to increased activity in specific regions and sectors:

  • East Asia and Africa showed regional spikes, with rates as high as 27.4% due to intensified script-based attacks.
  • The biometrics, engineering, and manufacturing industries saw the highest infection rates.
  • Kaspersky detected 11,356 malware families, highlighting mounting threat diversity.
  • Initial infection vectors included phishing emails, malicious web content, removable media, and network folder infections.
  • Phishing and spyware attacks rose, particularly in campaigns exploiting known Microsoft Office vulnerabilities (e.g., CVE-2017-11882).
  • Worm and virus activity propagating via internal OT systems increased modestly.
  • AutoCAD malware infections showed a marginal uptick to 0.30%.

These trends underscore how attacks on industrial automation are increasingly stealthy, persistent, and tailored toward regional infrastructures.

Why This Matters for CISOs

CISOs tasked with securing OT environments must recognize that a static cybersecurity posture is no longer sufficient. While infection rates may fall quarter over quarter, the underlying risk profile is expanding:

  • Threats are regionalized, exploiting local infrastructure behaviors.
  • Threat categories are diversifying, pressuring detection strategies.
  • Legacy vulnerabilities remain open doors for attackers armed with old-but-effective tactics.

Operational resilience hinges on harmonizing North-South (IT/OT) visibility, enhancing email defense layers, and integrating dynamic threat feeds into ICS monitoring. OT environments demand the same rigor in telemetry and response mechanisms as traditional IT networks—especially as threat actors blend entry methods with increasing precision.

Threat & Risk Analysis

Attack Vectors:

  • Internet-based threats remain dominant, with malicious scripts, phishing pages, and denylisted URLs leading attack chains. Africa saw the highest web-based infection rate (10.31%).
  • Email-borne threats (spyware, malicious scripts, and documents) surged due to password-protected file payloads. Southern Europe was hardest hit at 6.85%.
  • Removable and shared media delivered low-volume but high-persistence infections via worms and viruses in ICS environments.

Exposure Scenarios:

  • ICS integrators and engineering firms often lack network segmentation, enabling lateral movement post-compromise.
  • Legacy Office applications remain unpatched in many industrial environments, making CVE-2017-11882 effective years after disclosure.

Supply Chain Relevance:

  • Several attacks leveraged legitimate software tools (e.g., AutoCAD, MediaGet) to deliver malware, creating indirect supply chain risk.
  • Engineering firms that serve multiple critical sectors propagate compromise risks downstream.

Attacker Motivations:

  • Increased spyware use signals intent to extract credentials and IP, especially in high-value manufacturing and biometrics sectors.
  • Ransomware, though low in volume per this report, remains primed for ICS disruption due to its ability to paralyze production environments.

Enterprise Impact:

  • Operational delays and downtime from worm infections.
  • Loss of IP and user credentials through phishing.
  • Compliance risks from breaches, particularly under NIS2 and sector-specific ICS mandates.

To better align with threat trends discussed here, CISOs should reference our daily cyber threat briefings for evolving intelligence and our comprehensive patch management strategy to stay ahead of legacy exploit risks.

MITRE ATT&CK Mapping

  • T1193 — Spearphishing Attachment
    Used for initial infection via Office documents exploiting CVE-2017-11882.

  • T1204 — User Execution
    Phishing scripts and malicious documents require interaction via email or file open.

  • T1059 — Command and Scripting Interpreter
    Malicious scripts used extensively across email and web vectors.

  • T1082 — System Information Discovery
    Spyware retrieved detailed system info after infection.

  • T1071 — Application Layer Protocol
    Use of cloud services and CDNs for C2 communication.

  • T1105 — Ingress Tool Transfer
    Transfer of spyware as secondary payload through encrypted archives.

  • T1027 — Obfuscated Files or Information
    Multi-layered scripts in phishing emails and archived payloads.

Key Implications for Enterprise Security

  • ICS infrastructure is increasingly vulnerable to old-but-effective email exploits.
  • Even with slight decreases in global infection rates, regional spikes represent dangerous operational volatility.
  • Malware is now often delivered through legitimate tools, complicating detection.
  • Monitoring removable media remains essential, especially in air-gapped environments.
  • Growing malware family diversity demands continuous threat behavior analysis, not just signature-based detection.

Recommended Defenses & Actions

Immediate (0–24h)

  • Block denylisted URLs and IPs via updated threat feeds across ICS/IT gateways.
  • Audit email filters for effectiveness against password-protected and macro-based documents.
  • Alert on downloads/execution from torrent clients or unauthorized utilities (e.g., MediaGet).
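The "audit email filters" item above is easiest to test with concrete attachments. The following is an added example, not code from the original article or from Kaspersky: a small attachment triage function of the kind a mail-gateway rule would call, tagging password-protected archives (encryption bit in the ZIP local header), macro-enabled OOXML files, and the legacy OLE/RTF containers that can embed the Equation Editor objects behind CVE-2017-11882. All sample attachments are constructed inline and contain no malware.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary: legacy .doc/.xls
RTF_MAGIC = b"{\\rtf"

def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk raw local file headers; bit 0 of the general-purpose flag word marks encryption.
    Reading headers directly (not the central directory) also covers truncated or
    deliberately malformed archives that zipfile refuses to open."""
    pos = data.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + 8 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & 0x0001:
            return True
        pos = data.find(ZIP_LOCAL_SIG, pos + 4)
    return False

def zip_member_names(data: bytes) -> list:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage_attachment(data: bytes) -> list:
    """Return the tags a gateway quarantine rule would act on for one attachment body."""
    tags = []
    if data.startswith(OLE_MAGIC):
        tags.append("ole-compound-document")   # may embed OLE objects such as Equation Editor
    if data.startswith(RTF_MAGIC):
        tags.append("rtf-document")            # RTF embeds OLE objects the same way
    if data.startswith(ZIP_LOCAL_SIG):
        if zip_has_encrypted_entry(data):
            tags.append("password-protected-archive")   # content cannot be scanned
        if any(n.lower().endswith("vbaproject.bin") for n in zip_member_names(data)):
            tags.append("macro-enabled-ooxml")          # .docm/.xlsm keep VBA in this member
    return tags

def build_samples() -> dict:
    """Constructed sample attachments (hypothetical, benign) covering each rule."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in members.items():
                zf.writestr(name, body)
        return buf.getvalue()
    encrypted = bytearray(make_zip({"invoice.exe": b"MZ-stub"}))
    encrypted[6] |= 0x01   # flip the encryption bit in the first local header (offset 6)
    return {"plain": make_zip({"readme.txt": b"hello"}),
            "encrypted": bytes(encrypted),
            "macro": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"}),
            "ole": OLE_MAGIC + b"\x00" * 16,
            "rtf": b"{\\rtf1\\ansi sample}"}
```

Run `triage_attachment(build_samples()["encrypted"])` to see the archive rule fire; in production the byte inspection would replace a filter that trusts the declared MIME type or file extension.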

Short Term (1–7 days)

  • Patch Microsoft Office environments vulnerable to CVE-2017-11882.
  • Isolate ICS from IT zones where feasible; implement stricter USB controls.
  • Profile the threat tradecraft reported by Kaspersky and diversify sources of threat telemetry.

Strategic (30 days)

  • Deploy segmented monitoring of OT environments with DPI and anomaly detection.
  • Collaborate with third-party vendors to assess vulnerabilities in industrial tool chains such as AutoCAD toolsets.
  • Train engineers and OT personnel on evolving phishing lures, localized to their region/language.

Conclusion

The Q3 2025 industrial threat report reveals a cyber landscape that’s becoming more evasive and regionally tuned. Although infection rates may appear to decline, the rise in precision attacks—especially against East Asian and African infrastructures—should focus CISO attention on architectural resilience, legacy vulnerability management, and behavior-based detection methods.

To keep up with such evolving threats, subscribing to daily briefing updates and maintaining real-time ICS monitoring are no longer optional—they are foundational to cyber and operational resilience.
