Key takeaways
  • Easy-to-detect threats are declining, while more targeted, under-the-radar attacks are increasing.
  • Defensive systems are filtering better—but not catching everything.
  • Threat detection ranges widely—from 8.5% in Northern Europe to 27.3% in Africa—highlighting gaps in infrastructure and security maturity.

One assumption about cyberattacks is that more attacks equal more alerts. But the previous quarter's data tells a very different story. According to a report from Kaspersky in Q4 2025, just 19.7% of industrial control system (ICS) computers blocked malicious objects, continuing a steady decline that began in early 2024.

Over three years, that figure has dropped by a factor of 1.36, and by a factor of 1.25 since Q4 2023. The reason is that easy-to-detect threats are declining: attacks are becoming more precise and under the radar, while defense systems are getting better at filtering low-level threats.

It sounds like progress, but that may not be the case.

ICS environments, the systems that run factories, energy grids, and critical infrastructure, aren't seeing fewer threats. Instead, the drop in blocked activity suggests a shift in how attacks are delivered or detected. So that begs the question: are systems getting safer, or are threats getting smarter?

The trend holds across most regions, but not evenly. In Q4 2025, the share of ICS machines blocking threats ranged from 8.5% in Northern Europe to 27.3% in Africa. Some regions, including Southern Europe and South Asia, saw increases, while East Asia experienced a sharp spike in Q3 due to a local surge in malicious scripts before returning to normal levels in Q4.


Then Came the Email Worms

One category stood out sharply: worms.

The percentage of ICS computers blocking worms increased by 1.6 times globally. This rise ties directly back to the XWorm campaign and its email-based spread. Southern Europe saw the largest jump, with a 2.16 times increase.

At the same time, traditional viruses declined to 1.33%. A malware strain known as Backdoor.MSIL.XWorm appeared suddenly and spread across every region. It’s designed to persist on infected systems and allow remote control. What stands out is how it spread.

Attackers sent phishing emails disguised as job applications, targeting HR teams and recruiters. Subject lines were simple, “Resume” or “Attached Resume,” and the attachment looked like a CV. In reality, it was an executable file, often named “Curriculum Vitae-Catalina.exe.” Once opened, the system was infected.
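The lure described above is easy to express as a mail-gateway triage rule: an executable attachment arriving under a resume-themed subject or file name is blocked outright, and a resume-themed attachment of an unexpected type is queued for review. The code below is an added example, not part of the original article or the Kaspersky report; the event format, the mailbox names and every attachment name other than "Curriculum Vitae-Catalina.exe" are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Attachment types that should never arrive as a "CV": Windows executables and script hosts.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
# Document types a genuine application would plausibly use (assumption for this example).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".odt", ".rtf", ".txt"}
# Resume-themed words from the lure ("Resume", "Curriculum Vitae") plus the common "CV" abbreviation.
RESUME_WORDS = re.compile(r"\b(resume|cv|curriculum[ -]?vitae)\b", re.IGNORECASE)


@dataclass
class MailEvent:
    sender: str
    recipient: str
    subject: str
    attachment: str  # file name as declared in the MIME part


def extension(name: str) -> str:
    # Use the LAST suffix so a double extension such as "resume.pdf.scr" is seen as .scr.
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(ev: MailEvent) -> str:
    """Return 'block', 'review' or 'allow' for one inbound message with an attachment."""
    ext = extension(ev.attachment)
    resume_themed = bool(RESUME_WORDS.search(ev.subject) or RESUME_WORDS.search(ev.attachment))
    if ext in EXECUTABLE_EXTS:
        return "block"  # an executable posing as a CV, or any executable sent to HR
    if resume_themed and ext not in DOCUMENT_EXTS:
        return "review"  # resume-themed but an unexpected type (archive, HTML, ...)
    return "allow"


# Constructed sample events, not data from the report.
SAMPLE_EVENTS = [
    MailEvent("applicant@example.net", "hr@plant.example", "Resume", "Curriculum Vitae-Catalina.exe"),
    MailEvent("jane@example.org", "hr@plant.example", "Attached Resume", "Jane_Doe_CV.pdf"),
    MailEvent("bob@example.org", "recruiting@plant.example", "Application", "resume.pdf.scr"),
    MailEvent("x@example.com", "hr@plant.example", "Resume", "cv.zip"),
    MailEvent("ops@example.com", "ops@plant.example", "Shift report", "report.xlsx"),
]


def triage(events: list[MailEvent]) -> dict[str, str]:
    """Map each attachment name to the verdict the gateway would apply."""
    return {ev.attachment: classify(ev) for ev in events}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:6s} {name}")
```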

This campaign, known since 2024 as “Curriculum-vitae-catalina,” unfolded in waves. In October, attacks hit Russia, Western Europe, South America, and Canada. By November, the spread had gone global. But by December, activity had declined.

The pattern shows coordination, not randomness.

How Attacks Are Getting In

Despite the drop in overall detections, the main entry points remain familiar. The internet, email, and removable devices still dominate, but their roles are shifting.

Internet-based threats fell to 7.67%, the lowest since early 2023. Email threats, however, remained a consistent delivery channel, particularly for phishing, spyware, and malicious documents. In regions like Southern Europe, email-based attacks reached as high as 6.34%.

In Africa, removable media continues to play a role, with 1.41% of ICS computers encountering threats through USB devices. This reflects infrastructure realities where offline transfers are still common.

The takeaway here is that attackers aren’t relying on one method. They’re adjusting based on environment.

What Happens After Infection

Initial access is only part of the story. Once inside, attackers deploy secondary payloads.

In Q4 2025, spyware remained the most common follow-up threat, affecting 3.80% of ICS systems. Ransomware stayed relatively low at 0.16%, while web miners dropped to 0.24%, their lowest level yet. One category moved in the opposite direction: executable miners, which rose slightly to 0.60%.

The link is consistent—when initial infection drops, so do these secondary threats.

But some industries remain more exposed than others. The biometrics sector continues to rank highest, largely due to internet accessibility and weaker internal controls. In Q4, only one sector, oil and gas, recorded an increase in blocked threats, particularly in regions like Russia and Central Asia.

Over a longer period, though, even these sectors show the same downward trend. Security systems detected malware from 10,142 different families in Q4 2025. That number alone shows the scale of variation. Yet only two categories, worms and executable miners, showed growth.

Everything else declined.

The numbers point to a shift rather than a slowdown. Fewer blocked threats suggest either improved defences or attacks that are harder to detect. Campaigns like XWorm lean toward the latter: targeted, well-timed, and designed to blend into routine workflows like hiring. The result is a less noisy threat landscape, but not a safer one.
