In South America, the percentage of ICS computers on which malicious scripts and phishing pages, as well as worms, were blocked increased significantly. The report reviews key cybersecurity issues in the regions.
# Morning News Roll-up 2026-04-29
## Overview
This report focuses on the escalating cyber threat landscape targeting Industrial Control Systems (ICS) in South and North America (specifically Canada) during Q4 2025. Key findings indicate a significant surge in malicious scripts, phishing, and worm-based attacks within the South American industrial sector.
## Top Stories
### ICS Threat Landscape: South and North America Q4 2025
- Summary: In South America, the percentage of ICS computers facing threats from malicious scripts and phishing pages significantly increased throughout the final quarter of 2025. The report highlights a regional trend where worms and automated malware targeting industrial automation systems have seen a marked uptick, posing risks to critical infrastructure stability and data integrity.
- Source: hxxps://ics-cert[.]kaspersky[.]com/publications/reports/2026/04/29/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q4-2025/
---
# Main Topic
Increased Cyber Threats to Industrial Automation Systems in South and North America (Q4 2025)
## Key Points
- **Rising Threat Percentages:** South America experienced a notable increase in the percentage of ICS computers where malicious scripts, phishing pages, and worms were blocked.
- **Regional Disparity:** While South America saw an increase in volume and variety of attacks, North America (focused on Canada) showed distinct patterns in targeted automation system threats.
- **Worm Proliferation:** There is a specific resurgence in worm-based threats designed to propagate through industrial networks, potentially exploiting internal vulnerabilities after an initial breach via phishing.
- **Trend Analysis:** The data suggests that industrial organizations in these regions are being increasingly targeted by both opportunistic and potentially targeted campaigns involving web-based threats.
## Threat Actors
- **Cyber-opportunists:** Groups utilizing automated scripts and phishing kits to gain initial access to industrial networks.
- **Worm Developers:** Actors focusing on self-propagating malware to maximize footprint within isolated industrial environments.
- **Attribution:** While specific group names were not explicitly detailed in the summary, the activities align with financially motivated actors and those conducting industrial reconnaissance.
## TTPs
- **Phishing and Web-based Attacks:** Use of malicious scripts and localized phishing pages to harvest credentials or deliver payloads to ICS operators.
- **Self-Propagating Worms:** Employment of malware that spreads via network shares and removable media to bypass the "air gap" or segmentation in industrial environments (T1091).
- **Automated Scripting:** Use of malicious JS/VBS scripts on compromised websites to execute code on visiting ICS workstations.
- **MITRE ATT&CK References:**
  - Phishing (T1566)
  - Replication Through Removable Media (T1091)
  - Client-side Execution (T1203)
## Affected Systems
- **ICS Computers:** Workstations used for human-machine interface (HMI), engineering stations, and SCADA servers.
- **Industrial Automation Platforms:** Various proprietary systems used for monitoring and controlling physical processes.
- **Geographic Scope:** Primarily industrial facilities in South America and Canada.
## Mitigations
- **Network Segmentation:** Ensure clear isolation between corporate IT networks and industrial OT networks to prevent worm propagation.
- **Endpoint Protection:** Deploy specialized ICS security solutions capable of detecting malicious scripts and blocking phishing attempts at the browser level.
- **Removable Media Control:** Implement strict policies and technical controls (e.g., USB port blocking/scanning) to mitigate worm movement.
- **Security Awareness Training:** Train industrial personnel to recognize region-specific phishing tactics and social engineering.
- **Regular Audits:** Conduct vulnerability assessments specifically for ICS-integrated web components and automation software.
## Conclusion
The Q4 2025 landscape for South and North American industrial systems indicates a deteriorating security environment, particularly regarding web-delivered threats and self-propagating malware. Organizations operating ICS should prioritize the hardening of engineering workstations and improve the detection of lateral movement to prevent automated threats from disrupting critical industrial processes.