A new report from Kaspersky ICS CERT, published December 24, 2025, details a concerning rise in threats to industrial automation systems in East Asia during the third quarter of 2025. The percentage of Industrial Control Systems (ICS) computers in the region that encountered malicious objects rose from 19.7% to 25.0%, moving East Asia from seventh to third in global rankings. The primary driver of this increase was a sharp spike in malicious scripts and phishing pages, a threat category that was blocked on East Asian ICS computers at a rate 1.4 times the worldwide average. Much of this activity was concentrated in Mainland China's engineering and ICS integrator sector.
The Kaspersky report highlights a shift in the threat landscape for East Asian ICS environments. While threats from removable media and network shares are on a long-term decline, attacks delivered via the internet are surging.
The attack vector relies on tricking users into executing malicious code on workstations that have access to, or are part of, the industrial network.
T1204.002 - User Execution: Malicious File: Users are lured into downloading and running what they believe to be legitimate software (e.g., a Torrent client), which contains a hidden malicious payload.
T1059.007 - Command and Scripting Interpreter: JavaScript: The surge in malicious scripts indicates attackers are heavily using web-based scripts (JavaScript, VBScript) to perform reconnaissance, download further payloads, or steal information directly from the browser.
T1566 - Phishing: Phishing remains a primary initial access vector to deliver these malicious scripts and links to trojanized software.

The compromise of ICS environments can have severe consequences, ranging from production downtime to physical safety incidents.
Detecting these threats in an ICS environment requires monitoring both IT and OT networks.
Protecting ICS environments requires a defense-in-depth strategy.
M1033 - Limit Software Installation: Implement strict application allowlisting on all ICS assets, including engineering workstations. This would prevent unauthorized software like the trojanized Torrent clients from ever running.
M1030 - Network Segmentation: Enforce rigid segmentation between the IT and OT networks. Internet access from the control network should be heavily restricted or prohibited entirely. Engineers should not be able to browse the web or check personal email from a workstation used to program PLCs.
M1017 - User Training: Provide targeted security awareness training for all personnel with access to the ICS network. This training should cover the risks of phishing and downloading unauthorized software.

Implement application allowlisting to prevent any unauthorized software, such as the trojanized P2P clients mentioned in the report, from being executed on sensitive ICS workstations.
Strictly segment the OT network from the corporate IT network and the internet to prevent web-based threats from reaching critical control systems.
Train engineers and operators on the risks of phishing and the importance of not installing personal or unauthorized software on company assets, especially those with access to the OT environment.
The most effective technical control to prevent threats like those described in the Kaspersky report is Executable Allowlisting. In sensitive ICS environments, the set of required software is typically static and well-defined. Security teams should create a 'golden image' for engineering workstations and HMIs that includes only approved and necessary applications. An allowlisting policy should then be strictly enforced, preventing any other executable, script, or installer from running. This would have directly prevented the trojanized Torrent and MediaGet clients from executing, regardless of how the user was tricked into downloading them. Implementing this requires a thorough inventory of required software and a robust change management process for updates, but it provides an extremely strong defense against malware execution.
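As an added example (not code from the Kaspersky report), the following PowerShell builds an AppLocker allowlist from a Windows engineering-workstation golden image, pilots it in audit mode, and reviews what the policy would have blocked before it is enforced. The golden-image folders, the baseline file path and the sample file path are assumptions.

```powershell
# Added example, not code from the Kaspersky ICS CERT report: build an AppLocker
# allowlist from an engineering-workstation golden image, roll it out in audit
# mode first, then enforce. Run as Administrator on the golden-image host.
# Assumptions (placeholders): $GoldenDirs holds the approved software folders,
# $PolicyPath is where the baseline XML is kept under change management.
$GoldenDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$PolicyPath = 'C:\ICS-Baseline\applocker-ews.xml'

# 1. Inventory executables, installers and scripts present in the golden image.
$fileInfo = foreach ($dir in $GoldenDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Generate allow rules: publisher rules for signed files, hash rules for the
#    rest. No path rules, so an unsigned binary dropped into an approved folder
#    is still blocked. Everything not matched by a rule is denied by default.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix 'ICS-Golden' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Generated rule collections carry EnforcementMode="NotConfigured"; switch
#    them to AuditOnly for the pilot period and store the baseline.
$auditXml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyPath) | Out-Null
$auditXml | Set-Content -Path $PolicyPath -Encoding UTF8

# 4. Check what the policy decides for a given file before applying it
#    (the file must exist; the path below is a placeholder).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
    -Path 'C:\Users\engineer\Downloads\unapproved-setup.exe'

# 5. Apply to the local machine. AppLocker only evaluates rules while the
#    Application Identity service is running.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 6. During the pilot, review what would have been blocked. Event 8003 in the
#    EXE and DLL log means "allowed only because of audit mode"; 8006 is the
#    equivalent in the MSI and Script log. Each hit is either a missing
#    golden-image entry or unauthorized software worth investigating.
$wouldBlock = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8006
} -ErrorAction SilentlyContinue
$wouldBlock | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 7. Once the pilot is clean, flip the baseline to Enabled and re-apply:
#    ($auditXml -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"') |
#        Set-Content -Path $PolicyPath -Encoding UTF8
#    Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Keep the exported XML under the same change-management process as the golden image itself, so that every approved software update produces a reviewed new baseline rather than an ad hoc rule.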
To counter the rise of internet-borne threats to ICS, strong Network Isolation based on the Purdue Model is essential. The process control network (Levels 0-2) should be completely air-gapped from the internet or, at a minimum, strictly segregated from the corporate IT network via a properly configured DMZ. All traffic between the IT and OT networks must be explicitly permitted and inspected by a firewall. Direct internet access from any host within the OT network should be prohibited. For engineers who need to access external resources, a secure jump host or VDI solution within the IT network should be used, with data transfer to the OT side being a controlled and monitored process. This isolation breaks the attack chain described by Kaspersky, as it prevents engineers on OT workstations from browsing malicious websites or receiving phishing emails that could deliver malicious scripts.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.