Statistics across all threats

In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased by 1.4 pp from the previous quarter to 20.5%.

Compared to Q2 2024, the rate decreased by 3.0 pp.

Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 11.2% in Northern Europe to 27.8% in Africa.

In most of the regions surveyed in this report, the figures decreased from the previous quarter. They increased only in Australia and New Zealand, as well as Northern Europe.

Selected industries

The biometrics sector led the ranking of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.

In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased across all industries.

Diversity of detected malicious objects

In Q2 2025, Kaspersky security solutions blocked malware from 10,408 different malware families from various categories on industrial automation systems.

The only increases were in the percentages of ICS computers on which denylisted internet resources (1.2 times more than in the previous quarter) and malicious documents (1.1 times more) were blocked.

Main threat sources

Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).

The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.

In Q2 2025, the percentage of ICS computers on which threats from email clients were blocked continued to increase. The main categories of threats from email clients blocked on ICS computers are malicious documents, spyware, malicious scripts and phishing pages. The indicator increased in all regions except Russia. By contrast, the global average for other threat sources decreased. Moreover, the rates reached their lowest levels since Q2 2022.

The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked exceeds the percentage of threats from the source itself.

The rates for all threat sources varied across the monitored regions.

• The percentage of ICS computers on which threats from the internet were blocked ranged from 6.35% in East Asia to 11.88% in Africa
• The percentage of ICS computers on which threats from email clients were blocked ranged from 0.80% in Russia to 7.23% in Southern Europe
• The percentage of ICS computers on which threats from removable media were blocked ranged from 0.04% in Australia and New Zealand to 1.77% in Africa
• The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.25% in East Asia

Threat categories

A typical attack blocked within an OT network is a multi-stage process, where each subsequent step by the attackers is aimed at increasing privileges and gaining access to other systems by exploiting the security problems of industrial enterprises, including technological infrastructures.

It is worth noting that during the attack, intruders often repeat the same steps (TTPs), especially when they use malicious scripts and established communication channels with the management and control infrastructure (C2) to move laterally within the network and advance the attack.

Malicious objects used for initial infection

In Q2 2025, the percentage of ICS computers on which denylisted internet resources were blocked increased to 5.91%.

The percentage of ICS computers on which denylisted internet resources were blocked ranged from 3.28% in East Asia to 6.98% in Africa. Russia and Eastern Europe were also among the top three regions for this indicator. It increased in all regions and this growth is associated with the addition of direct links to malicious code hosted on popular public websites and file-sharing services.

The percentage of ICS computers on which malicious documents were blocked has grown for two consecutive quarters. The rate reached 1.97% (up 0.12 pp) and returned to the level seen in Q3 2024. The percentage increased in all regions except Latin America.
The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.49% (down 0.67 pp).

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware (spyware, ransomware, and miners) to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

In Q2 2025, the percentage of ICS computers on which malicious objects from all categories were blocked decreased. The rates are:

• Spyware: 3.84% (down 0.36 pp);
• Ransomware: 0.14% (down 0.02 pp);
• Miners in the form of executable files for Windows: 0.63% (down 0.15 pp);
• Web miners: 0.30% (down 0.23 pp), its lowest level since Q2 2022.

Self-propagating malware

Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software such as Radmin2.

In Q2 2025, the percentage of ICS computers on which worms and viruses were blocked decreased to 1.22% (down 0.09 pp) and 1.29% (down 0.24 pp). Both are the lowest values since Q2 2022.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

In Q2 2025, the percentage of ICS computers on which AutoCAD malware was blocked continued to decrease to 0.29% (down 0.05 pp) and reached its lowest level since Q2 2022.

For more information on industrial threats see the full version of the report.

Modern vehicles are transforming into full-fledged digital devices that offer a multitude of features, from common smartphone-like conveniences to complex intelligent systems and services designed to keep everyone on the road safe. However, this digitalization, while aimed at improving comfort and safety, is simultaneously expanding the vehicle’s attack surface.

In simple terms, a modern vehicle is a collection of computers networked together. If a malicious actor gains remote control of a vehicle, they could be able not only steal user data but also create a dangerous situation on the road. While intentional attacks targeting a vehicle’s functional safety have not become a widespread reality yet, that does not mean the situation will not change in the foreseeable future.

The digital evolution of the automobile

The modern vehicle is a relatively recent invention. While digital systems like the electronic control unit and onboard computer began appearing in vehicles back in the 1970s, they did not become standard until the 1990s. This technological advancement led to a proliferation of narrowly specialized electronic devices, each with a specific task, such as measuring wheel speed, controlling headlight modes, or monitoring door status. As the number of sensors and controllers grew, local automotive networks based on LIN and CAN buses were introduced to synchronize and coordinate them. Fast forward about 35 years, and modern vehicle is a complex technical device with extensive remote communication capabilities that include support for 5G, V2I, V2V, Wi-Fi, Bluetooth, GPS, and RDS.

Components like the head unit and telecommunication unit are standard entry points into the vehicle’s internal infrastructure, which makes them frequent objects for security research.

From a functional and architectural standpoint, we can categorize vehicles into three groups. The lines between these categories are blurred, as many vehicles could fit into more than one, depending on their features.

Obsolete vehicles do not support remote interaction with external information systems (other than diagnostic tools) via digital channels and have a simple internal architecture. These vehicles are often retrofitted with modern head units, but those components are typically isolated within a closed information environment because they are integrated into an older architecture. This means that even if an attacker successfully compromises one of these components, they cannot pivot to other parts of the vehicle.

Legacy vehicles are a sort of transitional phase. Unlike simpler vehicles from the past, they are equipped with a telematics unit, which is primarily used for data collection rather than remote control – though two-way communication is not impossible. They also feature a head unit with more extensive functionality, which allows changing settings and controlling systems. The internal architecture of these vehicles is predominantly digital, with intelligent driver assistance systems. The numerous electronic control units are connected in an information network that either has flat structure or is only partially segmented into security domains. The stock head unit in these vehicles is often replaced with a modern unit from a third-party vendor. From a cybersecurity perspective, legacy vehicles represent the most complex problem. Serious physical consequences, including life-threatening situations, can easily result from cyberattacks on these vehicles. This was made clear 10 years ago when Charlie Miller and Chris Valasek conducted their famous remote Jeep Cherokee hack.

Modern vehicles have a fundamentally different architecture. The network of electronic control units is now divided into security domains with the help of a firewall, which is typically integrated within a central gateway. The advent of native two-way communication channels with the manufacturer’s cloud infrastructure and increased system connectivity has fundamentally altered the attack surface. However, many automakers learned from the Jeep Cherokee research. They have since refined their network architecture, segmenting it with the help of a central gateway, configuring traffic filtering, and thus isolating critical systems from the components most susceptible to attacks, such as the head unit and the telecommunication module. This has significantly complicated the task of compromising functional safety through a cyberattack.

Possible future threat landscape

Modern vehicle architectures make it difficult to execute the most dangerous attacks, such as remotely deploying airbags at high speeds. However, it is often easier to block the engine from starting, lock doors, or access confidential data, as these functions are frequently accessible through the vendor’s cloud infrastructure. These and other automotive cybersecurity challenges are prompting automakers to engage specialized teams for realistic penetration testing. The results of these vehicle security assessments, which are often publicly disclosed, highlight an emerging trend.

Despite this, cyberattacks on modern vehicles have not become commonplace yet. This is due to the lack of malware specifically designed for this purpose and the absence of viable monetization strategies. Consequently, the barrier to entry for potential attackers is high. The scalability of these attacks is also poor, which means the guaranteed return on investment is low, while the risks of getting caught are very high.

However, this situation is slowly but surely changing. As vehicles become more like gadgets built on common technologies – including Linux and Android operating systems, open-source code, and common third-party components – they become vulnerable to traditional attacks. The integration of wireless communication technologies increases the risk of unauthorized remote control. Specialized tools like software-defined radio (SDR), as well as instructions for exploiting wireless networks (Wi-Fi, GSM, LTE, and Bluetooth) are becoming widely available. These factors, along with the potential decline in the profitability of traditional targets (for example, if victims stop paying ransoms), could lead attackers to pivot toward vehicles.

Which vehicles are at risk

Will attacks on vehicles become the logical evolution of attacks on classic IT systems? While attacks on remotely accessible head units, telecommunication modules, cloud services or mobile apps for extortion or data theft are technically more realistic, they require significant investment, tool development, and risk management. Success is not guaranteed to result in a ransom payment, so individual cars remain an unattractive target for now.

The real risk lies with fleet vehicles, such as those used by taxi and carsharing services, logistics companies, and government organizations. These vehicles are often equipped with aftermarket telematics and other standardized third-party hardware that typically has a lower security posture than factory-installed systems. They are also often integrated into the vehicle’s infrastructure in a less-than-secure way. Attacks on these systems could be highly scalable and pose significant financial and reputational threats to large fleet owners.

Another category of potential targets is represented by trucks, specialized machinery, and public transit vehicles, which are also equipped with aftermarket telematics systems. Architecturally, they are similar to passenger cars, which means they have similar security vulnerabilities. The potential damage from an attack on these vehicles can be severe, with just one day of downtime for a haul truck potentially resulting in hundreds of thousands of dollars in losses.

Investing in a secure future

Improving the current situation requires investment in automotive cybersecurity at every level, from the individual user to the government regulator. The driving forces behind this are consumers’ concern for their own safety and the government’s concern for the security of its citizens and national infrastructure.

Automotive cybersecurity is already a focus for researchers, cybersecurity service providers, government regulators, and major car manufacturers. Many automotive manufacturing corporations have established their own product security or product CERT teams, implemented processes for responding to new vulnerability reports, and made penetration testing a mandatory part of the development cycle. They have also begun to leverage cyberthreat intelligence and are adopting secure development methodologies and security by design. This is a growing trend, and this approach is expected to become standard practice for most automakers 10 years from now.

Simultaneously, specialized security operations centers (SOCs) for vehicles are being established. The underlying approach is remote data collection from vehicles for subsequent analysis of cybersecurity events. In theory, this data can be used to identify cyberattacks on cars’ systems and build a database of threat information. The industry is actively moving toward deploying these centers.

For more on trends in automotive security, read our article on the Kaspersky ICS CERT website.