HPE Threat Labs Report Reveals Cyber Adversaries Are Morphing Their Business Model to Scale and Accelerate Attacks
- Cyber adversaries adopt business-like models to target every major sector, HPE finds
- Generative AI used to produce synthetic voices, images and videos for targeted impersonation fraud campaigns
- World-class network threat research expertise and experience brought together in new HPE Threat Labs
HPE (NYSE:HPE) today unveiled the results of its inaugural cyberthreat research report, In the Wild, showing a striking shift in how modern cyber adversaries operate at scale across global industries and critical public sectors. Based on HPE's analysis of live threat activity observed globally throughout 2025, the report shows that cybercrime has gone industrial, with attackers using automation and long-standing vulnerabilities to scale campaigns and repeatedly compromise high-value targets faster than defenders can respond. For enterprises, the ability to overcome these aggressive threat campaigns effectively and retain digital trust within their networks is a fundamental business priority.
The report shows a global cyber threat environment defined by scale, organization and speed. Based on analysis of 1,186 active threat campaigns observed worldwide between January 1 and December 31, 2025, the findings reveal a rapidly evolving adversary ecosystem marked by professionalism, automation and strategic targeting, with attackers using repeatable infrastructure and long-standing vulnerabilities to target high-value sectors with precision.
"In the Wild reflects the reality organizations face every day," said Mounir Hahad, Head of HPE Threat Labs, HPE. "Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success. These first-hand observations and insights help sharpen detection, strengthen defenses, and give customers a clearer view of the threats most likely to impact their data, infrastructure, and operations. That means stronger security, faster response, and greater resilience in the face of increasingly organized and persistent attacks."
Industrial-scale infrastructure fuels modern threat campaigns
As this inaugural report shows, HPE Threat Labs observed an increase in both the volume of attacks and the sophistication of adversary tactics and techniques. Threat actors, including nation-state-linked espionage groups and organized cybercrime operations, increasingly ran their operations like large enterprises, using hierarchical command structures, specialized teams, rapid coordination to deploy expansive and industrialized attack infrastructures, and a deep understanding of commonly used workforce applications and documents.
Government organizations were the most targeted sector globally, accounting for 274 campaigns spanning federal, state and municipal bodies. The finance and technology sectors followed closely, with 211 and 179 campaigns, respectively, reflecting attackers' sustained focus on high-value data and financial gain. Defense, manufacturing, telecommunications, healthcare and education organizations were also heavily targeted. Together, these findings underscore that attackers are strategically prioritizing sectors tied to national infrastructure, sensitive data and economic stability, but reinforce that no sector is immune.
Over the course of the year, threat actors deployed more than 147,000 malicious domains, nearly 58,000 malware files, and actively exploited 549 vulnerabilities. This professionalization of cybercrime makes attacks more predictable in execution, yet harder to disrupt, as dismantling one component of an operation rarely stops the broader campaign.
Automation and AI tools accelerate attacker speed and impact
Attackers also adopted new techniques to increase speed and impact. Some operations used automated "assembly line" workflows over platforms like Telegram to exfiltrate stolen data in real time. Others leveraged generative AI to produce synthetic voices and deepfake videos for targeted video-phishing (vishing) and executive impersonation fraud, while an extortion gang did market research on virtual private network (VPN) vulnerabilities to optimize its intrusion strategy.
These tactics allowed threat actors to move faster, reach more targets and concentrate efforts on sectors tied to national infrastructure, critical data and economic stability. By streamlining operations and prioritizing high-value targets, threat actors were able to pursue financial gain with greater efficiency by strategically "following the money."
Practical steps to strengthen cyber resilience
The report underscores that effective defense depends less on adding tools and more on improving coordination, visibility, and response across the network. Organizations can take the following steps to improve their security posture:
- Break down silos by sharing threat intelligence across corporate teams, customers, and industries, while using a secure access service edge (SASE) approach to unify networking and security and surface attack patterns earlier.
- Patch common entry points such as VPNs, SharePoint, and edge devices to reduce exposure and shut down frequently exploited paths into the network.
- Apply zero trust principles to strengthen authentication and limit lateral movement, with zero trust network access (ZTNA) continuously verifying users and devices before granting access.
- Improve visibility and response with threat intelligence, deception technologies, and AI-native detection, helping organizations detect, analyze, and respond to attacks with greater speed and accuracy.
- Extend security beyond the corporate perimeter to home networks, third-party tools, and supply chain environments.
Together, these steps can help organizations move faster, reduce risk, and better defend against increasingly organized and persistent threats.
Combined HPE Threat Labs raises the bar for network defense
Building upon long-standing expertise, HPE has launched HPE Threat Labs to address this evolving threat environment. By uniting the world-class security research talent and intelligence from HPE and Juniper Networks, HPE Threat Labs brings together deep expertise and creates an even more extensive data pool to identify and track real-world threats, directly informing HPE products with the threat intelligence needed to detect and block malicious attacks effectively.
"HPE Threat Labs was created to bridge the gap between cutting-edge research and real-world security outcomes," said David Hughes, SVP & GM, SASE and Security for Networking, HPE. "The In the Wild report shows that today's attackers operate with the discipline, scale, and efficiency of global enterprises, and defending against them requires the same level of strategy, integration, and operational rigor. By translating threat intelligence into our products, HPE Threat Labs is helping organizations reduce risk, limit disruption, and protect the systems their businesses depend on."
The HPE Threat Labs 2026 In the Wild Threat Report is available now and is intended for CISOs, security leaders, and IT decision-makers seeking to understand how modern attackers operate and how to stop them. Explore the HPE showcase during RSA Conference 2026, March 23–26, at booth #1255, South Hall, Moscone Center.
Methodology
HPE Threat Labs compiled the findings in the HPE Threat Labs 2026 In the Wild Threat Report using multiple intelligence sources. The majority of statistical data is derived from the Juniper Advanced Threat Prevention Cloud customer telemetry and a private global network of honeypots. These honeypots, including TCP, SSH, and SMB variants, are distributed worldwide to capture diverse threat activity. Where appropriate, the research is supplemented with contextual data and statistics from open-source threat intelligence repositories and select third-party industry associations. The data presented in this report covers the period from January 1, 2025, through December 31, 2025.
Recent HPE News:
- HPE unveils new AI-driven security and advanced data protection innovations at Black Hat USA 2025
- HPE Networking Instant On Secure Gateway brings robust enterprise-grade security to small and medium businesses
- Hewlett Packard Enterprise redefines cloud-based security with expansive solutions for zero trust networking and private cloud operations
About HPE
HPE (NYSE:HPE) is a leader in essential enterprise technology, bringing together the power of AI, cloud, and networking to help organizations achieve more. As pioneers of possibility, our innovation and expertise advance the way people live and work. We empower our customers across industries to optimize operational performance, transform data into foresight, and maximize their impact. Unlock your boldest ambitions with HPE. Discover more at www.hpe.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260317429570/en/
Media Contacts:
Kelsey Akerson