HPE report finds cybercrime operations scaling with enterprise-like precision
HPE report shows cybercrime campaigns scaling through automation, AI tools and enterprise-like operations in 2025.
HPE has released its inaugural In the Wild threat report, outlining how cyber adversaries are operating at scale with increasing organisation and speed. The findings are based on analysis of 1,186 active threat campaigns observed globally between 1 January and 31 December 2025.
The report points to a shift in how attacks are structured and executed. Threat actors are using automation, repeatable infrastructure and long-standing vulnerabilities to run campaigns more efficiently, allowing them to target high-value organisations faster than many defenders can respond.
Campaign scale and sector targeting
Government organisations were the most frequently targeted, with 274 campaigns recorded across federal, state and municipal bodies. The finance and technology sectors followed with 211 and 179 campaigns respectively, reflecting sustained interest in sensitive data and financial gain.
Other sectors including defence, manufacturing, telecommunications, healthcare and education also faced significant activity. The distribution indicates that attackers are concentrating on areas tied to national infrastructure and economic systems, while maintaining broad coverage across industries.
Across these campaigns, threat actors deployed more than 147,000 malicious domains, nearly 58,000 malware files, and exploited 549 vulnerabilities. Many of these vulnerabilities were not new, highlighting continued reliance on known entry points.
HPE noted that these operations are increasingly structured. Adversaries, including nation-state-linked groups and organised cybercrime networks, are running coordinated campaigns using specialised teams and shared infrastructure, allowing techniques to be reused across targets.
Automation and AI in attack workflows
The report also identifies changes in how attacks are executed. Some threat actors are using automated workflows to extract and distribute stolen data in real time, including systems built on messaging platforms.
Generative AI has also been adopted to support social engineering tactics. Attackers are producing synthetic voices and deepfake videos for impersonation fraud, including video-phishing and executive targeting.
In one example, an extortion group conducted targeted research into virtual private network vulnerabilities before launching attacks. This approach allowed them to refine intrusion strategies and improve success rates.
These methods increase both speed and reach. By streamlining processes and focusing on high-value targets, threat actors are able to conduct more campaigns with greater efficiency.
Persistent weaknesses and entry points
Despite the scale and sophistication of attacks, the report highlights that many breaches still rely on common weaknesses. Attackers continue to exploit known vulnerabilities in widely used systems such as VPNs, SharePoint and edge devices.
The data also shows continued reliance on weak credentials and poorly secured access points. Malware families such as Dynamer, Eldorado, Variant and Emotet remain active, indicating that established threats continue to be effective.
In addition, the report notes that attack infrastructure is globally distributed. Telemetry shows high volumes of activity originating from countries including the United States, Seychelles and China; the presence of certain regions is linked to hosting environments that facilitate malicious activity.
HPE consolidates threat research capabilities
Alongside the report, HPE has introduced HPE Threat Labs, combining security research and intelligence capabilities from HPE and Juniper Networks. The unit is intended to consolidate threat visibility and feed intelligence directly into HPE’s security products.
“In the Wild reflects the reality organisations face every day,” said Mounir Hahad, Head of HPE Threat Labs, HPE. “Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success.”
HPE said the report is aimed at CISOs, security leaders and IT decision-makers seeking a clearer view of current threat activity and defensive priorities.
Focus on coordination and response
The report states that improving security outcomes depends less on adding new tools and more on coordination and visibility across systems. Recommended steps include sharing threat intelligence across teams, patching common entry points, applying zero trust principles and extending security controls beyond corporate networks.
It also highlights the need for faster detection and response through threat intelligence, deception technologies and AI-based systems.
The findings are based on data from HPE Threat Labs, including telemetry from the Juniper Advanced Threat Prevention Cloud and a global network of honeypots, covering activity observed throughout 2025.





