HPE Threat Labs Report Reveals Cyber Adversaries Accelerate Attacks with Industrial-Scale Tactics
Hewlett Packard Enterprise (HPE) has released its inaugural cyberthreat research report, In the Wild, highlighting a significant transformation in the operational methods of cyber adversaries across various global industries and critical public sectors. The report, based on HPE’s analysis of live threat activity observed throughout 2025, indicates that cybercrime has evolved into an industrial-scale operation. Attackers are leveraging automation and exploiting long-standing vulnerabilities to launch campaigns that repeatedly compromise high-value targets, often outpacing defenders’ responses. For enterprises, effectively countering these aggressive threat campaigns and maintaining digital trust is now a critical business priority.
Evolving Cyber Threat Landscape
The report outlines a global cyber threat environment characterized by scale, organization, and speed. An analysis of 1,186 active threat campaigns conducted worldwide from January 1 to December 31, 2025, reveals a rapidly changing adversary ecosystem marked by professionalism, automation, and strategic targeting. Attackers are utilizing repeatable infrastructures and exploiting long-standing vulnerabilities to precisely target high-value sectors.
Mounir Hahad, Head of HPE Threat Labs, stated that In the Wild reflects the daily realities organizations face. The research is based on real-world threat activity rather than theoretical tests, capturing how attackers behave in active campaigns, adapt, and find success. These insights are crucial for sharpening detection, strengthening defenses, and providing customers with a clearer understanding of the threats that could impact their data, infrastructure, and operations.
Industrial-Scale Operations of Cybercriminals
The report highlights a notable increase in both the volume of attacks and the sophistication of tactics employed by adversaries. Threat actors, including nation-state-linked espionage groups and organized cybercrime operations, are increasingly operating like large enterprises. They utilize hierarchical command structures, specialized teams, and rapid coordination to deploy extensive and industrialized attack infrastructures, demonstrating a deep understanding of commonly used workforce applications.
Government organizations emerged as the most targeted sector globally, with 274 campaigns affecting federal, state, and municipal bodies. The finance and technology sectors followed closely, with 211 and 179 campaigns, respectively, underscoring attackers’ sustained focus on high-value data and financial gain. Other heavily targeted sectors included defense, manufacturing, telecommunications, healthcare, and education. The findings indicate that attackers are strategically prioritizing sectors linked to national infrastructure, sensitive data, and economic stability, emphasizing that no sector is immune to these threats.
Throughout the year, threat actors deployed over 147,000 malicious domains, nearly 58,000 malware files, and exploited 549 vulnerabilities. This professionalization of cybercrime renders attacks more predictable in execution yet more challenging to disrupt, as dismantling one component of an operation rarely halts the broader campaign.
Speed and Impact Enhanced by Automation and AI
The report also notes that attackers have adopted new techniques to enhance their speed and impact. Some operations utilized automated “assembly line” workflows via platforms like Telegram to exfiltrate stolen data in real time. Others employed generative AI to create synthetic voices and deepfake videos for targeted video-phishing (vishing) and executive impersonation fraud. Additionally, an extortion gang conducted market research on virtual private network (VPN) vulnerabilities to refine its intrusion strategies.
These tactics enable threat actors to act more swiftly, target a broader range of victims, and focus efforts on sectors critical to national infrastructure and economic stability. By streamlining their operations and prioritizing high-value targets, attackers can pursue financial gain more efficiently by strategically “following the money.”
Strengthening Cyber Resilience
The report emphasizes that effective defense relies less on adding tools and more on enhancing coordination, visibility, and response across networks. Organizations can adopt several strategies to bolster their security posture:
- Break down silos by sharing threat intelligence across corporate teams, customers, and industries, while employing a secure access service edge (SASE) approach to unify networking and security and surface attack patterns earlier.
- Patch common entry points such as VPNs, SharePoint, and edge devices to minimize exposure and eliminate frequently exploited pathways into the network.
- Implement zero trust principles to enhance authentication and restrict lateral movement, with zero trust network access (ZTNA) continuously verifying users and devices before granting access.
- Enhance visibility and response with threat intelligence, deception technologies, and AI-native detection, enabling organizations to detect, analyze, and respond to attacks with greater speed and accuracy.
- Extend security beyond the corporate perimeter to encompass home networks, third-party tools, and supply chain environments.
These measures can assist organizations in moving more swiftly, reducing risk, and improving defenses against increasingly organized and persistent threats.
HPE Threat Labs: Advancing Network Defense
In response to the evolving threat landscape, HPE has established HPE Threat Labs, combining the security research expertise of HPE and Juniper Networks. This initiative aims to create a comprehensive data pool for identifying and tracking real-world threats, directly informing HPE products with the necessary threat intelligence to effectively detect and block malicious attacks.
David Hughes, Senior Vice President and General Manager of SASE and Security for Networking at HPE, noted that HPE Threat Labs was created to bridge the gap between advanced research and practical security outcomes. The In the Wild report illustrates that today’s attackers operate with the discipline, scale, and efficiency of global enterprises, necessitating a similar level of strategy, integration, and operational rigor in defense efforts. By translating threat intelligence into its products, HPE Threat Labs aims to help organizations mitigate risk, limit disruption, and safeguard the systems essential for business operations.
The HPE Threat Labs 2026 In the Wild Threat Report is now available, targeting CISOs, security leaders, and IT decision-makers seeking insights into modern attacker operations and effective countermeasures. The HPE showcase will be featured at booth #1255, South Hall, Moscone Center, during the RSA Conference 2026, scheduled for March 23–26.
Methodology
The findings in the HPE Threat Labs 2026 In the Wild Threat Report were compiled using multiple intelligence sources. Most statistical data is derived from the Juniper Advanced Threat Prevention Cloud customer telemetry and a private global network of honeypots. These honeypots, including TCP, SSH, and SMB variants, are distributed worldwide to capture diverse threat activity. The research is supplemented with contextual data and statistics from open-source threat intelligence repositories and select third-party industry associations. The data presented in this report covers the period from January 1, 2025, through December 31, 2025.
Published on 2026-03-18 11:12:00 • By Editorial Desk

