SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

HPE report warns cyberattacks now run like big business

Wed, 18th Mar 2026

HPE has launched a new threat research unit and published its first global report on live cyberattack activity, arguing that adversaries are increasingly running campaigns with the structure and repeatability of large businesses.

The report, called In the Wild, draws on threat activity observed during 2025 and covers 1,186 active campaigns. It describes an attack environment shaped by scale, organisation and speed. Defenders often face repeated exploitation of long-standing vulnerabilities, with attackers moving faster than incident response teams can contain them.

Scale and targeting

Government organisations were the most targeted sector in the dataset, with 274 campaigns spanning federal, state and municipal bodies. Finance followed with 211 campaigns, and technology recorded 179. The report also identifies heavy targeting across defence, manufacturing, telecommunications, healthcare and education.

The figures suggest broad sector coverage rather than narrow specialisation. Government and other critical services remain persistent targets because of their proximity to national infrastructure and sensitive data. Attackers also continued to pursue financial returns through sectors that process payments, manage identity data, or support business operations at scale.

Over the year, HPE Threat Labs recorded more than 147,000 malicious domains and nearly 58,000 malware files, and tracked active exploitation of 549 vulnerabilities. The report describes a pattern in which taking down one part of an operation does not necessarily end a campaign, because attackers reuse infrastructure and methods across multiple targets.

HPE frames this as a shift in operating model rather than a single technique. Campaigns increasingly rely on repeatable workflows, specialised roles within threat groups, and rapid coordination. The report also points to a focus on commonly used workplace applications and document formats, which can make fraudulent messages appear routine inside an organisation.

Automation and deepfakes

The report highlights the use of automation in exfiltration and operational management. Some groups used "assembly line" workflows across platforms such as Telegram to move stolen data in real time. It also describes an extortion group using market research (studying virtual private network vulnerabilities) to guide intrusion planning.

Another theme is the use of generative AI in social engineering. Attackers used synthetic voices, images and videos in targeted impersonation fraud. The report flags video phishing and executive impersonation as areas where deepfakes can increase the credibility of scams and reduce the time needed to tailor lures.

"In the Wild reflects the reality organisations face every day," said Mounir Hahad, Head of HPE Threat Labs at HPE.

"Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success. These first-hand observations and insights help sharpen detection, strengthen defences, and give customers a clearer view of the threats most likely to impact their data, infrastructure, and operations. That means stronger security, faster response, and greater resilience in the face of increasingly organised and persistent attacks."

Defensive priorities

The report argues that defensive performance depends as much on execution across teams as on security tooling. It calls for tighter coordination and improved network visibility, and recommends sharing threat intelligence internally and with partners and industry peers. It also points to secure access service edge as an architectural approach that unifies networking and security controls under a single policy framework.

Patch management remains a continuing gap, with VPNs, SharePoint and edge devices cited as common entry points. The report recommends applying zero trust principles, with continuous checks on users and devices before access is granted. It also highlights threat intelligence, deception technologies and AI-native detection as ways to speed analysis and response.

Supply chain exposure and remote working environments also feature in the guidance. The report recommends extending security controls beyond the corporate perimeter and increasing scrutiny of third-party tools and home networks, which can provide indirect routes into enterprise systems.

New research unit

Alongside the report, HPE has formed HPE Threat Labs by combining security research and intelligence resources from HPE and Juniper Networks. The unit will use telemetry and research data to track threats and inform security products.

"HPE Threat Labs was created to bridge the gap between cutting-edge research and real-world security outcomes," said David Hughes, SVP & GM, SASE and Security for Networking at HPE.

"The In the Wild report shows that today's attackers operate with the discipline, scale, and efficiency of global enterprises, and defending against them requires the same level of strategy, integration, and operational rigor," Hughes said.

HPE says the report is aimed at CISOs, security leaders and IT decision-makers who want a clearer view of attacker operations and effective defensive responses. It also plans further publications from HPE Threat Labs based on ongoing observation of live campaigns.