HPE Threat Labs Report Reveals Cyber Adversaries Are Morphing Their Business Model to Scale and Accelerate Attacks

Key Terms

generative ai technical
Generative AI is a type of computer technology that can create new content, like text, images, or music, on its own. It’s important because it can produce realistic and useful material quickly, which could change how we create art, write stories, or even develop new products. Think of it as a smart robot that can invent and produce things almost like a human.
deepfake technical
A deepfake is an audio or video created or altered by artificial intelligence to make someone appear to say or do things they never did; think of it as a highly convincing digital impersonation. For investors, deepfakes matter because they can trigger sudden swings in a company’s stock, spread false news, enable fraud or insider manipulation, and raise legal or reputation risks that affect a firm's value and regulatory exposure.
secure access service edge (sase) technical
A secure access service edge (SASE) is a cloud-delivered approach that combines networking and cybersecurity into a single service to connect users, devices and branch offices to applications wherever they are. Think of it as replacing separate roads and security checkpoints with one managed highway that both directs traffic and screens travelers; for investors, SASE matters because it can drive predictable subscription revenue, lower operational costs, and reduce security risk for customers.
zero trust technical
Zero trust is a security approach that assumes no one, whether inside or outside an organization, should be automatically trusted. Instead, every access request is carefully verified before being granted, much like checking ID at every door rather than trusting someone just because they are known. For investors, it emphasizes the importance of protecting digital assets and data from potential breaches, reducing overall risk.
honeypots technical
A honeypot is a deliberately placed fake computer system or file designed to lure and catch hackers by imitating real company resources; think of it as a decoy safe that looks valuable so thieves reveal themselves. For investors, honeypots matter because they can help detect breaches early, limit damage and show a company is actively managing cyber risk — all of which affect operational continuity, legal exposure and the firm's reputation.
  • Cyber adversaries adopt business-like models to target every major sector, HPE finds
  • Generative AI used to produce synthetic voices, images and videos for targeted impersonation fraud campaigns
  • World-class network threat research expertise and experience brought together in new HPE Threat Labs

HOUSTON--(BUSINESS WIRE)-- HPE (NYSE: HPE) today unveiled the results of its inaugural cyberthreat research report, In the Wild, showing a striking shift in how modern cyber adversaries operate at scale across global industries and critical public sectors. Based on HPE’s analysis of live threat activity observed globally throughout 2025, the report shows that cybercrime has gone industrial, with attackers using automation and long-standing vulnerabilities to scale campaigns and repeatedly compromise high-value targets faster than defenders can respond. For enterprises, the ability to overcome these aggressive threat campaigns effectively and retain digital trust within their networks is a fundamental business priority.

The report shows a global cyber threat environment defined by scale, organization and speed. Based on the cyber analysis of 1,186 active threat campaigns observed worldwide between January 1 and December 31, 2025, the findings reveal a rapidly evolving adversary ecosystem defined by professionalism, automation and strategic targeting, with attackers using repeatable infrastructure and long-standing vulnerabilities to target high-value sectors with precision.

“In the Wild reflects the reality organizations face every day,” said Mounir Hahad, Head of HPE Threat Labs, HPE. “Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success. These first-hand observations and insights help sharpen detection, strengthen defenses, and give customers a clearer view of the threats most likely to impact their data, infrastructure, and operations. That means stronger security, faster response, and greater resilience in the face of increasingly organized and persistent attacks.”

Industrial-scale infrastructure fuels modern threat campaigns

As this inaugural report shows, HPE Threat Labs observed an increase in both the volume of attacks and the sophistication of adversary tactics and techniques. Threat actors, including nation-state-linked espionage groups and organized cybercrime operations, increasingly ran their operations like large enterprises, using hierarchical command structures, specialized teams, rapid coordination to deploy expansive and industrialized attack infrastructures, and a deep understanding of commonly used workforce applications and documents.

Government organizations were the most targeted sector globally, accounting for 274 campaigns spanning federal, state and municipal bodies. The finance and technology sectors followed closely, with 211 and 179 campaigns, respectively, reflecting attackers’ sustained focus on high-value data and financial gain. Defense, manufacturing, telecommunications, healthcare and education organizations were also heavily targeted. Together, these findings underscore that attackers are strategically prioritizing sectors tied to national infrastructure, sensitive data and economic stability, but reinforce that no sector is immune.

Over the course of the year, threat actors deployed more than 147,000 malicious domains, nearly 58,000 malware files, and actively exploited 549 vulnerabilities. This professionalization of cybercrime makes attacks more predictable in execution, yet harder to disrupt, as dismantling one component of an operation rarely stops the broader campaign.

Automation and AI tools accelerate attacker speed and impact

Attackers also adopted new techniques to increase speed and impact. Some operations used automated “assembly line” workflows over platforms like Telegram to exfiltrate stolen data in real time. Others leveraged generative AI to produce synthetic voices and deepfake videos for targeted video-phishing (vishing) and executive impersonation fraud, while an extortion gang did market research on virtual private network (VPN) vulnerabilities to optimize its intrusion strategy.

These tactics allowed threat actors to move faster, reach more targets and concentrate efforts on sectors tied to national infrastructure, critical data and economic stability. By streamlining operations and prioritizing high-value targets, threat actors were able to pursue financial gain with greater efficiency by strategically “following the money.”

Practical steps to strengthen cyber resilience

The report underscores that effective defense depends less on adding tools and more on improving coordination, visibility, and response across the network. Organizations can take the following steps to improve their security posture:

  • Break down silos by sharing threat intelligence across corporate teams, customers, and industries, while using a secure access service edge (SASE) approach to unify networking and security and surface attack patterns earlier.
  • Patch common entry points such as VPNs, SharePoint, and edge devices to reduce exposure and shut down frequently exploited paths into the network.
  • Apply zero trust principles to strengthen authentication and limit lateral movement, with zero trust network access (ZTNA) continuously verifying users and devices before granting access.
  • Improve visibility and response with threat intelligence, deception technologies, and AI-native detection, helping organizations detect, analyze, and respond to attacks with greater speed and accuracy.
  • Extend security beyond the corporate perimeter to home networks, third-party tools, and supply chain environments.

Together, these steps can help organizations move faster, reduce risk, and better defend against increasingly organized and persistent threats.

Combined HPE Threat Labs raises the bar for network defense

Building upon long-standing expertise, HPE has launched HPE Threat Labs to address this evolving threat environment. By uniting the world-class security research talent and intelligence from HPE and Juniper Networks, HPE Threat Labs brings together deep expertise and creates an even more extensive data pool to identify and track real-world threats, directly informing HPE products with the threat intelligence needed to detect and block malicious attacks efficaciously.

“HPE Threat Labs was created to bridge the gap between cutting-edge research and real-world security outcomes,” said David Hughes, SVP & GM, SASE and Security for Networking, HPE. “The In the Wild report shows that today’s attackers operate with the discipline, scale, and efficiency of global enterprises, and defending against them requires the same level of strategy, integration, and operational rigor. By translating threat intelligence into our products, HPE Threat Labs is helping organizations reduce risk, limit disruption, and protect the systems their businesses depend on.”

The HPE Threat Labs 2026 In the Wild Threat Report is available now and is intended for CISOs, security leaders, and IT decision-makers seeking to understand how modern attackers operate and how to stop them. Explore the HPE showcase during RSA Conference 2026, March 23–26, at booth #1255, South Hall, Moscone Center.

Methodology

HPE Threat Labs compiled the findings in the HPE Threat Labs 2026 In the Wild Threat Report using multiple intelligence sources. The majority of statistical data is derived from the Juniper Advanced Threat Prevention Cloud customer telemetry and a private global network of honeypots. These honeypots, including TCP, SSH, and SMB variants, are distributed worldwide to capture diverse threat activity. Where appropriate, the research is supplemented with contextual data and statistics from open-source threat intelligence repositories and select third-party industry associations. The data presented in this report covers the period from January 1, 2025, through December 31, 2025.

About HPE

HPE (NYSE: HPE) is a leader in essential enterprise technology, bringing together the power of AI, cloud, and networking to help organizations achieve more. As pioneers of possibility, our innovation and expertise advance the way people live and work. We empower our customers across industries to optimize operational performance, transform data into foresight, and maximize their impact. Unlock your boldest ambitions with HPE. Discover more at www.hpe.com.

Media Contacts:

Kelsey Akerson

kelsey.akerson@hpe.com

Source: Hewlett Packard Enterprise
