HPE warns of a new era of industrialized cyberattacks in its “In the Wild” report

HPE has announced the results of its first global cybersecurity report, “In the Wild”, revealing a significant shift in how cyberattackers operate on an international scale, especially in critical industrial sectors and public utilities.

The report, based on actual activity detected by HPE systems throughout 2025, confirms that cybercrime has entered a phase of industrialization. Attackers are combining automated techniques with the exploitation of old yet still unpatched vulnerabilities, enabling them to expand their operations, compromise critical assets, and maintain constant pressure on organizations. This scenario compels companies to strengthen their digital strategy and position cybersecurity as a key pillar of their business.

The study analyzes a total of 1,186 active campaigns, describing an environment characterized by speed, organization, and sophistication. According to the report, cybercrime groups are increasingly functioning like true professional entities: reusing infrastructures, automating attacks, and selecting strategic targets with increasingly precise approaches.

“‘In the Wild’ shows what is really happening in the day-to-day operations of organizations,” explains Mounir Hahad, head of HPE Threat Labs. “Our research focuses on real threats, not simulations. We analyze how attackers behave in live campaigns, how their tactics evolve, and what is working for them. This data improves detection, strengthens defenses, and gives our clients a clear view of the most probable threats. Ultimately, it helps them become more agile and resilient against increasingly organized attacks.”

Industrial-scale infrastructure drives current threat campaigns

As outlined in this first report, HPE Threat Labs has observed increases in both attack volume and the sophistication of the tactics and techniques used. Threat actors include state-linked espionage groups and organized cybercrime groups that operate with a level of organization comparable to large corporations: they adopt hierarchical structures, specialized teams, and agile coordination mechanisms to deploy broad, industrialized attack infrastructures, and they demonstrate deep knowledge of the common applications and documents used in workplace environments.

The public sector was the most targeted globally, with 274 campaigns directed at federal, state, and municipal agencies. Close behind were the financial and technology sectors, with 211 and 179 campaigns, respectively, reflecting attackers’ sustained interest in high-value data and profit. There was also high activity against defense organizations, manufacturing, telecommunications, healthcare, and education. Collectively, these figures highlight that attackers strategically prioritize sectors linked to critical infrastructure, sensitive information, and economic stability, though no sector is entirely exempt from risk.

Throughout the year, threat actors deployed over 147,000 malicious domains, nearly 58,000 malware files, and actively exploited 549 vulnerabilities. This level of cybercrime professionalism makes attacks more predictable in execution but also harder to interrupt, as dismantling a single component rarely halts the entire operation.

Automation and AI tools accelerate attack speed and impact

Attackers have also adopted new techniques to gain speed and efficiency. Some operations use automated workflows, akin to an assembly line, leveraging platforms like Telegram to exfiltrate stolen data in real time. Others utilize generative AI to create synthetic voices and deepfake videos for targeted fraud, such as vishing or executive impersonation. Additionally, a specialized extortion group conducted market analysis on VPN vulnerabilities to optimize their intrusion strategies.

These tactics enable attackers to act more quickly, expand their reach, and focus efforts on critical sectors. By optimizing operations and prioritizing high-value targets, they maximize economic gains more efficiently, strategically following the flow of money.

Practical measures to enhance cyber resilience

The report emphasizes that effective defense depends less on adding new tools and more on improving coordination, visibility, and response capabilities across the network. In this regard, organizations should adopt the following measures to strengthen security:

  • Eliminate silos by sharing threat intelligence among internal teams, clients, and industries, supporting a SASE (Secure Access Service Edge) approach that unifies networking and security to detect attack patterns earlier.
  • Patch common entry points such as VPNs, SharePoint, or endpoint devices to reduce exposure and close frequently exploited access routes.
  • Apply zero trust principles to reinforce authentication and limit lateral movement, using solutions like ZTNA (Zero Trust Network Access) that continuously verify users and devices before granting access.
  • Improve visibility and response capabilities through threat intelligence, deception technologies, and AI-native detection, enabling faster and more accurate attack identification, analysis, and mitigation.
  • Extend security beyond the corporate perimeter to include home networks, third-party tools, and supply chain environments.

Together, these measures help organizations act more nimbly, reduce risks, and bolster their defenses against increasingly organized and persistent threats.

HPE Threat Labs raises the bar for network defense

Building on a solid track record in research, HPE has launched HPE Threat Labs to address a constantly evolving threat landscape. By integrating top-tier security talent and intelligence from HPE and Juniper Networks, HPE Threat Labs combines deep specialized knowledge and significantly increases the volume of data available to identify and track real threats. This integration directly feeds into HPE solutions, providing the necessary intelligence to detect and block malicious attacks more effectively.

“HPE Threat Labs was created to connect advanced research with real-world security applications,” says David Hughes, SVP & GM of SASE and Security for Networking at HPE. “The ‘In the Wild’ report demonstrates that current attackers operate with the discipline, scale, and efficiency typical of large global organizations. Combating them requires the same level of strategy, integration, and operational rigor. By bringing threat intelligence into our products, HPE Threat Labs helps organizations reduce risks, minimize attack impacts, and protect the vital systems their businesses depend on.”
