HPE has launched HPE Threat Labs and published its first cyberthreat research report, based on analysis of 1,186 active threat campaigns observed worldwide through 2025.
The findings suggest threat actors are organising their operations like large businesses, using structured teams, automation and repeatable processes to scale attacks across sectors.
Government was the most targeted sector, with 274 campaigns recorded over the year. Finance followed with 211 campaigns and technology with 179, while defence, manufacturing, telecommunications, healthcare and education also faced sustained activity.
The report also outlines the scale of the infrastructure behind these campaigns. Over the year, threat actors deployed more than 147,000 malicious domains and nearly 58,000 malware files, and exploited 549 vulnerabilities.
That volume reflects a shift towards more standardised and resilient criminal operations. Rather than relying on isolated attacks, groups are using broader systems that can continue operating even when parts of their infrastructure are taken down.
AI And Automation
One of the report’s more notable trends is the use of generative AI in fraud and social engineering. Attackers are using synthetic voices and deepfake video to imitate executives in targeted scams, including video phishing and impersonation fraud.
Some groups also used automated Telegram workflows to move stolen data in real time. In another example, an extortion gang carried out market research on virtual private network vulnerabilities to refine its intrusion methods.
These methods suggest attackers are not only increasing volume but also improving the speed and coordination of campaigns. The report describes an adversary landscape marked by organisation, specialisation and a focus on targets tied to public infrastructure, sensitive information and financial returns.
Mounir Hahad, head of HPE Threat Labs, said the research was based on observed attacks rather than simulations. “In the Wild reflects the reality organizations face every day,” Hahad said. “Our research is grounded in real-world threat activity, not theoretical tests in controlled lab scenarios. It captures how attackers behave in active campaigns, how they adapt, and where they are finding success. These first-hand observations and insights help sharpen detection, strengthen defenses, and give customers a clearer view of the threats most likely to impact their data, infrastructure, and operations. That means stronger security, faster response, and greater resilience in the face of increasingly organized and persistent attacks.”
Research Unit
HPE Threat Labs combines security research teams and intelligence from HPE and Juniper Networks. The unit is designed to track threats in live environments and feed that intelligence into HPE’s security products.
The methodology described in the report relies mainly on telemetry from Juniper Advanced Threat Prevention Cloud customers and a private network of honeypots distributed globally. Those systems include TCP, SSH and SMB variants designed to capture a range of threat activity, with additional context from open-source repositories and selected industry associations.
The launch comes as cybersecurity vendors seek to show closer links between threat intelligence and product development. For HPE, the creation of a unified threat research unit also reflects the broader integration of Juniper assets and expertise into its networking and security business.
David Hughes, SVP and GM of SASE and Security for Networking at HPE, linked that move to the changing shape of cybercrime. “HPE Threat Labs was created to bridge the gap between cutting-edge research and real-world security outcomes,” Hughes said. “The In the Wild report shows that today’s attackers operate with the discipline, scale, and efficiency of global enterprises, and defending against them requires the same level of strategy, integration, and operational rigor. By translating threat intelligence into our products, HPE Threat Labs is helping organizations reduce risk, limit disruption, and protect the systems their businesses depend on.”
Defensive Steps
The report says companies should focus less on adding tools and more on coordination, visibility and response. It highlights intelligence sharing across teams and industries, patching common entry points such as VPNs, SharePoint and edge devices, and using zero-trust approaches to limit lateral movement inside networks.
It also recommends broader coverage beyond the traditional corporate perimeter, including home networks, third-party software and supply chain environments. The report argues that attacks now move across a wider set of connected systems, making gaps in oversight more consequential.
The findings portray cybercrime as increasingly methodical. Government, finance and technology may be the most frequent targets in HPE’s data, but the spread across other sectors suggests the industrialisation of attack methods is no longer confined to a narrow group of high-profile victims.
