HPE: Cyber Adversaries Adopting Industrial-Scale Operations to Accelerate Attacks

New analysis of 2025 threat activity highlights how attackers are scaling campaigns, targeting high-value sectors and exploiting persistent vulnerabilities faster than defenders can respond.
March 17, 2026

A new report from Hewlett Packard Enterprise points to a significant shift in how cyber adversaries operate, with attackers increasingly adopting business-like models to scale and accelerate campaigns across industries.

The inaugural “In the Wild” threat report is based on analysis of live global threat activity throughout 2025. It concludes that cybercrime has become more industrialized, with adversaries using automation, repeatable infrastructure and long-standing vulnerabilities to compromise targets more quickly than defenders can respond.

According to the report, HPE analyzed 1,186 active threat campaigns observed between Jan. 1 and Dec. 31, 2025. The findings highlight an ecosystem defined by scale, organization and speed, where attackers demonstrate increasing professionalism and strategic targeting.

Mounir Hahad, head of HPE Threat Labs, said the research reflects real-world attacker behavior rather than controlled testing environments, offering insight into how adversaries adapt and where they are finding success.

Government, finance and technology sectors most targeted

The report identifies government organizations as the most frequently targeted sector, accounting for 274 campaigns spanning federal, state and municipal entities. Finance and technology followed with 211 and 179 campaigns, respectively, underscoring continued focus on high-value data and financial gain.

Other sectors facing sustained targeting included defense, manufacturing, telecommunications, healthcare and education. The findings suggest attackers are prioritizing industries tied to national infrastructure, sensitive data and economic stability, while reinforcing that no sector is immune.

Over the course of 2025, threat actors deployed more than 147,000 malicious domains and nearly 58,000 malware files, while exploiting 549 vulnerabilities.

Automation and AI shaping modern attack strategies

The report also details how attackers are using automation and artificial intelligence to increase both speed and impact. Some operations used automated workflows on platforms such as Telegram to exfiltrate stolen data in real time, while others leveraged generative AI to create synthetic voices and deepfake videos for impersonation and fraud campaigns.

In one example, an extortion group conducted market research on virtual private network vulnerabilities to refine its intrusion approach.

These methods allow threat actors to expand their reach and focus on high-value targets, effectively “following the money” while improving operational efficiency, according to the report.

Emphasis on coordination and visibility in defense strategies

Rather than relying solely on additional tools, the report emphasizes improving coordination, visibility and response across networks as key to strengthening cyber resilience.

Recommended measures include sharing threat intelligence across teams and industries, patching commonly exploited systems such as VPNs and edge devices, applying zero trust principles and improving detection capabilities through AI-driven tools and threat intelligence.

The report also highlights the importance of extending security measures beyond corporate networks to include home environments, third-party tools and supply chains.

Launch of HPE Threat Labs

The report coincides with the launch of HPE Threat Labs, which brings together security research and intelligence capabilities from HPE and Juniper Networks.

David Hughes, senior vice president and general manager of SASE and Security for Networking at HPE, said the initiative is intended to bridge the gap between research and operational security outcomes by integrating threat intelligence directly into products.
