
HPE Corporation (NYSE: HPE) today unveiled the results of its first cyber threat research report, "In The Wild," which highlights a major shift in how modern cyber adversaries operate at scale across various global industries and critical public sectors.
The report is based on HPE's analysis of actual threat activity monitored globally in 2025. It reveals that cybercrime is now managed much like an organized industrial process: attackers use automation and exploit known vulnerabilities to carry out large-scale attacks and penetrate high-value targets repeatedly, faster than defenders can respond. For organizations, the ability to effectively counter these aggressive attack campaigns and maintain digital trust within their networks has become a primary priority.
The report shows that the global cyber threat environment is becoming large-scale, organized, and agile. Based on an online analysis of 1,186 active threat campaigns monitored around the world between January 1 and December 31, 2025, the results reveal a rapidly evolving attacker ecosystem characterized by professionalism, automation, and strategic targeting, using repeatable infrastructure and legacy security vulnerabilities to target high-value sectors with precision.
Commenting on the report, Mounir Hahad, Head of HPE Threat Labs, explained that the "In the Wild" report "reflects the reality that organizations face on a daily basis. The research is based on real threat activities rather than theoretical testing in tight laboratory environments, where it monitors the actions of attackers during their active campaigns, how they adapted, and the reasons for their success.
"These first-hand observations and insights contribute to enhanced detection and defense capabilities, and give customers clearer insight into potential threats affecting their data and architecture infrastructure and their operations. This means stronger security, a faster response, and greater resilience to increasingly organized and ongoing attacks."
Large-scale infrastructure fuels modern threat campaigns
This first-of-its-kind report shows that HPE Threat Labs has observed a significant increase in the volume of attacks and an evolution in the methods and techniques used by cyber adversaries. These adversaries include state-linked entities that conduct cyberespionage as well as organized cybercrime networks, which now run their operations like large corporations. They use hierarchical command structures, specialized teams, and rapid coordination to deploy large-scale attack infrastructure in an organized, industrial manner, with a deep understanding of applications and documentation commonly used within work environments.
The results show that government organizations were the most targeted sector globally, with 274 attack campaigns targeting federal, regional, and municipal entities, followed by the finance and technology sectors, which recorded 211 and 179 attacks, respectively, reflecting the attackers' continued focus on valuable data and financial gain. Defense, manufacturing, communications, healthcare, and education institutions have also been subjected to intense attacks. Taken together, these findings suggest that attackers are strategically focusing on sectors related to national infrastructure, sensitive data, and economic stability, but they also confirm that no sector is immune from these attacks.
Over the course of the year, cyber adversaries deployed more than 147,000 malicious campaigns, nearly 58,000 malware files, and actively exploited 549 vulnerabilities. This professionalization of cybercrime makes attacks more predictable in terms of execution, but at the same time harder to disrupt, because dismantling one component of the process often does not stop the campaign altogether.
Automation and AI tools accelerate the pace and impact of attacks
Attackers have adopted new techniques to increase the speed and impact of attacks. Some operations used an automated "assembly line" workflow across platforms such as Telegram to exfiltrate stolen data in real time. Others exploited generative AI to produce synthetic voices and deepfake videos for use in video phishing attacks (voice phishing) and impersonation of executives. One extortion gang conducted market research on VPN vulnerabilities to improve its hacking strategy.
These tactics allowed attackers to move faster, reach a greater number of targets, and focus their efforts on sectors related to national infrastructure, sensitive data, and economic stability. By streamlining operations and focusing on high-value targets, attackers were able to achieve financial gains more efficiently by tracking the sources of funds.
Practical Steps to Enhance Cyber Resilience
The report emphasizes that effective defense does not primarily depend on adding new tools, but on improving network coordination, visibility and response. Organizations can take the following steps to improve their security posture:
• Break down silos by sharing threat information between teams, customers, and industries, while using Secure Access Service Edge (SASE) approaches to unify networking and security and detect attack patterns early.
• Fix common entry points such as VPNs, sharing points, and peripherals to reduce risk and close routes frequently exploited by attackers.
• Apply "zero trust" principles to strengthen authentication and reduce lateral movement, by continuously verifying users and devices before granting access.
• Enhance visibility and response through the use of threat intelligence, deception techniques, and AI-powered detection systems, helping organizations detect, analyze, and respond to attacks more quickly and accurately.
• Extend security beyond the corporate perimeter to include home networks, third-party tools, and supply chain environments.
Together, these steps help organizations move faster, reduce risk, and enhance their ability to respond to ever-growing threats.