Cybercriminals are embracing the playbook of large global enterprises, scaling their operations with automation, sophisticated tooling and industrialized infrastructure to launch faster, broader attacks than ever before. That is the central warning of In the Wild, the inaugural global cyberthreat report released today by HPE Threat Labs.
Drawing on analysis of 1,186 active threat campaigns observed throughout 2025, the report reveals a rapidly professionalizing adversary ecosystem—one defined by hierarchy, division of labor, repeatable attack infrastructure and a deep understanding of commonly used enterprise technologies. The data shows that cybercrime has “gone industrial,” with attackers exploiting long-standing vulnerabilities to repeatedly compromise high-value targets at speed.
“In the Wild gives us a real-time window into how attackers operate—not hypothetical behavior, but what’s actually happening across live campaigns.”
— Mounir Hahad, Head of HPE Threat Labs, HPE
According to HPE Threat Labs, government agencies were the most targeted sector globally, facing 274 coordinated campaigns across federal, state and municipal bodies. Financial institutions and technology companies followed, with 211 and 179 campaigns respectively, underscoring cyber adversaries’ strategic focus on sectors tied to national infrastructure, sensitive data and economic stability. Manufacturing, telecom, healthcare, education and defense organizations also faced intense pressure.
The scale of malicious activity was striking: more than 147,000 malicious domains, nearly 58,000 malware files, and 549 exploited vulnerabilities were documented across the year. HPE notes that dismantling any single component—such as a domain or server—rarely disrupts the full campaign, as modern cybercriminal operations are built with redundancy and resilience in mind.
“Attackers today operate with the discipline, speed and scale of global enterprises. Defending against them requires the same rigor.”
— David Hughes, SVP & GM, SASE and Security for Networking, HPE
Attackers also accelerated their operations with automation and AI. Some groups used “assembly-line” data theft workflows over Telegram, while others deployed generative AI to create synthetic voices and deepfake videos for targeted vishing and impersonation attacks. One extortion gang even performed structured “market research” on VPN vulnerabilities before choosing its targets.
In response to this escalating landscape, HPE has launched HPE Threat Labs, combining deep security expertise from HPE and Juniper Networks to deliver real-world threat intelligence directly into HPE’s security products.
The HPE Threat Labs 2026 In the Wild Threat Report is now available for CISOs and security leaders seeking practical insights into how modern attackers operate—and how to strengthen resilience against them.