Cybercrime that runs like a multinational corporation

by Black Hat Middle East and Africa

We just read a new threat report from HPE, and the numbers are substantial. More than 1,100 active threat campaigns were analysed across 2025, spanning every major sector and region. Behind those campaigns is an ecosystem of more than 147,000 malicious domains, nearly 58,000 malware files, and 549 exploited vulnerabilities.

That scale alone would be enough to make us pause. But what really grabbed us is how those operations are run. 

Threat actors operate with defined roles, specialised functions, and repeatable workflows. The report describes structures that resemble corporate hierarchies, complete with coordination layers and task ownership.

One data-stealing campaign illustrates this clearly. Malware collected credentials and files from infected systems, then pushed them automatically into private Telegram channels. From there, data was processed and monetised in real time, following a pipeline that mirrors a production system. 

Execution is getting increasingly systematic. 

Targeting follows value

The distribution of attacks shows clear prioritisation. Government organisations faced 274 campaigns in 2025 (the highest volume recorded). Financial services and technology followed with 211 and 179 campaigns respectively. 

These sectors hold sensitive data, critical infrastructure, and direct economic value. Attackers are aligning effort with return.

The composition of campaigns reinforces that strategy. Ransomware accounts for 22% of activity, infostealers for 19%, and phishing for 17%. Each category supports monetisation, data extraction, or access expansion.

This is targeted activity with defined outcomes.

Operations are built for efficiency

Telemetry from HPE’s deception network shows us just how efficiently these campaigns run. Across 2025, 44.5 million connection attempts were recorded from 372,800 unique IPs. Within that volume, 36,600 requests matched known attack signatures and originated from just 8,200 IP addresses targeting five destinations.

The concentration is worth noting. A relatively small set of infrastructure delivers repeated, focused activity against specific targets.

Attack techniques follow the same pattern. High-frequency exploits include:

  • 4,700 DVR remote code execution attempts
  • 3,490 router exploits
  • 3,400 Docker API abuses
  • 2,700 printer and UPnP reconnaissance attempts

These are reliable attack paths. 
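The concentration figures above come from aggregating honeypot telemetry by source and destination. As an added illustration that is not HPE's tooling or data, the Python below runs simple signature matching over constructed connection-log lines and reports how few sources and destinations account for the signature hits; the log format and the two signature patterns (Docker API abuse, UPnP/SSDP reconnaissance) are assumptions.

```python
import re
from collections import Counter

# Constructed honeypot log lines (not real telemetry): "<src_ip> <dst_ip> <request>"
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 POST /v1.41/containers/create
198.51.100.7 203.0.113.10 POST /v1.41/containers/create
198.51.100.7 203.0.113.11 GET /v1.41/containers/json
192.0.2.45 203.0.113.10 M-SEARCH * HTTP/1.1
192.0.2.45 203.0.113.12 M-SEARCH * HTTP/1.1
192.0.2.200 203.0.113.10 GET /index.html
192.0.2.201 203.0.113.10 GET /
192.0.2.202 203.0.113.11 GET /favicon.ico
"""

# Illustrative signatures for two of the high-frequency categories the report
# names: unauthenticated Docker API calls and UPnP/SSDP discovery probes.
SIGNATURES = {
    "docker_api": re.compile(r"^(POST|GET) /v\d+\.\d+/containers/"),
    "upnp_recon": re.compile(r"^M-SEARCH \*"),
}

def parse(log_text):
    """Yield (src_ip, dst_ip, request) tuples from the assumed log format."""
    for line in log_text.splitlines():
        src, dst, request = line.split(" ", 2)
        yield src, dst, request

def match_signature(request):
    """Return the first matching signature name, or None for benign traffic."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None

def concentration(log_text):
    """Summarise volume versus the attacking subset, as the report does."""
    total, all_ips, targets = 0, set(), set()
    hits, by_sig = Counter(), Counter()   # per-source hits, per-signature hits
    for src, dst, req in parse(log_text):
        total += 1
        all_ips.add(src)
        sig = match_signature(req)
        if sig:
            hits[src] += 1
            targets.add(dst)
            by_sig[sig] += 1
    return {"connections": total, "unique_ips": len(all_ips),
            "signature_hits": sum(hits.values()), "attacking_ips": len(hits),
            "targets": len(targets), "by_signature": dict(by_sig),
            "top_sources": hits.most_common(3)}
```

On the constructed sample, five of eight connections match a signature, and those five come from two of five source addresses against three destinations, the same shape as the report's 36,600 matches from 8,200 addresses against five destinations.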

Old vulnerabilities, new discipline

Many of the most exploited vulnerabilities mentioned in the report date back several years. Examples include:

  • Huawei router flaws
  • Realtek UPnP issues
  • PHPUnit remote code execution vulnerabilities

These weaknesses are still effective because patching gaps persist.

At the same time, attackers continue to rely on weak credentials and familiar malware families. Emotet and similar strains retain a presence due to modular design and evasion techniques.

The underlying issue here is execution, not awareness. 

AI is accelerating the model

With generative AI now very much part of the operational toolkit, threat actors are using synthetic voice and deepfake video to support impersonation and fraud. These techniques enable real-time interaction with targets, which increases the effectiveness of social engineering campaigns. 

And this is happening alongside more traditional preparation. Ransomware groups have been observed researching VPN configurations before launching attacks, tailoring their methods to each environment.

The combination of automation and preparation increases both speed and success rate.

A global infrastructure with local impact

Much like the operations of a multinational corporation, the infrastructure behind these campaigns is distributed and adaptable.

The United States, Seychelles, and China lead in source IP activity, with Seychelles standing out due to the presence of bulletproof hosting providers. 

This reinforces the reality that attack infrastructure is no longer tied to geography in any meaningful way. It can be provisioned, relocated, and scaled with minimal friction – so defensive assumptions based on location are less and less relevant. 

For CISOs, there are a few key takeaways here: 

  • Prioritise patching and credential hygiene across all exposed systems
  • Focus on high-frequency attack paths such as routers, APIs, and embedded devices
  • Treat threat actors as organised operators with repeatable processes

The tools are familiar, and the vulnerabilities are often known. The difference today lies in how attacks are organised and refined over time.

And that discipline turns individual exploits into sustained campaigns.
