Government institutions were the most heavily targeted sector in 2025, according to newly published research from HPE Threat Labs, which documented 1,186 active cyberattack campaigns throughout the year. The dataset reflects activity tracked between January 1 and December 31, 2025, and spans a wide range of industries and attack techniques, offering a broad view of how threat actors are operating at scale.
Out of all industries analyzed, government bodies accounted for the largest share, with 274 recorded campaigns. The financial services sector followed with 211, while technology companies experienced 179 campaigns. Defense-related organizations were targeted in 98 cases, and manufacturing entities saw 75. Telecommunications and healthcare sectors each registered 63 campaigns, while education and transportation sectors reported 61 incidents each. The distribution shows a clear trend: attackers are prioritizing sectors responsible for sensitive information, essential services, and large operational systems.
Researchers also observed a growing reliance on automation and artificial intelligence to accelerate cyber operations. Some threat groups have adopted highly organized workflows resembling production lines, enabling faster execution of attacks. These operations are often coordinated through platforms such as Telegram, where attackers can manage tasks and extract compromised data in real time.
In addition to automation, generative artificial intelligence is being actively used to enhance social engineering techniques. Cybercriminals are now creating synthetic voice recordings and deepfake videos to carry out vishing attacks and impersonate senior executives with greater credibility. In one identified case, an extortion group conducted detailed research into vulnerabilities in virtual private networks, allowing them to refine and improve their methods of gaining unauthorized access.
When examining the types of threats, ransomware emerged as the most prevalent, making up 22 percent of all campaigns. Infostealer malware followed at 19 percent, with phishing attacks accounting for 17 percent. Remote Access Trojans represented 11 percent, while other forms of malware comprised 9 percent of the total activity.
The scale of malicious infrastructure uncovered during the analysis further underscores the intensity of the threat environment. Investigators identified 147,087 harmful domains and 65,464 malicious URLs. In addition, 57,956 malicious files and 47,760 IP addresses were linked to cybercriminal operations. Over the course of the year, attackers exploited 549 distinct software vulnerabilities.
Insights from a global deception network revealed 44.5 million connection attempts originating from 372,800 unique IP addresses. Among these, 36,600 requests matched known attack signatures and were traced to 8,200 distinct source IPs targeting five specific destination systems.
A closer examination of attack patterns shows that cybercriminals frequently focus on exposed systems and known weaknesses. Remote code execution vulnerabilities in digital video recorders were triggered approximately 4,700 times. Exploitation attempts targeting Huawei routers were observed 3,490 times, while misuse of Docker application programming interfaces occurred in about 3,400 cases.
Other commonly exploited weaknesses included command injection vulnerabilities in PHPUnit and TP-Link systems, each recorded around 3,100 times. Printer-related enumeration attacks using Internet Printing Protocol, along with Realtek UPnP exploitation, were each observed roughly 2,700 times.
The vulnerabilities most frequently targeted during these campaigns included CVE-2017-17215, CVE-2023-1389, CVE-2014-8361, CVE-2017-9841, and CVE-2023-26801, all of which have been widely documented and continue to be exploited in systems that remain unpatched.
Beyond the raw data, the findings reflect a dynamic development in cybercrime. Attackers are combining automation, artificial intelligence, and well-known vulnerabilities to increase both the speed and scale of their operations. This shift reduces the time required to identify targets, exploit weaknesses, and generate impact, making modern cyberattacks more efficient and harder to contain.
The report points to the crucial need for organizations to strengthen their defenses by continuously monitoring systems, addressing known vulnerabilities, and adapting to rapidly evolving threat techniques. As attackers continue to refine their methods, proactive security measures are becoming essential to limit exposure and reduce risk across all sectors.
