Infostealers Weekly Report: 2024-02-26 – 2024-03-04
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 Pakistan 1,325
- #2 Brazil 1,185
- #3 Argentina 1,050
- #4 India 910
- #5 Turkey 890
- #6 Peru 881
- #7 Egypt 832
- #8 Indonesia 819
- #9 Philippines 811
- #10 Colombia 807
- #11 Mexico 756
- #12 Algeria 695
- #13 Vietnam 610
- #14 Thailand 600
- #15 Bangladesh 560
- #16 Chile 470
- #17 Venezuela 422
- #18 Morocco 401
- #19 Ecuador 388
- #20 Malaysia 316
- #21 Saudi Arabia 316
- #22 Sri Lanka 294
- #23 Spain 283
- #24 Bolivia 280
- #25 Iraq 254
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 30,543 users
- #2 facebook.com 28,038 users
- #3 live.com 25,532 users
- #4 com.facebook.katana 14,608 users
- #5 instagram.com 13,755 users
- #6 netflix.com 12,221 users
- #7 discord.com 11,668 users
- #8 roblox.com 10,406 users
- #9 amazon.com 9,779 users
- #10 com.netflix.mediaclient 9,637 users
- #11 com.instagram.android 9,426 users
- #12 twitter.com 9,295 users
- #13 steampowered.com 9,261 users
- #14 microsoftonline.com 7,834 users
- #15 mega.nz 7,687 users
- #16 paypal.com 7,504 users
- #17 apple.com 6,650 users
- #18 com.roblox.client 6,603 users
- #19 192.168.1.1 6,564 users
- #20 twitch.tv 6,395 users
- #21 linkedin.com 6,389 users
- #22 spotify.com 6,260 users
- #23 epicgames.com 5,931 users
- #24 riotgames.com 5,867 users
- #25 com.spotify.music 5,824 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 secop.gov.co 143 employees
- #2 hostinger.com 132 employees
- #3 buenosaires.gob.ar 86 employees
- #4 icicibank.com 85 employees
- #5 laureate.net 78 employees
- #6 rediff.com 77 employees
- #7 watchit.com 64 employees
- #8 163.com 58 employees
- #9 aiep.cl 56 employees
- #10 wp.pl 54 employees
- #11 upc.edu.pe 52 employees
- #12 bluehost.com 51 employees
- #13 banquemisr.com 50 employees
- #14 sat.gob.mx 50 employees
- #15 rockwellautomation.com 50 employees
- #16 inacap.cl 49 employees
- #17 utp.edu.pe 48 employees
- #18 telecom.pt 48 employees
- #19 secureserver.net 46 employees
- #20 jwpub.org 45 employees
- #21 deped.gov.ph 45 employees
- #22 naver.com 43 employees
- #23 sempreser.com.br 41 employees
- #24 concentrix.com 41 employees
- #25 o2.pl 40 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 rockwellautomation.com 50 employees
- #2 microsoft.com 36 employees
- #3 netflix.com 23 employees
- #4 ibm.com 13 employees
- #5 starwoodhotels.com 7 employees
- #6 bestbuy.com 5 employees
- #7 hp.com 5 employees
- #8 cbre.com 5 employees
- #9 intel.com 5 employees
- #10 google.com 4 employees
- #11 jll.com 4 employees
- #12 halliburton.com 4 employees
- #13 ingrammicro.com 4 employees
- #14 paypal.com 4 employees
- #15 duke-energy.com 4 employees
- #16 wrberkley.com 3 employees
- #17 csc.com 3 employees
- #18 ups.com 2 employees
- #19 frontier.com 2 employees
- #20 publix.com 1 employee
Compromised users
- #1 google.com 30,543 users
- #2 facebook.com 28,038 users
- #3 netflix.com 12,221 users
- #4 amazon.com 9,779 users
- #5 paypal.com 7,504 users
- #6 apple.com 6,650 users
- #7 ebay.com 1,395 users
- #8 microsoft.com 1,087 users
- #9 oracle.com 964 users
- #10 hp.com 951 users
- #11 cisco.com 826 users
- #12 nike.com 623 users
- #13 ibm.com 353 users
- #14 westernunion.com 232 users
- #15 ups.com 217 users
- #16 walmart.com 211 users
- #17 intel.com 198 users
- #18 fedex.com 196 users
- #19 adp.com 120 users
- #20 westerndigital.com 103 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 14,608 users
- Netflix 9,637 users
- 9,426 users
- Roblox 6,603 users
- Spotify 5,824 users
- Discord 5,769 users
- Twitch 4,703 users
- 4,136 users
- 4,133 users
- Snapchat 3,837 users
- Wish 2,759 users
- Disney 2,637 users
- PayPal 2,548 users
- Zoom 2,450 users
- Mercadolibre 2,356 users
- Mega 2,163 users
- 1,905 users
- Waze 1,603 users
- Xiaomi 1,538 users
- Alibaba 1,438 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 1,112,705 users
- #2 hotmail.com 168,004 users
- #3 yahoo.com 44,546 users
- #4 outlook.com 36,959 users
- #5 icloud.com 6,261 users
- #6 live.com 5,056 users
- #7 msn.com 3,387 users
- #8 yahoo.fr 3,123 users
- #9 mail.ru 2,583 users
- #10 hotmail.fr 2,366 users
- #11 hotmail.es 2,300 users
- #12 yahoo.com.ar 2,197 users
- #13 sfr.fr 1,370 users
- #14 hotmail.com.ar 1,311 users
- #15 yahoo.com.br 1,259 users
- #16 protonmail.com 1,217 users
- #17 ymail.com 1,209 users
- #18 web.de 1,157 users
- #19 yahoo.co.id 1,142 users
- #20 libero.it 1,028 users
- #21 mail.com 1,001 users
- #22 yahoo.com.mx 928 users
- #23 hotmail.it 902 users
- #24 yahoo.de 868 users
- #25 hanmail.net 726 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 RedLine 23,185 machines
- #2 Generic Stealer 12,667 machines
- #3 Lumma 10,580 machines
Anti-virus Coverage
- #1 Windows Defender 21,465 machines
- #2 360 Total Security 1,016 machines
- #3 Avast Antivirus 773 machines
- #4 Reason Cybersecurity 710 machines
- #5 McAfee Firewall 323 machines
- #6 McAfee VirusScan 272 machines
- #7 McAfee 248 machines
- #8 ESET Security 237 machines
- #9 Kaspersky 161 machines
- #10 Kaspersky Internet Security 149 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 114,102 hits
- #2 sso 29,449 hits
- #3 zoom 10,689 hits
- #4 github 5,180 hits
- #5 webmail 4,285 hits
- #6 adfs 3,342 hits
- #7 sap 2,293 hits
- #8 owa 1,986 hits
- #9 oracle 1,868 hits
- #10 zendesk 1,580 hits
- #11 ping 1,281 hits
- #12 vpn 1,234 hits
- #13 kaspersky 1,091 hits
- #14 imap 1,074 hits
- #15 cpanel 1,056 hits
- #16 sts 858 hits
- #17 webex 801 hits
- #18 extranet 735 hits
- #19 ftp 697 hits
- #20 roundcube 675 hits
- #21 st 597 hits
- #22 okta 479 hits
- #23 twilio 236 hits
- #24 git 216 hits
- #25 salesforce 210 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.