Weekly intelligence Sep 30 – Oct 7, 2024 12 min read

Infostealers Weekly Report: 2024-09-30 – 2024-10-07

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 6,651 Compromised Machines

#2 1,439 Compromised Employees

#3 1,893 Compromised Users

#4 3,319 Compromised Androids

#5 83,311 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 159

Infections by country

Top 25 countries

#1 India 489
#2 Brazil 374
#3 Pakistan 298
#4 Egypt 276
#5 Indonesia 276
#6 Vietnam 275
#7 Thailand 187
#8 Philippines 187
#9 Turkey 185
#10 Argentina 144
#11 Mexico 142
#12 Bangladesh 125
#13 Colombia 117
#14 Algeria 117
#15 Morocco 112
#16 Peru 112
#17 Nigeria 94
#18 Venezuela 87
#19 South Korea 81
#20 South Africa 72
#21 Chile 69
#22 Kenya 57
#23 Spain 56
#24 Iraq 55
#25 Saudi Arabia 46

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 4,459 users
#2 facebook.com 3,830 users
#3 live.com 3,344 users
#4 instagram.com 1,811 users
#5 com.facebook.katana 1,743 users
#6 netflix.com 1,600 users
#7 discord.com 1,557 users
#8 amazon.com 1,309 users
#9 twitter.com 1,196 users
#10 roblox.com 1,187 users
#11 com.instagram.android 1,177 users
#12 steampowered.com 1,155 users
#13 com.netflix.mediaclient 1,131 users
#14 microsoftonline.com 1,112 users
#15 192.168.1.1 1,110 users
#16 paypal.com 1,082 users
#17 apple.com 1,024 users
#18 linkedin.com 1,013 users
#19 mega.nz 1,006 users
#20 spotify.com 874 users
#21 yahoo.com 824 users
#22 zoom.us 773 users
#23 192.168.0.1 732 users
#24 epicgames.com 729 users
#25 twitch.tv 681 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 hostinger.com 30 employees
#2 icicibank.com 25 employees
#3 qq.com 22 employees
#4 naver.com 19 employees
#5 wp.pl 19 employees
#6 rediff.com 19 employees
#7 aruba.it 14 employees
#8 alxswe.com 13 employees
#9 watchit.com 11 employees
#10 unionbankonline.co.in 11 employees
#11 tim.it 11 employees
#12 atlassian.com 11 employees
#13 iastate.edu 10 employees
#14 zuel.edu.cn 10 employees
#15 gzife.edu.cn 10 employees
#16 sina.com.cn 10 employees
#17 abv.bg 9 employees
#18 ovh.net 9 employees
#19 buenosaires.gob.ar 9 employees
#20 skole.hr 8 employees
#21 butterflystore.local 8 employees
#22 indusind.com 8 employees
#23 deped.gov.ph 8 employees
#24 rockwellautomation.com 7 employees
#25 banquemisr.com 7 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 rockwellautomation.com 7 employees
#2 microsoft.com 5 employees
#3 cbre.com 4 employees
#4 jacobs.com 3 employees
#5 cognizant.com 2 employees
#6 apple.com 1 employees
#7 newmont.com 1 employees
#8 verizon.com 1 employees

Compromised users

#1 google.com 4,459 users
#2 facebook.com 3,830 users
#3 netflix.com 1,600 users
#4 amazon.com 1,309 users
#5 paypal.com 1,082 users
#6 apple.com 1,024 users
#7 ebay.com 219 users
#8 hp.com 171 users
#9 oracle.com 151 users
#10 microsoft.com 140 users
#11 nike.com 125 users
#12 cisco.com 110 users
#13 ibm.com 75 users
#14 westernunion.com 49 users
#15 salesforce.com 39 users
#16 walmart.com 39 users
#17 ups.com 34 users
#18 intel.com 31 users
#19 bankofamerica.com 17 users
#20 costco.com 15 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

1,743 users

Instagram

instagram.com · com.instagram.android

1,177 users

Netflix

netflix.com · com.netflix.mediaclient

1,131 users

Roblox

roblox.com · com.roblox.client

674 users

Discord

discord.com · com.discord

643 users

Spotify

spotify.com · com.spotify.music

602 users

Twitter

twitter.com · com.twitter.android

558 users

Twitch

app.com · tv.twitch.android.app

513 users

Snapchat

snapchat.com · com.snapchat.android

508 users

#10

PayPal

paypal.com · com.paypal.android.p2pmobile

330 users

#11

Mega

app.com · mega.privacy.android.app

300 users

#12

Zoom

videomeetings.com · us.zoom.videomeetings

295 users

#13

pinterest.com · com.pinterest

291 users

#14

Wish

contextlogic.com · com.contextlogic.wish

280 users

#15

linkedin.com · com.linkedin.android

280 users

#16

Disney

disney.com · com.disney.disneyplus

236 users

#17

Xiaomi

xiaomi.com · com.xiaomi.account

227 users

#18

Mercadolibre

mercadolibre.com · com.mercadolibre

215 users

#19

Alibaba

alibaba.com · com.alibaba.aliexpresshd

194 users

#20

Waze

waze.com · com.waze

161 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 172,047 users
#2 hotmail.com 19,535 users
#3 yahoo.com 7,079 users
#4 outlook.com 3,984 users
#5 icloud.com 1,116 users
#6 live.com 953 users
#7 msn.com 868 users
#8 hotmail.es 588 users
#9 yahoo.fr 583 users
#10 laposte.net 569 users
#11 hotmail.co.uk 522 users
#12 ya.ru 406 users
#13 yahoo.co.in 373 users
#14 mail.ru 365 users
#15 hanmail.net 319 users
#16 yahoo.com.br 286 users
#17 rocketmail.com 281 users
#18 free.fr 245 users
#19 yahoo.com.ar 218 users
#20 hotmail.fr 194 users
#21 yahoo.co.id 194 users
#22 me.com 193 users
#23 hotmail.be 191 users
#24 yandex.com 187 users
#25 mail.com 177 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 StealC 3,277machines
#2 RedLine 1,800machines
#3 Lumma 1,482machines
#4 Generic Stealer 92machines

Anti-virus Coverage

#1 Windows Defender 2,731machines
#2 Reason Cybersecurity 265machines
#3 Windows Defender [ON] 154machines
#4 Avast Antivirus 100machines
#5 360 Total Security 59machines
#6 None 57machines
#7 McAfee 32machines
#8 Kaspersky 22machines
#9 Kaspersky Internet Security 18machines
#10 ESET Security 17machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 17,122hits
#2 sso 4,456hits
#3 zoom 1,691hits
#4 github 976hits
#5 webmail 793hits
#6 adfs 467hits
#7 sap 423hits
#8 oracle 384hits
#9 owa 307hits
#10 zendesk 277hits
#11 cpanel 227hits
#12 vpn 193hits
#13 kaspersky 191hits
#14 ftp 177hits
#15 ping 163hits
#16 sts 148hits
#17 st 114hits
#18 webex 94hits
#19 roundcube 86hits
#20 imap 75hits
#21 salesforce 71hits
#22 okta 65hits
#23 extranet 64hits
#24 twilio 43hits
#25 gitlab 34hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

May 4 → May 11, 2026 12 min

Infostealers Weekly Report: 2026-05-04 – 2026-05-11

16K machines
4K users
200K domains

View report →

Infostealers Weekly Report: 2024-09-30 – 2024-10-07

Where infections came from

Where users had active sessions

Employees caught in the logs