Infostealers Weekly Report: 2024-12-16 – 2024-12-23
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 Philippines 369
- #2 Vietnam 348
- #3 Brazil 324
- #4 Indonesia 280
- #5 India 274
- #6 Thailand 175
- #7 Turkey 125
- #8 Peru 124
- #9 Pakistan 123
- #10 Mexico 116
- #11 Malaysia 92
- #12 Egypt 89
- #13 South Africa 86
- #14 United States of America 82
- #15 Nigeria 68
- #16 Bangladesh 67
- #17 Colombia 63
- #18 Argentina 61
- #19 Morocco 59
- #20 Australia 54
- #21 South Korea 48
- #22 Poland 40
- #23 Algeria 38
- #24 Romania 37
- #25 Tunisia 36
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 3,468 users
- #2 facebook.com 2,956 users
- #3 live.com 2,680 users
- #4 roblox.com 1,749 users
- #5 discord.com 1,713 users
- #6 com.facebook.katana 1,616 users
- #7 instagram.com 1,610 users
- #8 netflix.com 1,411 users
- #9 com.netflix.mediaclient 1,079 users
- #10 steampowered.com 1,057 users
- #11 com.instagram.android 1,042 users
- #12 amazon.com 1,009 users
- #13 twitter.com 992 users
- #14 com.roblox.client 990 users
- #15 microsoftonline.com 920 users
- #16 riotgames.com 882 users
- #17 spotify.com 881 users
- #18 twitch.tv 828 users
- #19 paypal.com 821 users
- #20 apple.com 801 users
- #21 com.discord 783 users
- #22 epicgames.com 751 users
- #23 com.pinterest 746 users
- #24 com.spotify.music 701 users
- #25 steamcommunity.com 672 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 16 employees
- #2 deped.gov.ph 16 employees
- #3 rediff.com 11 employees
- #4 icicibank.com 10 employees
- #5 wp.pl 9 employees
- #6 firstmail.ltd 9 employees
- #7 det.nsw.edu.au 8 employees
- #8 alxswe.com 8 employees
- #9 naver.com 8 employees
- #10 163.com 7 employees
- #11 utp.edu.pe 7 employees
- #12 britanico.edu.pe 7 employees
- #13 hbtn.io 6 employees
- #14 abv.bg 6 employees
- #15 sempreser.com.br 6 employees
- #16 qq.com 6 employees
- #17 gdt.gov.vn 5 employees
- #18 globo.com 5 employees
- #19 buenosaires.gob.ar 5 employees
- #20 mail.gov.in 5 employees
- #21 aruba.it 5 employees
- #22 mail.tm 5 employees
- #23 laureate.net 5 employees
- #24 titan.email 4 employees
- #25 ionos.fr 4 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 hp.com 3 employees
- #2 rockwellautomation.com 3 employees
- #3 jnj.com 2 employees
- #4 microsoft.com 2 employees
- #5 gm.com 1 employee
- #6 cognizant.com 1 employee
- #7 google.com 1 employee
- #8 ibm.com 1 employee
- #9 xerox.com 1 employee
- #10 publix.com 1 employee
Compromised users
- #1 google.com 3,468 users
- #2 facebook.com 2,956 users
- #3 netflix.com 1,411 users
- #4 amazon.com 1,009 users
- #5 paypal.com 821 users
- #6 apple.com 801 users
- #7 ebay.com 143 users
- #8 oracle.com 100 users
- #9 hp.com 97 users
- #10 microsoft.com 97 users
- #11 nike.com 93 users
- #12 cisco.com 72 users
- #13 ibm.com 40 users
- #14 walmart.com 35 users
- #15 intel.com 28 users
- #16 bestbuy.com 23 users
- #17 ups.com 22 users
- #18 westernunion.com 19 users
- #19 broadcom.com 18 users
- #20 adp.com 18 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 (app name not shown on page) 1,616 users
- #2 Netflix 1,079 users
- #3 (app name not shown on page) 1,042 users
- #4 Roblox 990 users
- #5 Discord 783 users
- #6 (app name not shown on page) 746 users
- #7 Spotify 701 users
- #8 Twitch 510 users
- #9 (app name not shown on page) 500 users
- #10 Snapchat 424 users
- #11 Wish 303 users
- #12 PayPal 286 users
- #13 Zoom 249 users
- #14 Mega 232 users
- #15 (app name not shown on page) 189 users
- #16 Xiaomi 173 users
- #17 Disney 160 users
- #18 Mercadolibre 137 users
- #19 Waze 116 users
- #20 Alibaba 116 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 140,267 users
- #2 hotmail.com 12,897 users
- #3 yahoo.com 6,413 users
- #4 outlook.com 4,618 users
- #5 icloud.com 1,091 users
- #6 yahoo.com.br 542 users
- #7 live.com 376 users
- #8 msn.com 342 users
- #9 aol.com 320 users
- #10 yahoo.com.ar 283 users
- #11 laposte.net 203 users
- #12 mail.com 190 users
- #13 ymail.com 184 users
- #14 me.com 152 users
- #15 yahoo.co.id 149 users
- #16 yahoo.co.uk 148 users
- #17 hotmail.es 147 users
- #18 rocketmail.com 146 users
- #19 yahoo.com.ph 129 users
- #20 web.de 114 users
- #21 mail.ru 111 users
- #22 yandex.com 110 users
- #23 yahoo.it 94 users
- #24 yahoo.fr 94 users
- #25 hotmail.fr 82 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Lumma 4,109 machines
- #2 Generic Stealer 580 machines
- #3 StealC 431 machines
Anti-virus Coverage
- #1 Windows Defender 2,737 machines
- #2 Windows Defender [ON] 480 machines
- #3 Reason Cybersecurity 185 machines
- #4 None 160 machines
- #5 Reason Cybersecurity [OFF] 14 machines
- #6 360 Total Security 10 machines
- #7 Norton Security Ultra 9 machines
- #8 ESET Security 9 machines
- #9 Quick Heal Total Security 7 machines
- #10 ESET NOD32 Antivirus 8.0 6 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 14,682 hits
- #2 sso 3,801 hits
- #3 zoom 1,292 hits
- #4 github 792 hits
- #5 webmail 338 hits
- #6 adfs 334 hits
- #7 zendesk 231 hits
- #8 oracle 210 hits
- #9 vpn 157 hits
- #10 ping 151 hits
- #11 owa 148 hits
- #12 sap 119 hits
- #13 sts 118 hits
- #14 cpanel 103 hits
- #15 kaspersky 69 hits
- #16 extranet 64 hits
- #17 webex 62 hits
- #18 okta 58 hits
- #19 roundcube 45 hits
- #20 gitlab 43 hits
- #21 imap 36 hits
- #22 twilio 35 hits
- #23 st 34 hits
- #24 ftp 31 hits
- #25 jira 29 hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.