Weekly intelligence Dec 30 – Jan 6, 2025 11 min read

Infostealers Weekly Report: 2024-12-30 – 2025-01-06

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 4,596 Compromised Machines

#2 897 Compromised Employees

#3 1,186 Compromised Users

#4 2,513 Compromised Androids

#5 56,717 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 130

Infections by country

Top 25 countries

#1 India 346
#2 Brazil 266
#3 Vietnam 253
#4 Indonesia 238
#5 Philippines 100
#6 Pakistan 85
#7 Argentina 78
#8 Turkey 66
#9 Bangladesh 62
#10 United States of America 54
#11 Egypt 53
#12 South Africa 52
#13 Thailand 51
#14 Romania 50
#15 Mexico 35
#16 Portugal 35
#17 Morocco 35
#18 Colombia 34
#19 Chile 33
#20 Sri Lanka 30
#21 Algeria 30
#22 Czechia 29
#23 Malaysia 29
#24 Nepal 29
#25 Kenya 24

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 3,026 users
#2 facebook.com 2,619 users
#3 live.com 2,215 users
#4 instagram.com 1,433 users
#5 com.facebook.katana 1,378 users
#6 discord.com 1,279 users
#7 netflix.com 1,159 users
#8 roblox.com 1,096 users
#9 com.instagram.android 947 users
#10 amazon.com 934 users
#11 steampowered.com 933 users
#12 com.netflix.mediaclient 880 users
#13 twitter.com 807 users
#14 paypal.com 780 users
#15 apple.com 678 users
#16 microsoftonline.com 648 users
#17 linkedin.com 644 users
#18 spotify.com 640 users
#19 com.roblox.client 621 users
#20 riotgames.com 608 users
#21 mega.nz 591 users
#22 com.discord 587 users
#23 epicgames.com 574 users
#24 192.168.1.1 562 users
#25 twitch.tv 540 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 icicibank.com 35 employees
#2 rediff.com 18 employees
#3 kemenag.go.id 14 employees
#4 hostinger.com 14 employees
#5 hostgator.com.br 13 employees
#6 sempreser.com.br 11 employees
#7 unionbankonline.co.in 11 employees
#8 sky.com.br 10 employees
#9 petrobras.com.br 10 employees
#10 bcb.gov.br 9 employees
#11 santander.com.br 8 employees
#12 infomerics.com 8 employees
#13 bobibanking.com 7 employees
#14 bis.edu.iq 7 employees
#15 jlchacha.com 7 employees
#16 bni.co.id 7 employees
#17 aladinbank.id 6 employees
#18 telecom.pt 6 employees
#19 workd.go.th 6 employees
#20 deped.gov.ph 6 employees
#21 rediffmailpro.com 6 employees
#22 ruloans.com 6 employees
#23 web-hosting.com 6 employees
#24 firstmail.ltd 6 employees
#25 woolworths.co.za 6 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 microsoft.com 5 employees
#2 netflix.com 3 employees
#3 honeywell.com 2 employees
#4 oracle.com 1 employees
#5 xerox.com 1 employees
#6 ge.com 1 employees
#7 rockwellautomation.com 1 employees
#8 harman.com 1 employees

Compromised users

#1 google.com 3,026 users
#2 facebook.com 2,619 users
#3 netflix.com 1,159 users
#4 amazon.com 934 users
#5 paypal.com 780 users
#6 apple.com 678 users
#7 ebay.com 138 users
#8 microsoft.com 130 users
#9 oracle.com 108 users
#10 hp.com 85 users
#11 nike.com 84 users
#12 cisco.com 57 users
#13 ibm.com 37 users
#14 walmart.com 28 users
#15 fedex.com 27 users
#16 bestbuy.com 25 users
#17 salesforce.com 25 users
#18 westernunion.com 24 users
#19 ups.com 21 users
#20 adp.com 18 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

1,378 users

Instagram

instagram.com · com.instagram.android

947 users

Netflix

netflix.com · com.netflix.mediaclient

880 users

Roblox

roblox.com · com.roblox.client

621 users

Discord

discord.com · com.discord

587 users

Spotify

spotify.com · com.spotify.music

503 users

pinterest.com · com.pinterest

501 users

Twitter

twitter.com · com.twitter.android

374 users

Snapchat

snapchat.com · com.snapchat.android

361 users

#10

Twitch

app.com · tv.twitch.android.app

336 users

#11

Wish

contextlogic.com · com.contextlogic.wish

262 users

#12

PayPal

paypal.com · com.paypal.android.p2pmobile

249 users

#13

Zoom

videomeetings.com · us.zoom.videomeetings

210 users

#14

linkedin.com · com.linkedin.android

167 users

#15

Mega

app.com · mega.privacy.android.app

166 users

#16

Mercadolibre

mercadolibre.com · com.mercadolibre

158 users

#17

Disney

disney.com · com.disney.disneyplus

149 users

#18

Xiaomi

xiaomi.com · com.xiaomi.account

147 users

#19

Waze

waze.com · com.waze

127 users

#20

Alibaba

alibaba.com · com.alibaba.aliexpresshd

104 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 133,047 users
#2 hotmail.com 11,803 users
#3 yahoo.com 5,363 users
#4 outlook.com 4,322 users
#5 live.com 1,211 users
#6 yahoo.com.br 989 users
#7 icloud.com 793 users
#8 yahoo.co.uk 481 users
#9 yahoo.co.id 444 users
#10 yahoo.fr 303 users
#11 hotmail.com.br 252 users
#12 msn.com 231 users
#13 aol.com 179 users
#14 ymail.com 175 users
#15 mail.com 131 users
#16 yahoo.it 114 users
#17 yahoo.co.in 107 users
#18 yahoo.com.ar 102 users
#19 gmx.de 98 users
#20 proton.me 88 users
#21 yandex.com 65 users
#22 web.de 65 users
#23 protonmail.com 64 users
#24 facebook.com 61 users
#25 email.com 58 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Lumma 2,870machines
#2 Generic Stealer 1,662machines
#3 StealC 64machines

Anti-virus Coverage

#1 Windows Defender 2,035machines
#2 Windows Defender [ON] 339machines
#3 None 184machines
#4 Reason Cybersecurity 89machines
#5 Reason Cybersecurity [OFF] 12machines
#6 Avast Antivirus 10machines
#7 Quick Heal Total Security 9machines
#8 ESET Security 6machines
#9 360 Total Security 5machines
#10 Malwarebytes [OFF] 4machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 13,327hits
#2 sso 3,987hits
#3 zoom 990hits
#4 github 802hits
#5 webmail 397hits
#6 adfs 322hits
#7 sap 220hits
#8 oracle 218hits
#9 zendesk 190hits
#10 owa 170hits
#11 ping 153hits
#12 vpn 145hits
#13 sts 110hits
#14 imap 98hits
#15 cpanel 83hits
#16 salesforce 69hits
#17 kaspersky 55hits
#18 twilio 53hits
#19 webex 52hits
#20 st 51hits
#21 okta 49hits
#22 ftp 42hits
#23 zimbra 39hits
#24 roundcube 34hits
#25 extranet 34hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

Jun 1 → Jun 8, 2026 13 min

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

16K machines
2K users
273K domains

View report →

May 25 → Jun 1, 2026 13 min

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

18K machines
4K users
259K domains

View report →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

Infostealers Weekly Report: 2024-12-30 – 2025-01-06

Where infections came from

Where users had active sessions

Employees caught in the logs