Infostealers Weekly Report: 2025-01-06 – 2025-01-13
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 387
- #2 Indonesia 281
- #3 Brazil 217
- #4 Vietnam 207
- #5 Philippines 130
- #6 Pakistan 117
- #7 Thailand 99
- #8 Egypt 88
- #9 Turkey 73
- #10 South Africa 66
- #11 Mexico 64
- #12 Bangladesh 63
- #13 Argentina 62
- #14 Algeria 51
- #15 Morocco 48
- #16 Colombia 47
- #17 Peru 47
- #18 Malaysia 35
- #19 Sri Lanka 34
- #20 Portugal 28
- #21 Chile 28
- #22 Ecuador 27
- #23 Nigeria 25
- #24 Romania 25
- #25 Nepal 24
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 3,814 users
- #2 facebook.com 3,142 users
- #3 live.com 2,642 users
- #4 com.facebook.katana 1,604 users
- #5 instagram.com 1,597 users
- #6 discord.com 1,363 users
- #7 netflix.com 1,323 users
- #8 roblox.com 1,133 users
- #9 com.instagram.android 1,114 users
- #10 amazon.com 1,071 users
- #11 com.netflix.mediaclient 971 users
- #12 twitter.com 920 users
- #13 steampowered.com 902 users
- #14 apple.com 859 users
- #15 microsoftonline.com 827 users
- #16 spotify.com 757 users
- #17 paypal.com 750 users
- #18 192.168.1.1 712 users
- #19 linkedin.com 699 users
- #20 mega.nz 684 users
- #21 com.roblox.client 657 users
- #22 com.spotify.music 652 users
- #23 com.discord 645 users
- #24 com.pinterest 645 users
- #25 t.me 624 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 icicibank.com 30 employees
- #2 rediff.com 23 employees
- #3 hostinger.com 20 employees
- #4 mail.tm 14 employees
- #5 deped.gov.ph 11 employees
- #6 bobibanking.com 10 employees
- #7 buenosaires.gob.ar 10 employees
- #8 rockwellautomation.com 10 employees
- #9 santander.com.br 10 employees
- #10 web-hosting.com 10 employees
- #11 algerietelecom.dz 9 employees
- #12 kpu.go.id 9 employees
- #13 wakanow.com 9 employees
- #14 kemenag.go.id 9 employees
- #15 bluehost.com 8 employees
- #16 konsoleh.co.za 8 employees
- #17 infomerics.com 8 employees
- #18 mweb.co.za 8 employees
- #19 hostgator.com.br 8 employees
- #20 netpnb.com 7 employees
- #21 atlassian.com 7 employees
- #22 klikbca.com 7 employees
- #23 secureserver.net 6 employees
- #24 pertamina.com 6 employees
- #25 adira.co.id 6 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 rockwellautomation.com 10 employees
- #2 cognizant.com 4 employees
- #3 harman.com 2 employees
- #4 microsoft.com 2 employees
- #5 gm.com 1 employee
- #6 xerox.com 1 employee
- #7 qualcomm.com 1 employee
- #8 ibm.com 1 employee
Compromised users
- #1 google.com 3,814 users
- #2 facebook.com 3,142 users
- #3 netflix.com 1,323 users
- #4 amazon.com 1,071 users
- #5 apple.com 859 users
- #6 paypal.com 750 users
- #7 ebay.com 147 users
- #8 microsoft.com 122 users
- #9 oracle.com 92 users
- #10 hp.com 89 users
- #11 cisco.com 74 users
- #12 nike.com 70 users
- #13 ibm.com 43 users
- #14 intel.com 38 users
- #15 walmart.com 28 users
- #16 ups.com 23 users
- #17 westernunion.com 23 users
- #18 fedex.com 18 users
- #19 broadcom.com 14 users
- #20 adp.com 13 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 (app name missing) 1,604 users
- #2 (app name missing) 1,114 users
- #3 Netflix 971 users
- #4 Roblox 657 users
- #5 Spotify 652 users
- #6 Discord 645 users
- #7 (app name missing) 645 users
- #8 (app name missing) 446 users
- #9 Snapchat 445 users
- #10 Twitch 393 users
- #11 Wish 293 users
- #12 PayPal 283 users
- #13 Zoom 250 users
- #14 Mega 234 users
- #15 (app name missing) 183 users
- #16 Xiaomi 170 users
- #17 Mercadolibre 151 users
- #18 Disney 138 users
- #19 Alibaba 137 users
- #20 Waze 133 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond: the email providers seen across this week's stealer logs.
- #1 gmail.com 158,151 users
- #2 hotmail.com 11,430 users
- #3 yahoo.com 6,243 users
- #4 outlook.com 3,353 users
- #5 live.com 991 users
- #6 icloud.com 777 users
- #7 yahoo.com.br 483 users
- #8 yahoo.co.id 367 users
- #9 hotmail.fr 283 users
- #10 ymail.com 283 users
- #11 hotmail.com.br 257 users
- #12 yahoo.co.in 235 users
- #13 mail.com 199 users
- #14 me.com 185 users
- #15 yahoo.fr 176 users
- #16 yahoo.com.ar 173 users
- #17 msn.com 172 users
- #18 aol.com 82 users
- #19 protonmail.com 64 users
- #20 proton.me 63 users
- #21 email.com 63 users
- #22 hanmail.net 61 users
- #23 hotmail.com.ar 60 users
- #24 yahoo.co.uk 54 users
- #25 hotmail.es 48 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Lumma 4,011 machines
- #2 Generic Stealer 1,504 machines
- #3 StealC 225 machines
Anti-virus Coverage
- #1 Windows Defender 2,750 machines
- #2 Windows Defender [ON] 525 machines
- #3 None 226 machines
- #4 Reason Cybersecurity 91 machines
- #5 Quick Heal Total Security 16 machines
- #6 Reason Cybersecurity [OFF] 11 machines
- #7 Malwarebytes [OFF] 10 machines
- #8 ESET Security 10 machines
- #9 Avast Antivirus 8 machines
- #10 360 Total Security 7 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs: auth, sso, vpn, and more.
- #1 auth 15,196 hits
- #2 sso 3,973 hits
- #3 zoom 1,351 hits
- #4 github 855 hits
- #5 webmail 578 hits
- #6 adfs 339 hits
- #7 owa 315 hits
- #8 sap 244 hits
- #9 zendesk 236 hits
- #10 vpn 201 hits
- #11 imap 183 hits
- #12 oracle 177 hits
- #13 cpanel 145 hits
- #14 ping 139 hits
- #15 sts 110 hits
- #16 okta 106 hits
- #17 kaspersky 85 hits
- #18 roundcube 73 hits
- #19 st 72 hits
- #20 twilio 63 hits
- #21 extranet 61 hits
- #22 webex 49 hits
- #23 ftp 43 hits
- #24 gitlab 30 hits
- #25 salesforce 21 hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.