Weekly intelligence Feb 10 – Feb 17, 2025 11 min read

Infostealers Weekly Report: 2025-02-10 – 2025-02-17

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 3,637 Compromised Machines

#2 755 Compromised Employees

#3 1,003 Compromised Users

#4 1,879 Compromised Androids

#5 51,037 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 118

Infections by country

Top 25 countries

#1 India 228
#2 United States of America 218
#3 Indonesia 177
#4 Brazil 164
#5 Vietnam 139
#6 Argentina 97
#7 Pakistan 79
#8 Philippines 59
#9 Bangladesh 52
#10 Turkey 50
#11 Egypt 49
#12 Thailand 41
#13 South Africa 38
#14 Morocco 29
#15 Mexico 28
#16 South Korea 26
#17 Serbia 25
#18 Algeria 23
#19 Romania 22
#20 Portugal 19
#21 United Arab Emirates 18
#22 Malaysia 18
#23 Kenya 18
#24 Colombia 15
#25 Sri Lanka 14

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 2,410 users
#2 facebook.com 1,947 users
#3 live.com 1,718 users
#4 instagram.com 1,054 users
#5 com.facebook.katana 1,029 users
#6 netflix.com 877 users
#7 discord.com 843 users
#8 amazon.com 802 users
#9 com.instagram.android 730 users
#10 roblox.com 668 users
#11 com.netflix.mediaclient 619 users
#12 apple.com 612 users
#13 paypal.com 581 users
#14 steampowered.com 563 users
#15 twitter.com 563 users
#16 192.168.1.1 531 users
#17 microsoftonline.com 528 users
#18 mega.nz 496 users
#19 linkedin.com 486 users
#20 yahoo.com 461 users
#21 spotify.com 441 users
#22 epicgames.com 428 users
#23 com.roblox.client 426 users
#24 twitch.tv 403 users
#25 com.discord 386 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 icicibank.com 25 employees
#2 rediff.com 20 employees
#3 hostinger.com 18 employees
#4 firstmail.ltd 11 employees
#5 kemenag.go.id 11 employees
#6 buenosaires.gob.ar 10 employees
#7 sts.net.pk 9 employees
#8 qq.com 8 employees
#9 mail.go.id 7 employees
#10 sapo.pt 7 employees
#11 netpnb.com 7 employees
#12 web-hosting.com 6 employees
#13 163.com 6 employees
#14 bobibanking.com 6 employees
#15 icai.org 6 employees
#16 jwpub.org 6 employees
#17 e-ujian.com 6 employees
#18 halobakat.com 6 employees
#19 cashio.co.za 5 employees
#20 wp.pl 5 employees
#21 rwth-aachen.de 5 employees
#22 seznam.cz 5 employees
#23 edunetmail.com 5 employees
#24 mail.tm 5 employees
#25 telecom.pt 5 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 twc.com 2 employees
#2 paypal.com 1 employees
#3 cbre.com 1 employees
#4 microsoft.com 1 employees
#5 citigroup.com 1 employees
#6 netflix.com 1 employees
#7 disney.com 1 employees

Compromised users

#1 google.com 2,410 users
#2 facebook.com 1,947 users
#3 netflix.com 877 users
#4 amazon.com 802 users
#5 apple.com 612 users
#6 paypal.com 581 users
#7 ebay.com 152 users
#8 oracle.com 81 users
#9 hp.com 81 users
#10 walmart.com 63 users
#11 nike.com 58 users
#12 microsoft.com 55 users
#13 cisco.com 41 users
#14 ibm.com 38 users
#15 fedex.com 37 users
#16 ups.com 32 users
#17 adp.com 28 users
#18 bestbuy.com 26 users
#19 target.com 24 users
#20 westernunion.com 23 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

1,029 users

Instagram

instagram.com · com.instagram.android

730 users

Netflix

netflix.com · com.netflix.mediaclient

619 users

Roblox

roblox.com · com.roblox.client

426 users

Discord

discord.com · com.discord

386 users

pinterest.com · com.pinterest

364 users

Spotify

spotify.com · com.spotify.music

353 users

Snapchat

snapchat.com · com.snapchat.android

303 users

Twitch

app.com · tv.twitch.android.app

273 users

#10

Twitter

twitter.com · com.twitter.android

266 users

#11

Wish

contextlogic.com · com.contextlogic.wish

194 users

#12

PayPal

paypal.com · com.paypal.android.p2pmobile

175 users

#13

Zoom

videomeetings.com · us.zoom.videomeetings

174 users

#14

Mega

app.com · mega.privacy.android.app

147 users

#15

Disney

disney.com · com.disney.disneyplus

128 users

#16

linkedin.com · com.linkedin.android

127 users

#17

Xiaomi

xiaomi.com · com.xiaomi.account

126 users

#18

Mercadolibre

mercadolibre.com · com.mercadolibre

120 users

#19

Waze

waze.com · com.waze

86 users

#20

Alibaba

alibaba.com · com.alibaba.aliexpresshd

76 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 106,683 users
#2 hotmail.com 8,375 users
#3 yahoo.com 4,810 users
#4 outlook.com 2,444 users
#5 live.com 902 users
#6 icloud.com 696 users
#7 yahoo.com.br 634 users
#8 aol.com 543 users
#9 yahoo.co.id 308 users
#10 gmx.de 270 users
#11 yeah.net 231 users
#12 yahoo.fr 208 users
#13 web.de 203 users
#14 terra.com.br 132 users
#15 yahoo.co.in 120 users
#16 googlemail.com 117 users
#17 yahoo.co.uk 115 users
#18 mail.com 110 users
#19 ymail.com 107 users
#20 yahoo.com.sg 88 users
#21 email.com 86 users
#22 protonmail.com 82 users
#23 yahoo.com.ar 72 users
#24 hotmail.fr 65 users
#25 proton.me 65 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Lumma 1,819machines
#2 Generic Stealer 1,818machines

Anti-virus Coverage

#1 Windows Defender 1,240machines
#2 Disabled 222machines
#3 Windows Defender [ON] 207machines
#4 None 121machines
#5 Reason Cybersecurity 77machines
#6 Reason Cybersecurity [OFF] 7machines
#7 알약 6machines
#8 Malwarebytes [OFF] 6machines
#9 Quick Heal Total Security 5machines
#10 IObit Malware Fighter 3machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 10,988hits
#2 sso 3,114hits
#3 zoom 814hits
#4 github 537hits
#5 webmail 325hits
#6 adfs 223hits
#7 sap 196hits
#8 zendesk 194hits
#9 oracle 192hits
#10 vpn 109hits
#11 sts 104hits
#12 ping 101hits
#13 owa 100hits
#14 cpanel 86hits
#15 kaspersky 63hits
#16 okta 57hits
#17 st 57hits
#18 imap 48hits
#19 webex 44hits
#20 ftp 34hits
#21 extranet 33hits
#22 twilio 32hits
#23 roundcube 29hits
#24 salesforce 10hits
#25 jira 6hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

Jun 1 → Jun 8, 2026 13 min

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

16K machines
2K users
273K domains

View report →

May 25 → Jun 1, 2026 13 min

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

18K machines
4K users
259K domains

View report →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

Infostealers Weekly Report: 2025-02-10 – 2025-02-17

Where infections came from

Where users had active sessions

Employees caught in the logs