Infostealers Weekly Report: 2025-08-04 – 2025-08-11
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 India 3,275
- #2 United States of America 2,108
- #3 Brazil 1,245
- #4 France 819
- #5 Indonesia 748
- #6 Bangladesh 715
- #7 Japan 691
- #8 Spain 602
- #9 Poland 595
- #10 Mexico 575
- #11 Nigeria 530
- #12 Pakistan 527
- #13 Philippines 487
- #14 Germany 425
- #15 Italy 423
- #16 Vietnam 419
- #17 Turkey 356
- #18 Colombia 347
- #19 South Korea 314
- #20 Argentina 303
- #21 Egypt 295
- #22 United Kingdom 291
- #23 Peru 222
- #24 Thailand 221
- #25 Canada 195
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 30,373 users
-
#2
facebook.com 22,626 users
-
#3
live.com 17,222 users
-
#4
instagram.com 13,282 users
-
#5
netflix.com 11,713 users
-
#6
discord.com 11,007 users
-
#7
com.facebook.katana 10,327 users
-
#8
microsoftonline.com 10,137 users
-
#9
roblox.com 9,706 users
-
#10
amazon.com 9,049 users
-
#11
apple.com 8,275 users
-
#12
paypal.com 7,655 users
-
#13
linkedin.com 7,441 users
-
#14
com.instagram.android 7,189 users
-
#15
twitter.com 7,055 users
-
#16
spotify.com 6,756 users
-
#17
zoom.us 6,752 users
-
#18
steampowered.com 6,450 users
-
#19
com.netflix.mediaclient 6,164 users
-
#20
twitch.tv 5,665 users
-
#21
mega.nz 5,234 users
-
#22
epicgames.com 5,164 users
-
#23
github.com 5,126 users
-
#24
openai.com 5,062 users
-
#25
com.roblox.client 5,042 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
hostinger.com 319 employees
-
#2
firstmail.ltd 229 employees
-
#3
icicibank.com 218 employees
-
#4
aruba.it 132 employees
-
#5
wp.pl 102 employees
-
#6
unionbankonline.co.in 84 employees
-
#7
secureserver.net 79 employees
-
#8
163.com 78 employees
-
#9
onet.pl 77 employees
-
#10
office365.com 77 employees
-
#11
bobibanking.com 77 employees
-
#12
digimail.in 75 employees
-
#13
rediff.com 74 employees
-
#14
pec.it 69 employees
-
#15
bharatnet.internal 63 employees
-
#16
atlassian.com 63 employees
-
#17
qq.com 59 employees
-
#18
zsthost.com 59 employees
-
#19
naver.com 56 employees
-
#20
o2.pl 52 employees
-
#21
ovh.net 51 employees
-
#22
company.local 49 employees
-
#23
bluehost.com 46 employees
-
#24
hostgator.com.br 46 employees
-
#25
mail.tm 45 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
microsoft.com 37 employees
-
#2
-
#3
fedex.com 10 employees
-
#4
oracle.com 10 employees
-
#5
rockwellautomation.com 9 employees
-
#6
-
#7
ibm.com 8 employees
-
#8
publix.com 7 employees
-
#9
verizon.com 7 employees
-
#10
pfizer.com 6 employees
-
#11
hp.com 5 employees
-
#12
abbott.com 4 employees
-
#13
cognizant.com 4 employees
-
#14
metlife.com 4 employees
-
#15
frontier.com 4 employees
-
#16
yum.com 3 employees
-
#17
-
#18
ford.com 3 employees
-
#19
visteon.com 3 employees
-
#20
marriott.com 3 employees
Compromised users
-
#1
-
#2
-
#3
-
#4
-
#5
-
#6
-
#7
ebay.com 1,362 users
-
#8
-
#9
-
#10
-
#11
salesforce.com 846 users
-
#12
nike.com 840 users
-
#13
walmart.com 653 users
-
#14
ups.com 476 users
-
#15
cisco.com 468 users
-
#16
-
#17
target.com 317 users
-
#18
bankofamerica.com 313 users
-
#19
-
#20
bestbuy.com 307 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
10,327 users
7,189 users
Netflix
6,164 users
Roblox
5,042 users
Discord
4,146 users
Spotify
3,628 users
Snapchat
3,345 users
3,016 users
Twitch
2,849 users
2,799 users
PayPal
1,822 users
Mega
1,547 users
Zoom
1,539 users
1,512 users
Wish
1,466 users
Disney
1,442 users
Xiaomi
1,301 users
Mercadolibre
916 users
Waze
851 users
Alibaba
813 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 1,290,320 users
-
#2
hotmail.com 92,436 users
-
#3
yahoo.com 52,903 users
-
#4
outlook.com 32,094 users
-
#5
icloud.com 14,273 users
-
#6
mail.ru 4,348 users
-
#7
yahoo.com.ar 4,136 users
-
#8
-
#9
hotmail.fr 3,426 users
-
#10
me.com 3,369 users
-
#11
aol.com 3,099 users
-
#12
gmx.de 3,099 users
-
#13
ymail.com 2,843 users
-
#14
mail.com 2,493 users
-
#15
web.de 2,151 users
-
#16
yahoo.com.br 1,868 users
-
#17
googlemail.com 1,695 users
-
#18
yahoo.fr 1,655 users
-
#19
hotmail.es 1,648 users
-
#20
comcast.net 1,625 users
-
#21
libero.it 1,611 users
-
#22
gmx.com 1,596 users
-
#23
hotmail.it 1,346 users
-
#24
yahoo.it 1,244 users
-
#25
orange.fr 1,205 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 33,555machines
- #2 Lumma 24,244machines
- #3 RedLine 2machines
Anti-virus Coverage
- #1 Windows Defender 18,860machines
- #2 None 1,985machines
- #3 Windows Defender [ON] 1,492machines
- #4 Reason Cybersecurity 508machines
- #5 Windows Defender. 167machines
- #6 McAfee, Windows Defender 91machines
- #7 Windows Defender, McAfee 84machines
- #8 McAfee 53machines
- #9 Windows Defender, Reason Cybersecurity 52machines
- #10 Avast Antivirus, Windows Defender 52machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 146,451hits
- #2 sso 35,543hits
- #3 zoom 12,216hits
- #4 github 8,489hits
- #5 vpn 6,501hits
- #6 webmail 5,968hits
- #7 adfs 3,261hits
- #8 oracle 2,127hits
- #9 zendesk 2,051hits
- #10 cpanel 1,636hits
- #11 jira 1,528hits
- #12 ping 1,523hits
- #13 salesforce 1,312hits
- #14 sap 1,267hits
- #15 owa 1,142hits
- #16 sts 988hits
- #17 roundcube 894hits
- #18 ftp 836hits
- #19 gitlab 817hits
- #20 extranet 803hits
- #21 okta 769hits
- #22 kaspersky 708hits
- #23 git 568hits
- #24 twilio 523hits
- #25 imap 452hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-05-18 – 2026-05-25
- 14K machines
- 4K users
- 187K domains
Infostealers Weekly Report: 2026-05-11 – 2026-05-18
- 25K machines
- 2K users
- 319K domains
Infostealers Weekly Report: 2026-05-04 – 2026-05-11
- 16K machines
- 4K users
- 200K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.