Infostealers Weekly Report: 2025-09-15 – 2025-09-22
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 India 1,020
- #2 United States of America 899
- #3 Indonesia 818
- #4 Brazil 617
- #5 Mexico 435
- #6 Vietnam 410
- #7 Philippines 382
- #8 Colombia 359
- #9 Egypt 339
- #10 Pakistan 318
- #11 Argentina 310
- #12 Turkey 274
- #13 Germany 240
- #14 Bangladesh 231
- #15 France 216
- #16 Peru 206
- #17 Malaysia 195
- #18 Morocco 178
- #19 Spain 161
- #20 Thailand 158
- #21 United Kingdom 148
- #22 Iran 144
- #23 Italy 142
- #24 Chile 141
- #25 Poland 126
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 11,691 users
-
#2
facebook.com 9,182 users
-
#3
live.com 9,015 users
-
#4
discord.com 6,980 users
-
#5
roblox.com 6,584 users
-
#6
instagram.com 6,543 users
-
#7
netflix.com 5,247 users
-
#8
com.facebook.katana 4,905 users
-
#9
steampowered.com 4,655 users
-
#10
amazon.com 4,491 users
-
#11
com.instagram.android 4,081 users
-
#12
paypal.com 3,920 users
-
#13
twitch.tv 3,827 users
-
#14
com.roblox.client 3,638 users
-
#15
epicgames.com 3,504 users
-
#16
twitter.com 3,428 users
-
#17
com.netflix.mediaclient 3,422 users
-
#18
riotgames.com 3,301 users
-
#19
spotify.com 3,280 users
-
#20
apple.com 3,209 users
-
#21
microsoftonline.com 3,133 users
-
#22
com.discord 3,102 users
-
#23
steamcommunity.com 2,871 users
-
#24
github.com 2,662 users
-
#25
openai.com 2,539 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
firstmail.ltd 150 employees
-
#2
hostinger.com 136 employees
-
#3
icicibank.com 79 employees
-
#4
rediff.com 50 employees
-
#5
binus.ac.id 48 employees
-
#6
niagahoster.com 47 employees
-
#7
jakartareportase.com 43 employees
-
#8
idnews.co.id 42 employees
-
#9
dapurbundapertiwi.com 42 employees
-
#10
ptmitrasiaga.com 42 employees
-
#11
santander.com.br 38 employees
-
#12
wp.pl 37 employees
-
#13
163.com 33 employees
-
#14
aruba.it 32 employees
-
#15
mail.tm 30 employees
-
#16
bobibanking.com 29 employees
-
#17
buenosaires.gob.ar 29 employees
-
#18
web-hosting.com 28 employees
-
#19
zsthost.com 28 employees
-
#20
secop.gov.co 27 employees
-
#21
qq.com 26 employees
-
#22
secureserver.net 25 employees
-
#23
watchit.com 24 employees
-
#24
skole.hr 23 employees
-
#25
indusind.com 22 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
rockwellautomation.com 8 employees
-
#2
microsoft.com 8 employees
-
#3
-
#4
cognizant.com 5 employees
-
#5
publix.com 4 employees
-
#6
ups.com 3 employees
-
#7
att.com 2 employees
-
#8
cbre.com 2 employees
-
#9
ryder.com 2 employees
-
#10
ibm.com 2 employees
-
#11
-
#12
hertz.com 1 employees
-
#13
ford.com 1 employees
-
#14
pg.com 1 employees
-
#15
oracle.com 1 employees
-
#16
cisco.com 1 employees
-
#17
cablevision.com 1 employees
-
#18
bakerhughes.com 1 employees
-
#19
abbott.com 1 employees
-
#20
xerox.com 1 employees
Compromised users
-
#1
-
#2
-
#3
-
#4
-
#5
-
#6
-
#7
ebay.com 714 users
-
#8
-
#9
hp.com 556 users
-
#10
nike.com 531 users
-
#11
-
#12
walmart.com 391 users
-
#13
-
#14
-
#15
-
#16
fedex.com 185 users
-
#17
bestbuy.com 171 users
-
#18
capitalone.com 170 users
-
#19
adp.com 159 users
-
#20
westernunion.com 153 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
4,905 users
4,081 users
Roblox
3,638 users
Netflix
3,422 users
Discord
3,102 users
Twitch
2,089 users
Spotify
2,053 users
1,699 users
1,694 users
Snapchat
1,680 users
PayPal
1,135 users
Wish
859 users
Mega
792 users
Zoom
787 users
Disney
743 users
659 users
Xiaomi
656 users
Mercadolibre
412 users
Waze
390 users
Alibaba
385 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 707,388 users
-
#2
hotmail.com 54,745 users
-
#3
yahoo.com 29,649 users
-
#4
outlook.com 18,488 users
-
#5
icloud.com 6,574 users
-
#6
-
#7
yahoo.com.br 3,038 users
-
#8
ntlworld.com 1,864 users
-
#9
yahoo.fr 1,667 users
-
#10
hotmail.fr 1,666 users
-
#11
aol.com 1,618 users
-
#12
comcast.net 1,396 users
-
#13
web.de 1,378 users
-
#14
mail.ru 1,318 users
-
#15
hotmail.co.uk 1,150 users
-
#16
ymail.com 1,083 users
-
#17
googlemail.com 880 users
-
#18
libero.it 866 users
-
#19
hotmail.it 778 users
-
#20
hotmail.es 740 users
-
#21
mail.com 723 users
-
#22
yahoo.co.id 707 users
-
#23
gmx.de 635 users
-
#24
msn.com 629 users
-
#25
proton.me 626 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 11,552machines
- #2 Lumma 4,056machines
- #3 Acreed 1,184machines
Anti-virus Coverage
- #1 Windows Defender 1,933machines
- #2 Windows Defender. 472machines
- #3 Windows Defender [ON] 213machines
- #4 None 162machines
- #5 Reason Cybersecurity 98machines
- #6 Windows Defender, McAfee. 65machines
- #7 Windows Defender, Avast Antivirus. 54machines
- #8 38machines
- #9 N/A 31machines
- #10 McAfee 26machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 79,511hits
- #2 sso 20,172hits
- #3 zoom 5,331hits
- #4 github 5,042hits
- #5 webmail 2,913hits
- #6 adfs 1,669hits
- #7 oracle 1,204hits
- #8 zendesk 1,117hits
- #9 ping 1,034hits
- #10 sap 1,001hits
- #11 vpn 956hits
- #12 owa 758hits
- #13 cpanel 580hits
- #14 sts 572hits
- #15 zimbra 499hits
- #16 kaspersky 411hits
- #17 st 407hits
- #18 salesforce 368hits
- #19 okta 367hits
- #20 webex 354hits
- #21 roundcube 335hits
- #22 ftp 315hits
- #23 imap 296hits
- #24 extranet 282hits
- #25 twilio 271hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-05-18 – 2026-05-25
- 14K machines
- 4K users
- 187K domains
Infostealers Weekly Report: 2026-05-11 – 2026-05-18
- 25K machines
- 2K users
- 319K domains
Infostealers Weekly Report: 2026-05-04 – 2026-05-11
- 16K machines
- 4K users
- 200K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.