Infostealers Weekly Report: 2025-11-03 – 2025-11-10
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 2,113
- #2 Egypt 290
- #3 United States of America 271
- #4 Philippines 267
- #5 Mexico 221
- #6 Brazil 205
- #7 Bangladesh 204
- #8 Indonesia 197
- #9 Vietnam 187
- #10 Pakistan 159
- #11 France 141
- #12 Colombia 117
- #13 Peru 95
- #14 Argentina 91
- #15 Italy 84
- #16 Taiwan 72
- #17 Germany 71
- #18 Japan 69
- #19 South Korea 67
- #20 Unknown Region 67
- #21 Spain 67
- #22 Algeria 63
- #23 Sri Lanka 59
- #24 Morocco 57
- #25 Thailand 57
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 7,364 users
- #2 facebook.com 6,212 users
- #3 live.com 5,066 users
- #4 instagram.com 4,081 users
- #5 com.facebook.katana 3,322 users
- #6 netflix.com 3,012 users
- #7 com.instagram.android 2,745 users
- #8 amazon.com 2,577 users
- #9 discord.com 2,491 users
- #10 microsoftonline.com 2,160 users
- #11 com.netflix.mediaclient 1,981 users
- #12 paypal.com 1,842 users
- #13 roblox.com 1,841 users
- #14 linkedin.com 1,823 users
- #15 openai.com 1,777 users
- #16 twitter.com 1,691 users
- #17 steampowered.com 1,580 users
- #18 apple.com 1,494 users
- #19 spotify.com 1,473 users
- #20 amazon.in 1,311 users
- #21 zoom.us 1,309 users
- #22 com.discord 1,303 users
- #23 github.com 1,273 users
- #24 com.snapchat.android 1,229 users
- #25 twitch.tv 1,194 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, identified through business email addresses and corporate credentials found in the logs.
- #1 hostinger.com 104 employees
- #2 icicibank.com 73 employees
- #3 rediff.com 70 employees
- #4 firstmail.ltd 38 employees
- #5 icai.org 38 employees
- #6 aruba.it 36 employees
- #7 bobibanking.com 29 employees
- #8 ovh.net 28 employees
- #9 njoyn.com 26 employees
- #10 secop.gov.co 21 employees
- #11 naver.com 19 employees
- #12 wp.pl 18 employees
- #13 netpnb.com 17 employees
- #14 pec.it 17 employees
- #15 secureserver.net 16 employees
- #16 rediffmailpro.com 16 employees
- #17 ovhcloud.com 16 employees
- #18 qq.com 16 employees
- #19 unionbankonline.co.in 15 employees
- #20 accenture.com 15 employees
- #21 indusind.com 14 employees
- #22 watchit.com 14 employees
- #23 deped.gov.ph 14 employees
- #24 fednetbank.com 14 employees
- #25 163.com 14 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 rockwellautomation.com 10 employees
- #2 microsoft.com 5 employees
- #3 salesforce.com 4 employees
- #4 hp.com 4 employees
- #5 intel.com 4 employees
- #6 verizon.com 3 employees
- #7 ibm.com 2 employees
- #8 micron.com 2 employees
- #9 jpmorganchase.com 2 employees
- #10 amazon.com 2 employees
- #11 morganstanley.com 2 employees
- #12 westrock.com 2 employees
- #13 fisglobal.com 2 employees
- #14 publix.com 2 employees
- #15 owenscorning.com 1 employee
- #16 facebook.com 1 employee
- #17 cognizant.com 1 employee
- #18 google.com 1 employee
- #19 ford.com 1 employee
- #20 jacobs.com 1 employee
Compromised users
- #1 google.com 7,364 users
- #2 facebook.com 6,212 users
- #3 netflix.com 3,012 users
- #4 amazon.com 2,577 users
- #5 paypal.com 1,842 users
- #6 apple.com 1,494 users
- #7 hp.com 347 users
- #8 oracle.com 334 users
- #9 ebay.com 318 users
- #10 microsoft.com 285 users
- #11 nike.com 251 users
- #12 cisco.com 190 users
- #13 ibm.com 156 users
- #14 ups.com 136 users
- #15 walmart.com 109 users
- #16 westernunion.com 91 users
- #17 salesforce.com 88 users
- #18 fedex.com 77 users
- #19 americanexpress.com 69 users
- #20 broadcom.com 66 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 Facebook (com.facebook.katana) 3,322 users
- #2 Instagram (com.instagram.android) 2,745 users
- #3 Netflix 1,981 users
- #4 Discord 1,303 users
- #5 Snapchat 1,229 users
- #6 Roblox 1,168 users
- #7 Spotify 1,142 users
- #8 (app name missing) 917 users
- #9 Twitch 725 users
- #10 Zoom 654 users
- #11 (app name missing) 647 users
- #12 (app name missing) 569 users
- #13 PayPal 487 users
- #14 Xiaomi 414 users
- #15 Mega 363 users
- #16 Disney 353 users
- #17 Wish 349 users
- #18 Waze 213 users
- #19 Mercadolibre 210 users
- #20 Alibaba 176 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond: the email providers seen across this week's stealer logs.
- #1 gmail.com 377,582 users
- #2 hotmail.com 26,034 users
- #3 yahoo.com 13,835 users
- #4 outlook.com 8,473 users
- #5 mail.com 2,440 users
- #6 icloud.com 2,414 users
- #7 live.com 1,978 users
- #8 hotmail.fr 1,302 users
- #9 yahoo.fr 1,271 users
- #10 yahoo.co.jp 1,240 users
- #11 orange.fr 1,235 users
- #12 proton.me 1,143 users
- #13 sky.com 1,058 users
- #14 aol.com 895 users
- #15 mail.ru 889 users
- #16 yahoo.com.br 831 users
- #17 ymail.com 829 users
- #18 libero.it 805 users
- #19 live.fr 651 users
- #20 wanadoo.fr 601 users
- #21 hotmail.it 518 users
- #22 msn.com 512 users
- #23 web.de 488 users
- #24 rambler.ru 433 users
- #25 hotmail.es 379 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus products reported as installed on infected hosts (product names are listed exactly as the logs record them, so the same product can appear under several spellings).
Stealer Families
- #1 Generic Stealer 7,762 machines
- #2 Vidar 2,277 machines
- #3 Lumma 707 machines
- #4 Acreed 24 machines
Anti-virus Coverage
- #1 Windows Defender 3,873 machines
- #2 Windows Defender. 288 machines
- #3 Windows Defender, Avast Antivirus. 35 machines
- #4 Windows Defender, McAfee 26 machines
- #5 Windows Defender, McAfee. 23 machines
- #6 McAfee, Windows Defender 21 machines
- #7 Windows Defender, McAfee VirusScan 14 machines
- #8 McAfee VirusScan, Windows Defender 14 machines
- #9 Windows Defender, ESET Security. 10 machines
- #10 Windows Defender, VirusScan de McAfee . 9 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen in the URLs of credential logs this week (auth, sso, vpn, and others); a hit is one credential entry whose URL contains the keyword.
- #1 auth 43,401 hits
- #2 sso 11,336 hits
- #3 zoom 3,548 hits
- #4 github 2,462 hits
- #5 webmail 1,331 hits
- #6 adfs 1,090 hits
- #7 sap 770 hits
- #8 oracle 752 hits
- #9 zendesk 531 hits
- #10 ping 489 hits
- #11 owa 449 hits
- #12 salesforce 340 hits
- #13 sts 318 hits
- #14 vpn 315 hits
- #15 cpanel 301 hits
- #16 extranet 285 hits
- #17 webex 212 hits
- #18 okta 198 hits
- #19 roundcube 175 hits
- #20 kaspersky 171 hits
- #21 st 157 hits
- #22 ftp 125 hits
- #23 twilio 124 hits
- #24 imap 86 hits
- #25 gitlab 61 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.