Infostealers Weekly Report: 2025-11-17 – 2025-11-24
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 United States of America 272
- #2 India 208
- #3 Vietnam 143
- #4 Brazil 76
- #5 Unknown Region 62
- #6 Indonesia 58
- #7 Germany 53
- #8 China 52
- #9 Philippines 47
- #10 France 46
- #11 South Korea 42
- #12 United Kingdom 37
- #13 Egypt 35
- #14 Mexico 34
- #15 Spain 31
- #16 Pakistan 29
- #17 Bangladesh 29
- #18 Peru 28
- #19 Italy 25
- #20 Poland 24
- #21 Japan 24
- #22 Canada 23
- #23 Colombia 23
- #24 Argentina 22
- #25 Australia 22
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 1,248 users
- #2 facebook.com 969 users
- #3 live.com 955 users
- #4 instagram.com 753 users
- #5 netflix.com 641 users
- #6 discord.com 610 users
- #7 com.facebook.katana 569 users
- #8 amazon.com 548 users
- #9 apple.com 506 users
- #10 microsoftonline.com 494 users
- #11 com.instagram.android 473 users
- #12 roblox.com 454 users
- #13 paypal.com 443 users
- #14 twitter.com 439 users
- #15 steampowered.com 415 users
- #16 com.netflix.mediaclient 403 users
- #17 spotify.com 393 users
- #18 linkedin.com 388 users
- #19 openai.com 369 users
- #20 twitch.tv 352 users
- #21 github.com 323 users
- #22 epicgames.com 322 users
- #23 zoom.us 321 users
- #24 riotgames.com 313 users
- #25 com.discord 307 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 30 employees
- #2 qq.com 24 employees
- #3 163.com 23 employees
- #4 aruba.it 18 employees
- #5 fecredit.com.vn 17 employees
- #6 icicibank.com 16 employees
- #7 hvnh.edu.vn 15 employees
- #8 firstmail.ltd 12 employees
- #9 ibm.com 12 employees
- #10 belajar.id 11 employees
- #11 strato.com 11 employees
- #12 maychuemail.com 11 employees
- #13 inacap.cl 10 employees
- #14 mercedes-benz.com 10 employees
- #15 oabsp.org.br 10 employees
- #16 marsaventis.com 10 employees
- #17 svsu.edu 10 employees
- #18 buenosaires.gob.ar 10 employees
- #19 mti.edu.eg 10 employees
- #20 publicisgroupe.net 10 employees
- #21 jpmorganchase.com 10 employees
- #22 guejae.edu.pe 10 employees
- #23 syrahost.com 10 employees
- #24 ucoebanking.in 10 employees
- #25 trident.ac.in 10 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 ibm.com 12 employees
- #2 jpmorganchase.com 10 employees
- #3 microsoft.com 2 employees
- #4 oreillyauto.com 1 employee
- #5 kindredhealthcare.com 1 employee
- #6 publix.com 1 employee
Compromised users
- #1 google.com 1,248 users
- #2 facebook.com 969 users
- #3 netflix.com 641 users
- #4 amazon.com 548 users
- #5 apple.com 506 users
- #6 paypal.com 443 users
- #7 ebay.com 137 users
- #8 oracle.com 104 users
- #9 microsoft.com 97 users
- #10 walmart.com 85 users
- #11 hp.com 82 users
- #12 nike.com 74 users
- #13 ups.com 60 users
- #14 ibm.com 57 users
- #15 att.com 45 users
- #16 broadcom.com 39 users
- #17 cisco.com 36 users
- #18 bestbuy.com 36 users
- #19 westernunion.com 34 users
- #20 adp.com 34 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 Facebook (com.facebook.katana) 569 users
- #2 Instagram (com.instagram.android) 473 users
- #3 Netflix 403 users
- #4 Discord 307 users
- #5 Spotify 282 users
- #6 Roblox 281 users
- #7 [app name not captured] 235 users
- #8 Snapchat 227 users
- #9 [app name not captured] 216 users
- #10 Twitch 193 users
- #11 Zoom 146 users
- #12 PayPal 143 users
- #13 [app name not captured] 126 users
- #14 Disney 124 users
- #15 Mega 107 users
- #16 Xiaomi 103 users
- #17 Waze 93 users
- #18 Wish 90 users
- #19 Mercadolibre 75 users
- #20 Alibaba 47 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 141,682 users
- #2 hotmail.com 12,894 users
- #3 yahoo.com 12,150 users
- #4 outlook.com 4,282 users
- #5 live.com 1,985 users
- #6 mail.ru 1,136 users
- #7 live.be 700 users
- #8 yahoo.co.jp 658 users
- #9 icloud.com 642 users
- #10 comcast.net 636 users
- #11 msn.com 631 users
- #12 yahoo.co.uk 510 users
- #13 libero.it 452 users
- #14 yahoo.com.br 450 users
- #15 yandex.ru 448 users
- #16 gmx.de 320 users
- #17 telenet.be 250 users
- #18 hotmail.it 248 users
- #19 aol.com 218 users
- #20 live.it 217 users
- #21 rocketmail.com 213 users
- #22 yahoo.fr 212 users
- #23 hotmail.fr 177 users
- #24 proton.me 148 users
- #25 inbox.ru 140 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 1,495 machines
- #2 Lumma 960 machines
- #3 Vidar 33 machines
Anti-virus Coverage
- #1 Windows Defender 478 machines
- #2 Windows Defender. 40 machines
- #3 N/A 4 machines
- #4 ESET Security, Windows Defender, ESET Security. 3 machines
- #5 McAfee, Windows Defender 3 machines
- #6 Windows Defender, McAfee. 2 machines
- #7 Windows Defender, Kaspersky Endpoint Security para Windows. 2 machines
- #8 Windows Defender, Panda Dome 1 machine
- #9 Windows Defender, AhnLab V3 Lite 1 machine
- #10 Windows Defender, McAfee 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 18,660 hits
- #2 sso 4,287 hits
- #3 zoom 1,473 hits
- #4 github 841 hits
- #5 webmail 625 hits
- #6 adfs 436 hits
- #7 owa 246 hits
- #8 oracle 242 hits
- #9 ping 240 hits
- #10 zendesk 204 hits
- #11 sap 142 hits
- #12 sts 130 hits
- #13 vpn 128 hits
- #14 salesforce 87 hits
- #15 st 85 hits
- #16 roundcube 84 hits
- #17 okta 81 hits
- #18 extranet 80 hits
- #19 twilio 78 hits
- #20 cpanel 75 hits
- #21 imap 73 hits
- #22 kaspersky 58 hits
- #23 webex 52 hits
- #24 ftp 34 hits
- #25 gitlab 32 hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.