Infostealers Weekly Report: 2025-12-22 – 2025-12-29
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 2,358
- #2 United States of America 1,188
- #3 Indonesia 1,055
- #4 Brazil 985
- #5 Philippines 823
- #6 France 502
- #7 Germany 489
- #8 Vietnam 431
- #9 United Kingdom 386
- #10 Bangladesh 296
- #11 Egypt 277
- #12 Turkey 275
- #13 Poland 265
- #14 Spain 255
- #15 Italy 246
- #16 Argentina 242
- #17 Colombia 223
- #18 Thailand 212
- #19 Mexico 188
- #20 Canada 186
- #21 Pakistan 183
- #22 Malaysia 177
- #23 Peru 166
- #24 Romania 164
- #25 Chile 143
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 11,372 users
- #2 facebook.com 8,397 users
- #3 live.com 8,260 users
- #4 discord.com 6,343 users
- #5 roblox.com 6,205 users
- #6 instagram.com 6,182 users
- #7 netflix.com 4,826 users
- #8 com.facebook.katana 4,697 users
- #9 steampowered.com 4,312 users
- #10 com.instagram.android 4,155 users
- #11 amazon.com 3,843 users
- #12 com.roblox.client 3,609 users
- #13 twitch.tv 3,445 users
- #14 epicgames.com 3,259 users
- #15 microsoftonline.com 3,241 users
- #16 riotgames.com 3,213 users
- #17 spotify.com 3,203 users
- #18 com.netflix.mediaclient 3,178 users
- #19 paypal.com 2,952 users
- #20 com.discord 2,945 users
- #21 steamcommunity.com 2,761 users
- #22 twitter.com 2,748 users
- #23 apple.com 2,598 users
- #24 openai.com 2,441 users
- #25 com.spotify.music 2,387 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 firstmail.ltd 91 employees
- #2 hostinger.com 86 employees
- #3 icicibank.com 73 employees
- #4 wp.pl 51 employees
- #5 rediff.com 46 employees
- #6 aruba.it 38 employees
- #7 icai.org 38 employees
- #8 zsthost.com 26 employees
- #9 mail.tm 24 employees
- #10 netpnb.com 20 employees
- #11 interia.pl 19 employees
- #12 indusind.com 18 employees
- #13 abv.bg 18 employees
- #14 unionbankonline.co.in 18 employees
- #15 deped.gov.ph 17 employees
- #16 concentrix.com 17 employees
- #17 163.com 17 employees
- #18 bobibanking.com 17 employees
- #19 secop.gov.co 16 employees
- #20 det.nsw.edu.au 16 employees
- #21 pnbibanking.in 16 employees
- #22 rmunify.com 15 employees
- #23 atlassian.com 14 employees
- #24 spectrum.net 14 employees
- #25 alxswe.com 14 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 14 employees
- #2 ibm.com 9 employees
- #3 hp.com 6 employees
- #4 mutualofomaha.com 5 employees
- #5 publix.com 4 employees
- #6 amazon.com 4 employees
- #7 salesforce.com 3 employees
- #8 paypal.com 2 employees
- #9 libertymutual.com 2 employees
- #10 cognizant.com 2 employees
- #11 raytheon.com 2 employees
- #12 jpmorganchase.com 2 employees
- #13 ups.com 2 employees
- #14 rockwellautomation.com 2 employees
- #15 disney.com 1 employee
- #16 pg.com 1 employee
- #17 verizon.com 1 employee
- #18 sandisk.com 1 employee
- #19 netflix.com 1 employee
- #20 newmont.com 1 employee
Compromised users
- #1 google.com 11,372 users
- #2 facebook.com 8,397 users
- #3 netflix.com 4,826 users
- #4 amazon.com 3,843 users
- #5 paypal.com 2,952 users
- #6 apple.com 2,598 users
- #7 ebay.com 459 users
- #8 nike.com 458 users
- #9 hp.com 435 users
- #10 oracle.com 433 users
- #11 microsoft.com 362 users
- #12 walmart.com 275 users
- #13 cisco.com 265 users
- #14 ibm.com 178 users
- #15 ups.com 157 users
- #16 adp.com 141 users
- #17 fedex.com 118 users
- #18 target.com 111 users
- #19 bestbuy.com 109 users
- #20 capitalone.com 101 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 4,697 users
- 4,155 users
- Roblox 3,609 users
- Netflix 3,178 users
- Discord 2,945 users
- Spotify 2,387 users
- 2,042 users
- Twitch 1,857 users
- Snapchat 1,738 users
- 1,433 users
- PayPal 896 users
- Wish 798 users
- Zoom 761 users
- Disney 719 users
- Mega 675 users
- Xiaomi 602 users
- 602 users
- Mercadolibre 290 users
- Waze 277 users
- Alibaba 259 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 553,056 users
- #2 hotmail.com 36,808 users
- #3 yahoo.com 20,639 users
- #4 outlook.com 11,943 users
- #5 icloud.com 4,727 users
- #6 live.com 2,422 users
- #7 comcast.net 2,069 users
- #8 hotmail.fr 1,287 users
- #9 msn.com 1,256 users
- #10 web.de 1,048 users
- #11 yahoo.co.uk 1,029 users
- #12 mail.ru 1,029 users
- #13 aol.com 1,000 users
- #14 live.fr 974 users
- #15 hotmail.it 812 users
- #16 yahoo.com.br 797 users
- #17 googlemail.com 694 users
- #18 yahoo.fr 667 users
- #19 free.fr 647 users
- #20 gmx.de 565 users
- #21 libero.it 554 users
- #22 sky.com 548 users
- #23 hotmail.co.uk 521 users
- #24 live.it 468 users
- #25 mail.com 425 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Lumma 8,582 machines
- #2 Generic Stealer 6,414 machines
- #3 Acreed 2,094 machines
- #4 Vidar 590 machines
Anti-virus Coverage
- #1 Windows Defender 9,466 machines
- #2 No anti-virus installed 2,867 machines
- #3 Windows Defender. 60 machines
- #4 Reason Cybersecurity, Windows Defender 9 machines
- #5 McAfee, Windows Defender 7 machines
- #6 Windows Defender, Reason Cybersecurity 6 machines
- #7 N/A 4 machines
- #8 Windows Defender, McAfee VirusScan 3 machines
- #9 Avast Antivirus, Windows Defender 3 machines
- #10 Windows Defender, 360 Total Security 3 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen in the URLs of credentials across this week's logs, such as auth, sso, and vpn.
- #1 auth 61,663 hits
- #2 sso 15,481 hits
- #3 zoom 4,470 hits
- #4 github 3,726 hits
- #5 adfs 2,026 hits
- #6 webmail 1,270 hits
- #7 oracle 989 hits
- #8 zendesk 838 hits
- #9 sap 833 hits
- #10 ping 620 hits
- #11 owa 581 hits
- #12 sts 538 hits
- #13 vpn 465 hits
- #14 okta 349 hits
- #15 salesforce 344 hits
- #16 cpanel 332 hits
- #17 webex 280 hits
- #18 st 255 hits
- #19 kaspersky 219 hits
- #20 extranet 178 hits
- #21 gitlab 150 hits
- #22 dana-na 139 hits
- #23 roundcube 126 hits
- #24 twilio 108 hits
- #25 ftp 96 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.