Infostealers Weekly Report: 2026-01-19 – 2026-01-26
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 1,530
- #2 United States of America 827
- #3 Brazil 784
- #4 Indonesia 693
- #5 Philippines 435
- #6 Pakistan 435
- #7 Bangladesh 337
- #8 Vietnam 281
- #9 Turkey 266
- #10 Egypt 260
- #11 France 249
- #12 Germany 194
- #13 Mexico 188
- #14 Italy 162
- #15 United Kingdom 160
- #16 Unknown Region 155
- #17 Poland 147
- #18 Spain 125
- #19 Argentina 117
- #20 Algeria 114
- #21 Colombia 108
- #22 China 105
- #23 Malaysia 103
- #24 Peru 102
- #25 Thailand 101
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 9,960 users
- #2 facebook.com 7,625 users
- #3 live.com 6,835 users
- #4 instagram.com 5,337 users
- #5 discord.com 4,334 users
- #6 com.facebook.katana 4,155 users
- #7 netflix.com 4,024 users
- #8 com.instagram.android 3,477 users
- #9 amazon.com 3,470 users
- #10 roblox.com 3,266 users
- #11 steampowered.com 3,017 users
- #12 microsoftonline.com 2,835 users
- #13 apple.com 2,701 users
- #14 paypal.com 2,691 users
- #15 com.netflix.mediaclient 2,643 users
- #16 spotify.com 2,399 users
- #17 twitter.com 2,357 users
- #18 linkedin.com 2,302 users
- #19 twitch.tv 2,301 users
- #20 openai.com 2,269 users
- #21 epicgames.com 2,129 users
- #22 com.discord 2,057 users
- #23 riotgames.com 2,031 users
- #24 com.roblox.client 1,980 users
- #25 github.com 1,918 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 137 employees
- #2 icicibank.com 82 employees
- #3 firstmail.ltd 68 employees
- #4 163.com 56 employees
- #5 rediff.com 45 employees
- #6 wp.pl 41 employees
- #7 qq.com 37 employees
- #8 aruba.it 28 employees
- #9 mail.tm 23 employees
- #10 unionbankonline.co.in 22 employees
- #11 deped.gov.ph 22 employees
- #12 santander.com.br 22 employees
- #13 icai.org 21 employees
- #14 bluehost.com 21 employees
- #15 web-hosting.com 21 employees
- #16 accenture.com 18 employees
- #17 netpnb.com 18 employees
- #18 unibo.it 17 employees
- #19 atlassian.com 17 employees
- #20 pnbibanking.in 17 employees
- #21 bank.in 17 employees
- #22 bobibanking.com 16 employees
- #23 payoneer.com 16 employees
- #24 mcd.com 16 employees
- #25 secureserver.net 15 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 13 employees
- #2 ibm.com 5 employees
- #3 publix.com 4 employees
- #4 salesforce.com 4 employees
- #5 netflix.com 3 employees
- #6 cbre.com 3 employees
- #7 rockwellautomation.com 2 employees
- #8 hp.com 2 employees
- #9 csc.com 2 employees
- #10 frontier.com 2 employees
- #11 twc.com 2 employees
- #12 cognizant.com 2 employees
- #13 citigroup.com 1 employee
- #14 visa.com 1 employee
- #15 nike.com 1 employee
- #16 att.com 1 employee
- #17 synnex.com 1 employee
- #18 google.com 1 employee
- #19 bestbuy.com 1 employee
- #20 interpublic.com 1 employee
Compromised users
- #1 google.com 9,960 users
- #2 facebook.com 7,625 users
- #3 netflix.com 4,024 users
- #4 amazon.com 3,470 users
- #5 apple.com 2,701 users
- #6 paypal.com 2,691 users
- #7 ebay.com 477 users
- #8 oracle.com 460 users
- #9 hp.com 401 users
- #10 nike.com 401 users
- #11 microsoft.com 372 users
- #12 cisco.com 212 users
- #13 walmart.com 205 users
- #14 ibm.com 204 users
- #15 ups.com 189 users
- #16 westernunion.com 118 users
- #17 adp.com 115 users
- #18 bestbuy.com 111 users
- #19 fedex.com 106 users
- #20 att.com 100 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 4,155 users
- 3,477 users
- Netflix 2,643 users
- Discord 2,057 users
- Roblox 1,980 users
- Spotify 1,807 users
- Snapchat 1,455 users
- Twitch 1,273 users
- 1,184 users
- 1,122 users
- PayPal 761 users
- Zoom 663 users
- 609 users
- Disney 586 users
- Xiaomi 573 users
- Mega 538 users
- Wish 531 users
- Mercadolibre 321 users
- Waze 308 users
- Alibaba 270 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 488,306 users
- #2 hotmail.com 38,432 users
- #3 yahoo.com 18,096 users
- #4 outlook.com 11,333 users
- #5 icloud.com 5,606 users
- #6 mail.ru 2,100 users
- #7 live.com 1,942 users
- #8 web.de 1,740 users
- #9 msn.com 1,321 users
- #10 gmx.de 1,260 users
- #11 googlemail.com 1,228 users
- #12 yandex.ru 1,220 users
- #13 libero.it 867 users
- #14 hotmail.fr 822 users
- #15 yahoo.com.br 755 users
- #16 proton.me 752 users
- #17 protonmail.com 752 users
- #18 hotmail.co.uk 745 users
- #19 gmx.net 632 users
- #20 mail.com 602 users
- #21 me.com 597 users
- #22 yahoo.co.id 591 users
- #23 ymail.com 577 users
- #24 aol.com 576 users
- #25 hotmail.it 575 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 11,906 machines
- #2 Lumma 1,858 machines
- #3 Acreed 1,054 machines
- #4 Vidar 143 machines
Anti-virus Coverage
- #1 Windows Defender 3,111 machines
- #2 No anti-virus installed 196 machines
- #3 Windows Defender. 15 machines
- #4 None 1 machine
- #5 N/A 1 machine
- #6 Malwarebytes, Windows Defender. 1 machine
- #7 Windows Defender, McAfee. 1 machine
- #8 Kaspersky, Windows Defender, Kaspersky Internet Security. 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 59,536 hits
- #2 sso 14,334 hits
- #3 zoom 3,652 hits
- #4 github 3,411 hits
- #5 webmail 1,477 hits
- #6 adfs 1,437 hits
- #7 sap 1,013 hits
- #8 oracle 960 hits
- #9 zendesk 777 hits
- #10 vpn 596 hits
- #11 salesforce 593 hits
- #12 ping 545 hits
- #13 sts 520 hits
- #14 cpanel 476 hits
- #15 owa 455 hits
- #16 st 323 hits
- #17 kaspersky 284 hits
- #18 okta 281 hits
- #19 roundcube 253 hits
- #20 webex 251 hits
- #21 ftp 216 hits
- #22 extranet 207 hits
- #23 twilio 195 hits
- #24 gitlab 176 hits
- #25 jira 114 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.