Weekly intelligence May 25 – Jun 1, 2026 13 min read

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 18,227 Compromised Machines

#2 4,421 Compromised Employees

#3 3,902 Compromised Users

#4 9,904 Compromised Androids

#5 259,401 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 174

Infections by country

Top 25 countries

#1 India 1,899
#2 France 1,377
#3 Italy 631
#4 United States of America 589
#5 Brazil 416
#6 United Kingdom 304
#7 Indonesia 300
#8 Philippines 281
#9 Vietnam 257
#10 Pakistan 220
#11 Bangladesh 188
#12 Egypt 172
#13 Germany 155
#14 Spain 147
#15 Mexico 144
#16 South Africa 120
#17 Turkey 103
#18 Canada 95
#19 Argentina 94
#20 Saudi Arabia 89
#21 Algeria 84
#22 Thailand 80
#23 Colombia 68
#24 Sri Lanka 66
#25 Morocco 62

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 12,582 users
#2 facebook.com 9,514 users
#3 live.com 8,572 users
#4 instagram.com 6,747 users
#5 netflix.com 5,257 users
#6 discord.com 5,151 users
#7 com.facebook.katana 4,992 users
#8 amazon.com 4,986 users
#9 com.instagram.android 4,287 users
#10 steampowered.com 4,021 users
#11 paypal.com 3,953 users
#12 apple.com 3,875 users
#13 microsoftonline.com 3,780 users
#14 roblox.com 3,740 users
#15 spotify.com 3,259 users
#16 twitch.tv 3,257 users
#17 com.netflix.mediaclient 3,157 users
#18 twitter.com 3,127 users
#19 linkedin.com 3,034 users
#20 openai.com 2,806 users
#21 epicgames.com 2,703 users
#22 riotgames.com 2,418 users
#23 com.discord 2,375 users
#24 steamcommunity.com 2,361 users
#25 com.spotify.music 2,346 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 aruba.it 114 employees
#2 hostinger.com 112 employees
#3 icicibank.com 103 employees
#4 rediff.com 81 employees
#5 tim.it 60 employees
#6 pec.it 56 employees
#7 firstmail.ltd 54 employees
#8 icai.org 46 employees
#9 163.com 43 employees
#10 bobibanking.com 40 employees
#11 netpnb.com 37 employees
#12 android 37 employees
#13 ovh.net 36 employees
#14 qq.com 31 employees
#15 unionbankonline.co.in 28 employees
#16 cned.fr 27 employees
#17 pnb.bank.in 23 employees
#18 det.nsw.edu.au 23 employees
#19 watchit.com 23 employees
#20 confused.com 22 employees
#21 bankofbaroda.bank.in 21 employees
#22 ovhcloud.com 21 employees
#23 deped.gov.ph 21 employees
#24 njoyn.com 21 employees
#25 infocert.it 21 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 microsoft.com 10 employees
#2 ibm.com 8 employees
#3 cognizant.com 7 employees
#4 publix.com 6 employees
#5 google.com 5 employees
#6 netflix.com 5 employees
#7 bestbuy.com 4 employees
#8 cisco.com 4 employees
#9 intel.com 3 employees
#10 hp.com 3 employees
#11 rockwellautomation.com 3 employees
#12 salesforce.com 3 employees
#13 ups.com 2 employees
#14 allstate.com 2 employees
#15 ford.com 2 employees
#16 emc.com 1 employees
#17 nov.com 1 employees
#18 essendant.com 1 employees
#19 abbvie.com 1 employees
#20 att.com 1 employees

Compromised users

#1 google.com 12,582 users
#2 facebook.com 9,514 users
#3 netflix.com 5,257 users
#4 amazon.com 4,986 users
#5 paypal.com 3,953 users
#6 apple.com 3,875 users
#7 ebay.com 685 users
#8 hp.com 669 users
#9 nike.com 611 users
#10 oracle.com 575 users
#11 microsoft.com 460 users
#12 ups.com 412 users
#13 walmart.com 365 users
#14 cisco.com 301 users
#15 ibm.com 268 users
#16 fedex.com 197 users
#17 adp.com 189 users
#18 target.com 187 users
#19 westernunion.com 182 users
#20 bestbuy.com 160 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

4,992 users

Instagram

instagram.com · com.instagram.android

4,287 users

Netflix

netflix.com · com.netflix.mediaclient

3,157 users

Discord

discord.com · com.discord

2,375 users

Spotify

spotify.com · com.spotify.music

2,346 users

Roblox

roblox.com · com.roblox.client

2,193 users

Snapchat

snapchat.com · com.snapchat.android

2,099 users

pinterest.com · com.pinterest

1,949 users

Twitch

app.com · tv.twitch.android.app

1,655 users

#10

Twitter

twitter.com · com.twitter.android

1,482 users

#11

PayPal

paypal.com · com.paypal.android.p2pmobile

1,028 users

#12

Wish

contextlogic.com · com.contextlogic.wish

1,000 users

#13

Disney

disney.com · com.disney.disneyplus

864 users

#14

Zoom

videomeetings.com · us.zoom.videomeetings

762 users

#15

linkedin.com · com.linkedin.android

710 users

#16

Mega

app.com · mega.privacy.android.app

681 users

#17

Xiaomi

xiaomi.com · com.xiaomi.account

665 users

#18

Waze

waze.com · com.waze

429 users

#19

Alibaba

alibaba.com · com.alibaba.aliexpresshd

388 users

#20

Mercadolibre

mercadolibre.com · com.mercadolibre

296 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 689,395 users
#2 hotmail.com 50,995 users
#3 yahoo.com 21,704 users
#4 outlook.com 15,532 users
#5 hotmail.fr 15,002 users
#6 icloud.com 8,504 users
#7 yahoo.fr 4,118 users
#8 live.fr 3,711 users
#9 free.fr 3,583 users
#10 hotmail.it 3,483 users
#11 orange.fr 3,461 users
#12 libero.it 3,350 users
#13 hotmail.co.uk 3,072 users
#14 live.com 2,784 users
#15 sfr.fr 1,610 users
#16 aol.com 1,588 users
#17 msn.com 1,349 users
#18 alice.it 1,261 users
#19 yahoo.com.br 1,191 users
#20 laposte.net 1,168 users
#21 me.com 1,152 users
#22 yahoo.it 1,049 users
#23 neuf.fr 1,041 users
#24 mail.com 918 users
#25 ymail.com 891 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Generic Stealer 13,609machines
#2 Acreed 3,908machines
#3 Lumma 566machines
#4 Raccoon 144machines

Anti-virus Coverage

#1 Windows Defender 1machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 86,697hits
#2 sso 20,774hits
#3 zoom 4,362hits
#4 github 4,205hits
#5 adfs 2,358hits
#6 webmail 2,309hits
#7 oracle 1,186hits
#8 zendesk 1,026hits
#9 sap 931hits
#10 owa 840hits
#11 sts 818hits
#12 ping 790hits
#13 vpn 749hits
#14 ftp 556hits
#15 cpanel 548hits
#16 imap 546hits
#17 extranet 483hits
#18 okta 473hits
#19 salesforce 466hits
#20 webex 340hits
#21 st 323hits
#22 roundcube 309hits
#23 kaspersky 263hits
#24 gitlab 222hits
#25 zimbra 216hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

May 4 → May 11, 2026 12 min

Infostealers Weekly Report: 2026-05-04 – 2026-05-11

16K machines
4K users
200K domains

View report →

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Discord

Spotify

Roblox

Snapchat

Pinterest

Twitch

Twitter

PayPal

Wish

Disney

Zoom

LinkedIn

Mega

Xiaomi

Waze

Alibaba

Mercadolibre

Email domains tied to compromised credentials

Stealer families & anti-virus coverage

Stealer Families

Anti-virus Coverage

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

Infostealers Weekly Report: 2026-05-04 – 2026-05-11

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Discord

Spotify

Roblox

Snapchat

Pinterest

Twitch

Twitter

PayPal

Wish

Disney

Zoom

LinkedIn

Mega

Xiaomi

Waze

Alibaba

Mercadolibre

Email domains tied to compromised credentials

Where saved sessions and logins lived

Stealer families & anti-virus coverage

Stealer Families

Anti-virus Coverage

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

Infostealers Weekly Report: 2026-05-04 – 2026-05-11