Infostealers Weekly Report: 2026-06-15 – 2026-06-22
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 3,619
- #2 France 799
- #3 Spain 631
- #4 United States of America 579
- #5 United Kingdom 523
- #6 Indonesia 379
- #7 Bangladesh 257
- #8 Pakistan 228
- #9 Brazil 215
- #10 Philippines 215
- #11 Vietnam 192
- #12 Egypt 172
- #13 Unknown Region 170
- #14 China 92
- #15 Germany 83
- #16 South Africa 79
- #17 Mexico 72
- #18 Peru 66
- #19 Morocco 64
- #20 Sri Lanka 58
- #21 Japan 57
- #22 Nepal 53
- #23 Ghana 52
- #24 Colombia 51
- #25 Turkey 50
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 11,282 users
- #2 facebook.com 7,929 users
- #3 live.com 7,396 users
- #4 instagram.com 6,032 users
- #5 com.facebook.katana 4,551 users
- #6 netflix.com 4,216 users
- #7 com.instagram.android 4,125 users
- #8 discord.com 4,118 users
- #9 amazon.com 3,938 users
- #10 roblox.com 3,118 users
- #11 steampowered.com 3,064 users
- #12 microsoftonline.com 2,973 users
- #13 com.netflix.mediaclient 2,915 users
- #14 paypal.com 2,903 users
- #15 apple.com 2,748 users
- #16 linkedin.com 2,475 users
- #17 spotify.com 2,427 users
- #18 twitch.tv 2,393 users
- #19 twitter.com 2,343 users
- #20 openai.com 2,308 users
- #21 amazon.in 2,284 users
- #22 epicgames.com 2,176 users
- #23 com.snapchat.android 2,028 users
- #24 riotgames.com 1,990 users
- #25 github.com 1,976 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 icicibank.com 129 employees
- #2 hostinger.com 108 employees
- #3 rediff.com 85 employees
- #4 bobibanking.com 57 employees
- #5 firstmail.ltd 52 employees
- #6 unionbankonline.co.in 51 employees
- #7 confused.com 46 employees
- #8 android 44 employees
- #9 netpnb.com 43 employees
- #10 163.com 42 employees
- #11 indusind.com 33 employees
- #12 pnbibanking.in 33 employees
- #13 icai.org 32 employees
- #14 njoyn.com 31 employees
- #15 wp.pl 29 employees
- #16 santander.com.br 25 employees
- #17 qq.com 24 employees
- #18 secureserver.net 22 employees
- #19 mail.gov.in 22 employees
- #20 rmunify.com 21 employees
- #21 bankofbaroda.bank.in 20 employees
- #22 mcd.com 17 employees
- #23 fednetbank.com 17 employees
- #24 syrahost.com 17 employees
- #25 atlassian.com 17 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 16 employees
- #2 salesforce.com 11 employees
- #3 rockwellautomation.com 8 employees
- #4 publix.com 4 employees
- #5 honeywell.com 4 employees
- #6 cognizant.com 3 employees
- #7 statestreet.com 3 employees
- #8 nike.com 2 employees
- #9 pepsico.com 2 employees
- #10 oracle.com 2 employees
- #11 cbre.com 2 employees
- #12 ibm.com 2 employees
- #13 hp.com 2 employees
- #14 xerox.com 2 employees
- #15 firstam.com 1 employee
- #16 nscorp.com 1 employee
- #17 apple.com 1 employee
- #18 dish.com 1 employee
- #19 gm.com 1 employee
- #20 essendant.com 1 employee
Compromised users
- #1 google.com 11,282 users
- #2 facebook.com 7,929 users
- #3 netflix.com 4,216 users
- #4 amazon.com 3,938 users
- #5 paypal.com 2,903 users
- #6 apple.com 2,748 users
- #7 hp.com 535 users
- #8 oracle.com 492 users
- #9 ebay.com 444 users
- #10 nike.com 412 users
- #11 microsoft.com 326 users
- #12 cisco.com 270 users
- #13 ups.com 256 users
- #14 ibm.com 200 users
- #15 walmart.com 200 users
- #16 fedex.com 135 users
- #17 broadcom.com 128 users
- #18 target.com 127 users
- #19 adp.com 123 users
- #20 bestbuy.com 117 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 4,551 users
- 4,125 users
- Netflix 2,915 users
- Snapchat 2,028 users
- Spotify 1,913 users
- Discord 1,834 users
- Roblox 1,784 users
- 1,619 users
- 1,218 users
- Twitch 1,162 users
- PayPal 770 users
- Zoom 720 users
- 706 users
- Wish 688 users
- Xiaomi 674 users
- Disney 558 users
- Mega 550 users
- Alibaba 299 users
- Waze 269 users
- Mercadolibre 166 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond: providers seen across this week's stealer logs.
- #1 gmail.com 520,628 users
- #2 hotmail.com 42,091 users
- #3 yahoo.com 15,942 users
- #4 outlook.com 10,706 users
- #5 hotmail.fr 6,416 users
- #6 icloud.com 4,750 users
- #7 hotmail.co.uk 4,750 users
- #8 yahoo.fr 3,062 users
- #9 free.fr 2,447 users
- #10 orange.fr 2,216 users
- #11 live.com 2,148 users
- #12 googlemail.com 1,740 users
- #13 live.fr 1,523 users
- #14 hotmail.es 1,401 users
- #15 msn.com 1,221 users
- #16 yahoo.co.uk 1,175 users
- #17 laposte.net 1,157 users
- #18 aol.com 1,126 users
- #19 ymail.com 629 users
- #20 sfr.fr 540 users
- #21 hotmail.it 529 users
- #22 mail.com 514 users
- #23 proton.me 484 users
- #24 yahoo.co.id 447 users
- #25 web.de 408 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 13,514 machines
- #2 Acreed 1,886 machines
- #3 Lumma 221 machines
Anti-virus Coverage
- #1 Windows Defender 6,358 machines
- #2 None 872 machines
- #3 Avast 54 machines
- #4 Kaspersky 26 machines
- #5 Malwarebytes 20 machines
- #6 ESET 20 machines
- #7 Avast, Norton 18 machines
- #8 Avast, AVG 14 machines
- #9 Bitdefender 3 machines
- #10 ESET, Malwarebytes 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 59,950 hits
- #2 sso 14,426 hits
- #3 zoom 3,500 hits
- #4 github 3,380 hits
- #5 adfs 1,780 hits
- #6 webmail 1,594 hits
- #7 oracle 1,102 hits
- #8 sts 927 hits
- #9 sap 844 hits
- #10 zendesk 714 hits
- #11 ping 630 hits
- #12 vpn 552 hits
- #13 owa 538 hits
- #14 ftp 480 hits
- #15 salesforce 403 hits
- #16 cpanel 384 hits
- #17 okta 355 hits
- #18 webex 291 hits
- #19 st 287 hits
- #20 kaspersky 276 hits
- #21 extranet 250 hits
- #22 imap 232 hits
- #23 roundcube 187 hits
- #24 twilio 158 hits
- #25 gitlab 132 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.