Infostealers Weekly Report: 2026-07-06 – 2026-07-13
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 India 4,157
- #2 United States of America 687
- #3 Bangladesh 507
- #4 Indonesia 258
- #5 Unknown Region 240
- #6 France 233
- #7 Philippines 214
- #8 China 161
- #9 Sri Lanka 134
- #10 Brazil 125
- #11 United Kingdom 125
- #12 Japan 120
- #13 Uganda 106
- #14 Italy 99
- #15 Pakistan 96
- #16 Kenya 93
- #17 Spain 83
- #18 South Africa 75
- #19 Germany 73
- #20 Tanzania 72
- #21 Nepal 69
- #22 Canada 61
- #23 Vietnam 59
- #24 South Korea 58
- #25 Malaysia 51
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 10,679 users
-
#2
facebook.com 7,354 users
-
#3
live.com 6,123 users
-
#4
instagram.com 6,045 users
-
#5
com.facebook.katana 5,296 users
-
#6
com.instagram.android 5,146 users
-
#7
amazon.com 3,610 users
-
#8
netflix.com 3,392 users
-
#9
amazon.in 3,313 users
-
#10
com.netflix.mediaclient 3,032 users
-
#11
linkedin.com 2,692 users
-
#12
com.snapchat.android 2,667 users
-
#13
discord.com 2,608 users
-
#14
openai.com 2,565 users
-
#15
microsoftonline.com 2,503 users
-
#16
apple.com 2,300 users
-
#17
paypal.com 2,127 users
-
#18
twitter.com 2,107 users
-
#19
github.com 2,095 users
-
#20
com.discord 1,942 users
-
#21
com.spotify.music 1,922 users
-
#22
roblox.com 1,869 users
-
#23
irctc.co.in 1,795 users
-
#24
spotify.com 1,794 users
-
#25
192.168.1.1 1,745 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
icicibank.com 198 employees
-
#2
hostinger.com 162 employees
-
#3
rediff.com 146 employees
-
#4
aruba.it 89 employees
-
#5
icai.org 89 employees
-
#6
firstmail.ltd 81 employees
-
#7
njoyn.com 65 employees
-
#8
bobibanking.com 63 employees
-
#9
netpnb.com 62 employees
-
#10
unionbankonline.co.in 61 employees
-
#11
wp.pl 50 employees
-
#12
ukr.net 49 employees
-
#13
polri.go.id 44 employees
-
#14
deped.gov.ph 41 employees
-
#15
tim.it 39 employees
-
#16
pnp.gov.ph 36 employees
-
#17
mdc.edu 34 employees
-
#18
lilt.com 34 employees
-
#19
winning-soft.com 32 employees
-
#20
pnbibanking.in 31 employees
-
#21
turbify.com 31 employees
-
#22
digimail.in 30 employees
-
#23
outlier.ai 30 employees
-
#24
amityonline.com 30 employees
-
#25
indiapost.gov.in 27 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
salesforce.com 24 employees
-
#2
microsoft.com 20 employees
-
#3
ups.com 7 employees
-
#4
twc.com 7 employees
-
#5
lear.com 4 employees
-
#6
publix.com 3 employees
-
#7
amazon.com 3 employees
-
#8
rockwellautomation.com 3 employees
-
#9
cigna.com 3 employees
-
#10
oracle.com 2 employees
-
#11
jpmorganchase.com 2 employees
-
#12
cognizant.com 2 employees
-
#13
frontier.com 2 employees
-
#14
hanes.com 2 employees
-
#15
facebook.com 1 employees
-
#16
bestbuy.com 1 employees
-
#17
jetblue.com 1 employees
-
#18
harman.com 1 employees
-
#19
visa.com 1 employees
-
#20
fedex.com 1 employees
Compromised users
-
#1
google.com 10,679 users
-
#2
facebook.com 7,354 users
-
#3
amazon.com 3,610 users
-
#4
netflix.com 3,392 users
-
#5
apple.com 2,300 users
-
#6
paypal.com 2,127 users
-
#7
oracle.com 701 users
-
#8
hp.com 579 users
-
#9
ebay.com 577 users
-
#10
microsoft.com 377 users
-
#11
cisco.com 362 users
-
#12
nike.com 329 users
-
#13
walmart.com 269 users
-
#14
ibm.com 268 users
-
#15
ups.com 223 users
-
#16
salesforce.com 184 users
-
#17
capitalone.com 178 users
-
#18
adp.com 172 users
-
#19
wellsfargo.com 143 users
-
#20
broadcom.com 143 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
5,296 users
5,146 users
Netflix
3,032 users
Snapchat
2,667 users
Discord
1,942 users
Spotify
1,922 users
Roblox
1,693 users
1,609 users
1,468 users
Zoom
1,111 users
1,025 users
Twitch
880 users
Xiaomi
879 users
PayPal
850 users
Mega
644 users
Wish
523 users
Disney
343 users
Alibaba
278 users
Waze
223 users
Mercadolibre
160 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 525,511 users
-
#2
hotmail.com 21,495 users
-
#3
yahoo.com 15,501 users
-
#4
outlook.com 9,550 users
-
#5
icloud.com 3,657 users
-
#6
hotmail.fr 3,220 users
-
#7
mail.ru 1,532 users
-
#8
yahoo.fr 1,289 users
-
#9
msn.com 1,256 users
-
#10
aol.com 1,193 users
-
#11
live.com 1,138 users
-
#12
web.de 1,107 users
-
#13
free.fr 1,089 users
-
#14
orange.fr 1,052 users
-
#15
libero.it 1,025 users
-
#16
yahoo.co.jp 840 users
-
#17
tiscali.it 757 users
-
#18
hotmail.co.uk 673 users
-
#19
hotmail.it 651 users
-
#20
yahoo.co.uk 592 users
-
#21
googlemail.com 584 users
-
#22
yahoo.it 537 users
-
#23
proton.me 481 users
-
#24
mail.com 481 users
-
#25
live.fr 477 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 13,684machines
- #2 Acreed 1,070machines
- #3 Lumma 17machines
- #4 RedLine 9machines
Anti-virus Coverage
- #1 Windows Defender 9,974machines
- #2 None 857machines
- #3 Kaspersky 59machines
- #4 Avast 41machines
- #5 Avast, Norton 35machines
- #6 Malwarebytes 20machines
- #7 ESET 19machines
- #8 Avast, AVG 13machines
- #9 Trend Micro 2machines
- #10 Avast Antivirus 1machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 56,338hits
- #2 sso 14,606hits
- #3 sap 8,156hits
- #4 zoom 4,270hits
- #5 github 3,978hits
- #6 webmail 1,341hits
- #7 oracle 1,329hits
- #8 adfs 1,264hits
- #9 salesforce 728hits
- #10 vpn 559hits
- #11 sts 527hits
- #12 ping 520hits
- #13 zendesk 461hits
- #14 webex 406hits
- #15 st 381hits
- #16 owa 348hits
- #17 cpanel 230hits
- #18 okta 196hits
- #19 ftp 191hits
- #20 imap 187hits
- #21 twilio 184hits
- #22 kaspersky 180hits
- #23 extranet 139hits
- #24 gitlab 104hits
- #25 roundcube 89hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-06-29 – 2026-07-06
- 22K machines
- 5K users
- 186K domains
Infostealers Weekly Report: 2026-06-22 – 2026-06-29
- 29K machines
- 5K users
- 343K domains
Infostealers Weekly Report: 2026-06-15 – 2026-06-22
- 16K machines
- 3K users
- 216K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.