Weekly intelligence May 27 – Jun 2, 2019 11 min read

Infostealers Weekly Report: 2019-05-27 – 2019-06-02

InfoStealers Weekly Report – In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in…

#1 0 Compromised Machines

#2 0 Compromised Employees

#3 0 Compromised Users

#4 0 Compromised Androids

#5 0 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 156

Infections by country

Top 25 countries

#1 Brazil 1,378
#2 India 923
#3 Indonesia 521
#4 Algeria 452
#5 Egypt 378
#6 Turkey 301
#7 Germany 293
#8 Pakistan 249
#9 Morocco 202
#10 Vietnam 196
#11 United Kingdom 188
#12 Argentina 186
#13 Philippines 182
#14 Hungary 176
#15 Romania 174
#16 Bangladesh 167
#17 Peru 127
#18 Canada 125
#19 Chile 124
#20 Iraq 110
#21 Ukraine 98
#22 Thailand 82
#23 Nepal 74
#24 Ecuador 71
#25 Australia 69

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 5,696 users
#2 facebook.com 5,039 users
#3 live.com 2,766 users
#4 twitter.com 1,382 users
#5 mega.nz 1,121 users
#6 netflix.com 1,110 users
#7 1,025 users
#8 instagram.com 1,023 users
#9 yahoo.com 953 users
#10 paypal.com 924 users
#11 roblox.com 889 users
#12 discordapp.com 881 users
#13 epicgames.com 818 users
#14 192.168.1.1 774 users
#15 linkedin.com 731 users
#16 steampowered.com 717 users
#17 amazon.com 689 users
#18 steamcommunity.com 634 users
#19 com.facebook.katana 601 users
#20 dropbox.com 576 users
#21 twitch.tv 567 users
#22 apple.com 553 users
#23 com.netflix.mediaclient 457 users
#24 chrome://FirefoxAccounts 456 users
#25 192.168.0.1 435 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 rediff.com 29 employees
#2 freemail.hu 29 employees
#3 POP3://pop.gmail.com:995 26 employees
#4 abv.bg 15 employees
#5 icicibank.com 15 employees
#6 ig.com.br 14 employees
#7 citromail.hu 13 employees
#8 telecom.pt 13 employees
#9 POP3://[email protected]:0 11 employees
#10 POP3://[email protected]:0 11 employees
#11 uol.com.br 11 employees
#12 yandex.com.tr 10 employees
#13 accenture.com 10 employees
#14 i.ua 10 employees
#15 mail.bg 9 employees
#16 onlinesbi.com 9 employees
#17 POP3://mail.pokharaph.com:0 9 employees
#18 sapo.pt 9 employees
#19 9 employees
#20 SMTP://mail.pokharaph.com:465 9 employees
#21 freenet.de 8 employees
#22 inbox.lv 8 employees
#23 nbg.gr 7 employees
#24 sp.gov.br 7 employees
#25 sgcpanel.com 7 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 bakerhughes.com 1 employees
#2 viacom.com 1 employees
#3 emerson.com 1 employees
#4 hp.com 1 employees
#5 halliburton.com 1 employees
#6 pepsico.com 1 employees
#7 cognizant.com 1 employees
#8 harman.com 1 employees
#9 xerox.com 1 employees

Compromised users

#1 google.com 5,696 users
#2 facebook.com 5,039 users
#3 netflix.com 1,110 users
#4 paypal.com 924 users
#5 amazon.com 689 users
#6 apple.com 553 users
#7 ebay.com 295 users
#8 oracle.com 77 users
#9 hp.com 43 users
#10 microsoft.com 28 users
#11 westernunion.com 26 users
#12 americanexpress.com 22 users
#13 walmart.com 19 users
#14 salesforce.com 17 users
#15 nike.com 16 users
#16 ups.com 14 users
#17 capitalone.com 14 users
#18 cisco.com 14 users
#19 ibm.com 13 users
#20 visa.com 9 users

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 6,053hits
#2 sso 1,953hits
#3 imap 669hits
#4 webmail 599hits
#5 owa 361hits
#6 adfs 296hits
#7 ftp 220hits
#8 sap 195hits
#9 github 192hits
#10 oracle 172hits
#11 zendesk 168hits
#12 cpanel 163hits
#13 st 109hits
#14 sts 103hits
#15 kaspersky 89hits
#16 extranet 76hits
#17 vpn 67hits
#18 zoom 51hits
#19 ping 45hits
#20 citrix 42hits
#21 salesforce 30hits
#22 jira 27hits
#23 gitlab 19hits
#24 webex 18hits
#25 bitbucket 17hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

May 4 → May 11, 2026 12 min

Infostealers Weekly Report: 2026-05-04 – 2026-05-11

16K machines
4K users
200K domains

View report →