Infostealers Weekly Report: 2023-12-25 – 2024-01-01
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 Brazil 1,293
- #2 Argentina 885
- #3 Turkey 850
- #4 Egypt 724
- #5 Mexico 672
- #6 Pakistan 629
- #7 Philippines 602
- #8 Peru 584
- #9 Algeria 526
- #10 Colombia 515
- #11 Bangladesh 441
- #12 Chile 438
- #13 Thailand 414
- #14 Vietnam 368
- #15 Morocco 355
- #16 Venezuela 330
- #17 Iraq 299
- #18 Ecuador 296
- #19 Sri Lanka 283
- #20 Spain 268
- #21 Malaysia 255
- #22 Nigeria 251
- #23 India 237
- #24 United States of America 213
- #25 South Africa 205
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 24,540 users
-
#2
facebook.com 22,117 users
-
#3
live.com 20,668 users
-
#4
instagram.com 10,786 users
-
#5
com.facebook.katana 10,622 users
-
#6
netflix.com 9,963 users
-
#7
discord.com 9,518 users
-
#8
roblox.com 8,728 users
-
#9
amazon.com 7,939 users
-
#10
twitter.com 7,260 users
-
#11
com.netflix.mediaclient 7,070 users
-
#12
steampowered.com 7,047 users
-
#13
com.instagram.android 6,799 users
-
#14
mega.nz 6,442 users
-
#15
paypal.com 6,072 users
-
#16
microsoftonline.com 5,911 users
-
#17
twitch.tv 5,189 users
-
#18
apple.com 5,184 users
-
#19
linkedin.com 5,104 users
-
#20
spotify.com 5,031 users
-
#21
epicgames.com 4,727 users
-
#22
com.spotify.music 4,683 users
-
#23
com.roblox.client 4,613 users
-
#24
riotgames.com 4,595 users
-
#25
com.discord 4,468 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
wp.pl 97 employees
-
#2
hostinger.com 82 employees
-
#3
secureserver.net 66 employees
-
#4
sempreser.com.br 59 employees
-
#5
laureate.net 53 employees
-
#6
interia.pl 47 employees
-
#7
utp.edu.pe 47 employees
-
#8
yandex.com.tr 46 employees
-
#9
qq.com 45 employees
-
#10
ionos.com 39 employees
-
#11
buenosaires.gob.ar 38 employees
-
#12
aiou.edu.pk 38 employees
-
#13
freemail.hu 37 employees
-
#14
163.com 36 employees
-
#15
inacap.cl 36 employees
-
#16
alxswe.com 35 employees
-
#17
jcyl.es 35 employees
-
#18
sts.net.pk 35 employees
-
#19
santander.com.br 34 employees
-
#20
icicibank.com 34 employees
-
#21
secop.gov.co 33 employees
-
#22
syrahost.com 32 employees
-
#23
ovh.net 31 employees
-
#24
o2.pl 30 employees
-
#25
upc.edu.pe 30 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
rockwellautomation.com 29 employees
-
#2
microsoft.com 16 employees
-
#3
hp.com 10 employees
-
#4
ford.com 8 employees
-
#5
cisco.com 6 employees
-
#6
twc.com 4 employees
-
#7
-
#8
-
#9
emc.com 3 employees
-
#10
ups.com 3 employees
-
#11
cablevision.com 2 employees
-
#12
publix.com 2 employees
-
#13
-
#14
sanmina.com 1 employees
-
#15
walmart.com 1 employees
-
#16
ncr.com 1 employees
-
#17
pg.com 1 employees
-
#18
jpmorganchase.com 1 employees
-
#19
xerox.com 1 employees
-
#20
cognizant.com 1 employees
Compromised users
-
#1
-
#2
-
#3
-
#4
-
#5
-
#6
-
#7
ebay.com 1,084 users
-
#8
-
#9
oracle.com 924 users
-
#10
-
#11
-
#12
nike.com 521 users
-
#13
westernunion.com 270 users
-
#14
ibm.com 261 users
-
#15
-
#16
intel.com 208 users
-
#17
-
#18
adp.com 131 users
-
#19
fedex.com 129 users
-
#20
americanexpress.com 80 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
10,622 users
Netflix
7,070 users
6,799 users
Spotify
4,683 users
Roblox
4,613 users
Discord
4,468 users
3,939 users
Twitch
3,920 users
3,210 users
Snapchat
2,869 users
Wish
2,666 users
PayPal
2,175 users
Disney
2,134 users
Mercadolibre
2,010 users
Mega
1,715 users
Zoom
1,672 users
1,440 users
Waze
1,228 users
Alibaba
1,151 users
Xiaomi
1,054 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 1,761,124 users
-
#2
hotmail.com 243,963 users
-
#3
yahoo.com 79,241 users
-
#4
outlook.com 48,297 users
-
#5
hotmail.es 8,756 users
-
#6
-
#7
icloud.com 7,854 users
-
#8
mail.ru 4,487 users
-
#9
yahoo.fr 3,585 users
-
#10
yahoo.com.br 3,492 users
-
#11
yahoo.com.ar 3,315 users
-
#12
hotmail.fr 3,164 users
-
#13
msn.com 2,987 users
-
#14
googlemail.com 2,271 users
-
#15
ymail.com 2,177 users
-
#16
mail.com 2,093 users
-
#17
yandex.com 1,971 users
-
#18
hotmail.co.uk 1,819 users
-
#19
aol.com 1,677 users
-
#20
protonmail.com 1,493 users
-
#21
yahoo.co.uk 1,484 users
-
#22
email.com 1,386 users
-
#23
hotmail.com.ar 1,375 users
-
#24
hotmail.de 1,348 users
-
#25
bk.ru 1,282 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Lumma 31,892machines
- #2 RedLine 24,968machines
- #3 Generic Stealer 1,341machines
Anti-virus Coverage
- #1 Windows Defender 22,400machines
- #2 Reason Cybersecurity 764machines
- #3 360 Total Security 645machines
- #4 Avast Antivirus 537machines
- #5 McAfee Firewall 336machines
- #6 ESET Security 231machines
- #7 McAfee VirusScan 206machines
- #8 McAfee 185machines
- #9 AVG Antivirus 136machines
- #10 Kaspersky Internet Security 135machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 154,729hits
- #2 sso 35,528hits
- #3 zoom 15,617hits
- #4 github 8,573hits
- #5 webmail 6,454hits
- #6 adfs 3,803hits
- #7 oracle 3,331hits
- #8 zendesk 2,580hits
- #9 owa 2,334hits
- #10 cpanel 2,120hits
- #11 vpn 2,104hits
- #12 sap 2,063hits
- #13 ping 1,583hits
- #14 ftp 1,177hits
- #15 extranet 1,082hits
- #16 sts 1,056hits
- #17 roundcube 959hits
- #18 imap 945hits
- #19 st 899hits
- #20 kaspersky 872hits
- #21 webex 826hits
- #22 okta 668hits
- #23 twilio 447hits
- #24 gitlab 418hits
- #25 salesforce 241hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-06-08 – 2026-06-15
- 9K machines
- 2K users
- 125K domains
Infostealers Weekly Report: 2026-06-01 – 2026-06-08
- 16K machines
- 2K users
- 273K domains
Infostealers Weekly Report: 2026-05-25 – 2026-06-01
- 18K machines
- 4K users
- 259K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.