Infostealers Weekly Report: 2024-04-29 – 2024-05-06
This weekly report provides insight into the most pressing infostealer threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. We analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of infostealer infections.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 Brazil 2,202
- #2 Turkey 2,143
- #3 Indonesia 1,943
- #4 India 1,924
- #5 Egypt 1,712
- #6 Thailand 1,614
- #7 Pakistan 1,360
- #8 Argentina 1,179
- #9 Mexico 1,111
- #10 Vietnam 934
- #11 Colombia 911
- #12 Philippines 897
- #13 Bangladesh 838
- #14 Peru 779
- #15 United States of America 758
- #16 Algeria 705
- #17 Spain 684
- #18 Russia 556
- #19 Germany 509
- #20 Chile 504
- #21 Taiwan 481
- #22 Morocco 470
- #23 Venezuela 449
- #24 Italy 440
- #25 France 383
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 49,188 users
- #2 facebook.com 44,503 users
- #3 live.com 41,911 users
- #4 instagram.com 24,014 users
- #5 com.facebook.katana 22,723 users
- #6 discord.com 21,691 users
- #7 netflix.com 20,361 users
- #8 roblox.com 17,308 users
- #9 steampowered.com 17,186 users
- #10 amazon.com 17,110 users
- #11 twitter.com 16,271 users
- #12 com.instagram.android 15,874 users
- #13 com.netflix.mediaclient 14,793 users
- #14 paypal.com 13,606 users
- #15 microsoftonline.com 13,049 users
- #16 twitch.tv 12,297 users
- #17 apple.com 12,268 users
- #18 spotify.com 11,829 users
- #19 mega.nz 11,719 users
- #20 epicgames.com 11,414 users
- #21 192.168.1.1 11,367 users
- #22 riotgames.com 11,342 users
- #23 linkedin.com 11,191 users
- #24 com.roblox.client 10,008 users
- #25 steamcommunity.com 10,007 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 249 employees
- #2 icicibank.com 182 employees
- #3 watchit.com 165 employees
- #4 wp.pl 149 employees
- #5 banquemisr.com 141 employees
- #6 163.com 141 employees
- #7 buenosaires.gob.ar 139 employees
- #8 rediff.com 136 employees
- #9 firstmail.ltd 130 employees
- #10 qq.com 126 employees
- #11 laureate.net 120 employees
- #12 secop.gov.co 113 employees
- #13 aruba.it 111 employees
- #14 mail.tm 111 employees
- #15 abv.bg 102 employees
- #16 alxswe.com 100 employees
- #17 yandex.com.tr 87 employees
- #18 netpnb.com 83 employees
- #19 telecom.pt 72 employees
- #20 pec.it 72 employees
- #21 utp.edu.pe 69 employees
- #22 tim.it 65 employees
- #23 freemail.hu 65 employees
- #24 inacap.cl 63 employees
- #25 ionos.com 62 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 42 employees
- #2 rockwellautomation.com 37 employees
- #3 ibm.com 10 employees
- #4 cisco.com 8 employees
- #5 google.com 8 employees
- #6 netflix.com 7 employees
- #7 publix.com 6 employees
- #8 fedex.com 6 employees
- #9 lear.com 5 employees
- #10 cablevision.com 5 employees
- #11 xerox.com 5 employees
- #12 micron.com 4 employees
- #13 gm.com 4 employees
- #14 cbre.com 4 employees
- #15 cognizant.com 4 employees
- #16 verizon.com 4 employees
- #17 ryder.com 3 employees
- #18 arrow.com 3 employees
- #19 supervalu.com 3 employees
- #20 apple.com 3 employees
Compromised users
- #1 google.com 49,466 users
- #2 facebook.com 44,750 users
- #3 netflix.com 20,485 users
- #4 amazon.com 17,201 users
- #5 paypal.com 13,666 users
- #6 apple.com 12,332 users
- #7 ebay.com 2,488 users
- #8 hp.com 1,850 users
- #9 microsoft.com 1,771 users
- #10 oracle.com 1,720 users
- #11 nike.com 1,595 users
- #12 cisco.com 1,366 users
- #13 ibm.com 590 users
- #14 ups.com 587 users
- #15 walmart.com 544 users
- #16 westernunion.com 511 users
- #17 intel.com 378 users
- #18 fedex.com 329 users
- #19 bestbuy.com 253 users
- #20 adp.com 222 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 22,853 users
- 15,966 users
- Netflix 14,889 users
- Roblox 10,069 users
- Discord 10,051 users
- Spotify 8,425 users
- Twitch 8,381 users
- 6,831 users
- Snapchat 6,388 users
- Disney 4,312 users
- PayPal 4,245 users
- 3,972 users
- Wish 3,803 users
- Zoom 3,699 users
- Mega 3,337 users
- Mercadolibre 3,237 users
- 3,098 users
- Xiaomi 2,589 users
- Waze 2,418 users
- Alibaba 2,367 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 2,045,117 users
- #2 hotmail.com 278,979 users
- #3 yahoo.com 81,642 users
- #4 outlook.com 57,968 users
- #5 icloud.com 13,623 users
- #6 live.com 9,675 users
- #7 mail.ru 6,903 users
- #8 hotmail.es 5,821 users
- #9 msn.com 5,522 users
- #10 web.de 5,411 users
- #11 yahoo.fr 4,707 users
- #12 mail.com 4,692 users
- #13 yahoo.com.br 4,642 users
- #14 aol.com 4,329 users
- #15 gmx.de 4,288 users
- #16 hotmail.fr 4,227 users
- #17 hotmail.co.uk 4,131 users
- #18 hotmail.it 3,757 users
- #19 libero.it 3,693 users
- #20 googlemail.com 3,676 users
- #21 yahoo.com.ar 3,601 users
- #22 yahoo.co.jp 2,456 users
- #23 yahoo.co.id 2,386 users
- #24 ymail.com 2,334 users
- #25 bk.ru 1,959 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 RedLine 37,422 machines
- #2 StealC 16,348 machines
- #3 Generic Stealer 14,613 machines
- #4 Lumma 3,324 machines
- #5 DarkCrystal 1,068 machines
Anti-virus Coverage
- #1 Windows Defender 36,165 machines
- #2 Reason Cybersecurity 1,821 machines
- #3 360 Total Security 1,460 machines
- #4 Avast Antivirus 1,337 machines
- #5 McAfee 569 machines
- #6 McAfee Firewall 560 machines
- #7 McAfee VirusScan 487 machines
- #8 ESET Security 354 machines
- #9 AVG Antivirus 299 machines
- #10 Kaspersky 221 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 225,228 hits
- #2 sso 59,322 hits
- #3 zoom 20,046 hits
- #4 github 10,647 hits
- #5 webmail 7,682 hits
- #6 adfs 6,380 hits
- #7 oracle 3,523 hits
- #8 sap 3,128 hits
- #9 owa 3,107 hits
- #10 zendesk 3,100 hits
- #11 ping 2,356 hits
- #12 vpn 2,276 hits
- #13 sts 2,208 hits
- #14 cpanel 2,045 hits
- #15 webex 1,572 hits
- #16 kaspersky 1,464 hits
- #17 ftp 1,414 hits
- #18 extranet 1,405 hits
- #19 st 1,181 hits
- #20 roundcube 953 hits
- #21 imap 945 hits
- #22 salesforce 859 hits
- #23 okta 847 hits
- #24 twilio 514 hits
- #25 gitlab 447 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.