Weekly intelligence Nov 11 – Nov 18, 2024 11 min read

Infostealers Weekly Report: 2024-11-11 – 2024-11-18

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 2,302 Compromised Machines

#2 458 Compromised Employees

#3 660 Compromised Users

#4 1,184 Compromised Androids

#5 31,681 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 114

Infections by country

Top 25 countries

#1 India 223
#2 Brazil 130
#3 Vietnam 127
#4 Indonesia 110
#5 Philippines 63
#6 Pakistan 55
#7 Egypt 53
#8 Argentina 40
#9 South Africa 32
#10 Romania 30
#11 Turkey 30
#12 Bangladesh 27
#13 Colombia 26
#14 Algeria 26
#15 Thailand 25
#16 United States of America 24
#17 South Korea 24
#18 Peru 22
#19 Mexico 22
#20 Kenya 19
#21 Malaysia 19
#22 Morocco 19
#23 Hungary 17
#24 Chile 15
#25 Serbia 14

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 1,451 users
#2 facebook.com 1,254 users
#3 live.com 1,046 users
#4 instagram.com 626 users
#5 com.facebook.katana 597 users
#6 discord.com 553 users
#7 netflix.com 551 users
#8 roblox.com 474 users
#9 com.instagram.android 459 users
#10 com.netflix.mediaclient 417 users
#11 amazon.com 407 users
#12 steampowered.com 395 users
#13 twitter.com 373 users
#14 apple.com 369 users
#15 microsoftonline.com 353 users
#16 paypal.com 346 users
#17 linkedin.com 306 users
#18 com.roblox.client 299 users
#19 spotify.com 293 users
#20 192.168.1.1 275 users
#21 com.spotify.music 271 users
#22 yahoo.com 271 users
#23 twitch.tv 268 users
#24 mega.nz 268 users
#25 epicgames.com 256 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 icicibank.com 31 employees
#2 rediff.com 11 employees
#3 hostinger.com 8 employees
#4 firstmail.ltd 8 employees
#5 icai.org 7 employees
#6 idbibank.co.in 6 employees
#7 concentrix.com 5 employees
#8 dfintech.club 5 employees
#9 sapo.pt 5 employees
#10 qq.com 5 employees
#11 titan.email 4 employees
#12 accenture.com 4 employees
#13 buenosaires.gob.ar 4 employees
#14 jatengprov.go.id 4 employees
#15 unitedauto.in 4 employees
#16 uol.com.br 4 employees
#17 alxswe.com 4 employees
#18 login.sp.gov.br 4 employees
#19 bni.co.id 4 employees
#20 rediffmailpro.com 3 employees
#21 bluehost.com 3 employees
#22 mahkamahagung.go.id 3 employees
#23 ousl.lk 3 employees
#24 pa-tolitoli.go.id 3 employees
#25 skole.hr 3 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 rockwellautomation.com 2 employees
#2 oracle.com 1 employees
#3 parker.com 1 employees
#4 emerson.com 1 employees

Compromised users

#1 google.com 1,451 users
#2 facebook.com 1,254 users
#3 netflix.com 551 users
#4 amazon.com 407 users
#5 apple.com 369 users
#6 paypal.com 346 users
#7 ebay.com 69 users
#8 hp.com 54 users
#9 nike.com 53 users
#10 microsoft.com 42 users
#11 oracle.com 38 users
#12 cisco.com 21 users
#13 walmart.com 14 users
#14 westernunion.com 13 users
#15 fedex.com 12 users
#16 ibm.com 11 users
#17 americanexpress.com 10 users
#18 capitalone.com 9 users
#19 bestbuy.com 9 users
#20 adp.com 8 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

597 users

Instagram

instagram.com · com.instagram.android

459 users

Netflix

netflix.com · com.netflix.mediaclient

417 users

Roblox

roblox.com · com.roblox.client

299 users

Spotify

spotify.com · com.spotify.music

271 users

Discord

discord.com · com.discord

250 users

pinterest.com · com.pinterest

230 users

Twitter

twitter.com · com.twitter.android

186 users

Snapchat

snapchat.com · com.snapchat.android

181 users

#10

Twitch

app.com · tv.twitch.android.app

167 users

#11

Wish

contextlogic.com · com.contextlogic.wish

112 users

#12

PayPal

paypal.com · com.paypal.android.p2pmobile

108 users

#13

Mega

app.com · mega.privacy.android.app

104 users

#14

Mercadolibre

mercadolibre.com · com.mercadolibre

86 users

#15

Zoom

videomeetings.com · us.zoom.videomeetings

85 users

#16

linkedin.com · com.linkedin.android

84 users

#17

Xiaomi

xiaomi.com · com.xiaomi.account

72 users

#18

Disney

disney.com · com.disney.disneyplus

69 users

#19

Alibaba

alibaba.com · com.alibaba.aliexpresshd

61 users

#20

Waze

waze.com · com.waze

59 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 58,995 users
#2 hotmail.com 4,200 users
#3 yahoo.com 3,493 users
#4 outlook.com 1,644 users
#5 ymail.com 402 users
#6 icloud.com 334 users
#7 yahoo.co.id 236 users
#8 live.com 125 users
#9 att.net 97 users
#10 orange.fr 67 users
#11 libero.it 61 users
#12 aol.com 54 users
#13 hotmail.es 50 users
#14 terra.com.br 46 users
#15 yahoo.com.br 46 users
#16 yahoo.co.in 40 users
#17 gmx.com 38 users
#18 mail.com 32 users
#19 yahoo.fr 30 users
#20 hanmail.net 29 users
#21 yahoo.co.uk 29 users
#22 hotmail.fr 26 users
#23 hotmail.com.ar 22 users
#24 comcast.net 20 users
#25 proton.me 19 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Lumma 1,515machines
#2 Generic Stealer 553machines
#3 StealC 233machines
#4 DarkCrystal 1machines

Anti-virus Coverage

#1 Windows Defender 617machines
#2 Windows Defender [ON] 416machines
#3 None 80machines
#4 Reason Cybersecurity 69machines
#5 360 Total Security 17machines
#6 Quick Heal Total Security 14machines
#7 Reason Cybersecurity [OFF] 5machines
#8 알약 5machines
#9 Avast Antivirus 4machines
#10 Total AV [OFF] 3machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 6,441hits
#2 sso 1,754hits
#3 zoom 477hits
#4 github 292hits
#5 webmail 145hits
#6 adfs 140hits
#7 sap 114hits
#8 owa 98hits
#9 zendesk 93hits
#10 oracle 81hits
#11 vpn 49hits
#12 ping 48hits
#13 imap 46hits
#14 sts 39hits
#15 kaspersky 29hits
#16 cpanel 24hits
#17 webex 23hits
#18 roundcube 22hits
#19 okta 20hits
#20 st 19hits
#21 ftp 18hits
#22 twilio 15hits
#23 extranet 13hits
#24 citrix 12hits
#25 rlogin 9hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

May 4 → May 11, 2026 12 min

Infostealers Weekly Report: 2026-05-04 – 2026-05-11

16K machines
4K users
200K domains

View report →

Infostealers Weekly Report: 2024-11-11 – 2024-11-18

Where infections came from

Where users had active sessions

Employees caught in the logs