Weekly intelligence Mar 17 – Mar 24, 2025 11 min read

Infostealers Weekly Report: 2025-03-17 – 2025-03-24

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 2,487 Compromised Machines

#2 531 Compromised Employees

#3 560 Compromised Users

#4 1,396 Compromised Androids

#5 31,891 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 99

Infections by country

Top 25 countries

#1 India 210
#2 Vietnam 101
#3 Philippines 95
#4 Bangladesh 83
#5 Brazil 81
#6 Pakistan 71
#7 Argentina 62
#8 Indonesia 59
#9 Egypt 38
#10 Turkey 34
#11 Thailand 32
#12 South Africa 30
#13 Mexico 29
#14 Sri Lanka 26
#15 Romania 23
#16 Colombia 23
#17 Saudi Arabia 22
#18 Morocco 22
#19 Portugal 22
#20 United Arab Emirates 20
#21 Kenya 17
#22 Serbia 15
#23 Hungary 15
#24 Malaysia 15
#25 South Korea 13

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 1,673 users
#2 facebook.com 1,412 users
#3 live.com 1,205 users
#4 instagram.com 775 users
#5 com.facebook.katana 752 users
#6 netflix.com 648 users
#7 discord.com 646 users
#8 amazon.com 566 users
#9 com.instagram.android 528 users
#10 steampowered.com 521 users
#11 roblox.com 486 users
#12 com.netflix.mediaclient 455 users
#13 twitter.com 434 users
#14 paypal.com 429 users
#15 apple.com 391 users
#16 microsoftonline.com 379 users
#17 spotify.com 363 users
#18 linkedin.com 350 users
#19 192.168.1.1 343 users
#20 mega.nz 321 users
#21 epicgames.com 319 users
#22 yahoo.com 315 users
#23 com.spotify.music 304 users
#24 com.roblox.client 290 users
#25 192.168.0.1 288 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 rediff.com 18 employees
#2 icicibank.com 13 employees
#3 hostinger.com 13 employees
#4 abv.bg 8 employees
#5 telecom.pt 8 employees
#6 unionbankonline.co.in 6 employees
#7 dev-shakib2580.pantheonsite.io 6 employees
#8 watchit.com 6 employees
#9 freemail.hu 6 employees
#10 mail.bg 6 employees
#11 policiamisiones.gob.ar 5 employees
#12 comprandoengrupo.net 5 employees
#13 concentrix.com 5 employees
#14 atlassian.com 5 employees
#15 daplogistics.vn 5 employees
#16 kiu.ac.ug 5 employees
#17 ttutc.com 4 employees
#18 cosmoscures.com 4 employees
#19 zsthost.com 4 employees
#20 firstmail.ltd 4 employees
#21 mweb.co.za 4 employees
#22 violet.vn 4 employees
#23 autoincharge.com 4 employees
#24 nos.pt 4 employees
#25 aci-bd.com 4 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 microsoft.com 1 employees
#2 c-a-m.com 1 employees
#3 rockwellautomation.com 1 employees

Compromised users

#1 google.com 1,673 users
#2 facebook.com 1,412 users
#3 netflix.com 648 users
#4 amazon.com 566 users
#5 paypal.com 429 users
#6 apple.com 391 users
#7 ebay.com 90 users
#8 hp.com 66 users
#9 cisco.com 48 users
#10 oracle.com 47 users
#11 microsoft.com 46 users
#12 nike.com 44 users
#13 ibm.com 13 users
#14 westernunion.com 13 users
#15 intel.com 12 users
#16 walmart.com 9 users
#17 fedex.com 8 users
#18 ti.com 7 users
#19 salesforce.com 7 users
#20 americanexpress.com 6 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

752 users

Instagram

instagram.com · com.instagram.android

528 users

Netflix

netflix.com · com.netflix.mediaclient

455 users

Spotify

spotify.com · com.spotify.music

304 users

Roblox

roblox.com · com.roblox.client

290 users

Discord

discord.com · com.discord

281 users

pinterest.com · com.pinterest

229 users

Twitter

twitter.com · com.twitter.android

222 users

Twitch

app.com · tv.twitch.android.app

201 users

#10

Snapchat

snapchat.com · com.snapchat.android

186 users

#11

Wish

contextlogic.com · com.contextlogic.wish

146 users

#12

PayPal

paypal.com · com.paypal.android.p2pmobile

142 users

#13

Mega

app.com · mega.privacy.android.app

120 users

#14

Zoom

videomeetings.com · us.zoom.videomeetings

115 users

#15

linkedin.com · com.linkedin.android

113 users

#16

Xiaomi

xiaomi.com · com.xiaomi.account

93 users

#17

Alibaba

alibaba.com · com.alibaba.aliexpresshd

78 users

#18

Disney

disney.com · com.disney.disneyplus

71 users

#19

Mercadolibre

mercadolibre.com · com.mercadolibre

68 users

#20

Waze

waze.com · com.waze

62 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 70,504 users
#2 hotmail.com 5,828 users
#3 yahoo.com 3,918 users
#4 outlook.com 1,016 users
#5 live.com 674 users
#6 yahoo.co.uk 645 users
#7 icloud.com 474 users
#8 yahoo.co.id 109 users
#9 gmx.com 101 users
#10 hotmail.com.ar 84 users
#11 yahoo.fr 74 users
#12 yahoo.com.br 64 users
#13 mail.com 55 users
#14 msn.com 44 users
#15 proton.me 39 users
#16 mail.ru 38 users
#17 ymail.com 38 users
#18 email.com 35 users
#19 live.com.mx 34 users
#20 live.com.ar 33 users
#21 googlemail.com 32 users
#22 hanmail.net 32 users
#23 yahoo.com.ph 30 users
#24 yahoo.co.in 29 users
#25 protonmail.com 28 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Generic Stealer 1,503machines
#2 Lumma 984machines

Anti-virus Coverage

#1 Windows Defender 1,084machines
#2 Windows Defender [ON] 126machines
#3 None 62machines
#4 Reason Cybersecurity 34machines
#5 Reason Cybersecurity [OFF] 5machines
#6 Malwarebytes [OFF] 4machines
#7 IObit Malware Fighter 2machines
#8 360 Total Security 2machines
#9 McAfee Security 2machines
#10 Avira Security 2machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 7,453hits
#2 sso 1,733hits
#3 zoom 665hits
#4 github 425hits
#5 webmail 398hits
#6 st 152hits
#7 adfs 121hits
#8 sap 117hits
#9 oracle 103hits
#10 vpn 93hits
#11 zendesk 82hits
#12 owa 80hits
#13 cpanel 70hits
#14 roundcube 61hits
#15 ping 57hits
#16 kaspersky 42hits
#17 ftp 39hits
#18 extranet 33hits
#19 sts 33hits
#20 webex 30hits
#21 salesforce 24hits
#22 okta 20hits
#23 gitlab 18hits
#24 jira 13hits
#25 zimbra 11hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

Jun 1 → Jun 8, 2026 13 min

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

16K machines
2K users
273K domains

View report →

May 25 → Jun 1, 2026 13 min

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

18K machines
4K users
259K domains

View report →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

Infostealers Weekly Report: 2025-03-17 – 2025-03-24

Where infections came from

Where users had active sessions

Employees caught in the logs