Infostealers Weekly Report: 2025-03-24 – 2025-03-31
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 Brazil 873
- #2 India 832
- #3 France 696
- #4 Vietnam 674
- #5 United States of America 662
- #6 Philippines 537
- #7 Indonesia 469
- #8 Germany 446
- #9 Italy 382
- #10 United Kingdom 376
- #11 Turkey 359
- #12 Bangladesh 326
- #13 Spain 319
- #14 Pakistan 293
- #15 Argentina 286
- #16 Poland 280
- #17 Thailand 217
- #18 Romania 188
- #19 Mexico 184
- #20 Peru 168
- #21 Egypt 153
- #22 Colombia 149
- #23 Algeria 138
- #24 Malaysia 137
- #25 Netherlands 124
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 10,128 users
- #2 facebook.com 8,262 users
- #3 live.com 7,898 users
- #4 discord.com 5,862 users
- #5 roblox.com 5,193 users
- #6 instagram.com 5,065 users
- #7 netflix.com 4,750 users
- #8 com.facebook.katana 4,309 users
- #9 paypal.com 4,101 users
- #10 steampowered.com 4,071 users
- #11 amazon.com 3,688 users
- #12 twitch.tv 3,679 users
- #13 epicgames.com 3,297 users
- #14 com.instagram.android 3,137 users
- #15 steamcommunity.com 3,063 users
- #16 riotgames.com 3,052 users
- #17 twitter.com 3,024 users
- #18 com.netflix.mediaclient 2,972 users
- #19 apple.com 2,851 users
- #20 spotify.com 2,819 users
- #21 com.roblox.client 2,613 users
- #22 com.discord 2,483 users
- #23 rockstargames.com 2,296 users
- #24 microsoftonline.com 2,265 users
- #25 mega.nz 2,036 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 firstmail.ltd 94 employees
- #2 aruba.it 68 employees
- #3 wp.pl 64 employees
- #4 hostinger.com 51 employees
- #5 tim.it 48 employees
- #6 pec.it 43 employees
- #7 rediff.com 37 employees
- #8 icicibank.com 37 employees
- #9 onet.pl 24 employees
- #10 seznam.cz 22 employees
- #11 buenosaires.gob.ar 21 employees
- #12 rmunify.com 20 employees
- #13 mail.tm 20 employees
- #14 o2.pl 19 employees
- #15 deped.gov.ph 19 employees
- #16 concentrix.com 19 employees
- #17 confused.com 18 employees
- #18 163.com 17 employees
- #19 zsthost.com 16 employees
- #20 freemail.hu 15 employees
- #21 interia.pl 15 employees
- #22 unionbankonline.co.in 15 employees
- #23 naver.com 14 employees
- #24 kakao.com 14 employees
- #25 infocert.it 14 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 14 employees
- #2 amazon.com 5 employees
- #3 rockwellautomation.com 3 employees
- #4 hp.com 2 employees
- #5 ibm.com 2 employees
- #6 pepsico.com 2 employees
- #7 ups.com 2 employees
- #8 netflix.com 2 employees
- #9 publix.com 1 employee
- #10 wellcare.com 1 employee
- #11 jacobs.com 1 employee
- #12 chs.net 1 employee
- #13 jpmorganchase.com 1 employee
- #14 abbott.com 1 employee
- #15 ford.com 1 employee
- #16 twc.com 1 employee
- #17 salesforce.com 1 employee
- #18 bestbuy.com 1 employee
- #19 cognizant.com 1 employee
- #20 uhsinc.com 1 employee
Compromised users
- #1 google.com 10,128 users
- #2 facebook.com 8,262 users
- #3 netflix.com 4,750 users
- #4 paypal.com 4,101 users
- #5 amazon.com 3,688 users
- #6 apple.com 2,851 users
- #7 nike.com 508 users
- #8 ebay.com 507 users
- #9 hp.com 404 users
- #10 oracle.com 344 users
- #11 microsoft.com 310 users
- #12 ups.com 246 users
- #13 cisco.com 208 users
- #14 walmart.com 178 users
- #15 westernunion.com 146 users
- #16 fedex.com 120 users
- #17 ibm.com 106 users
- #18 intel.com 95 users
- #19 adp.com 95 users
- #20 bestbuy.com 75 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 Facebook (com.facebook.katana) 4,309 users
- #2 Instagram (com.instagram.android) 3,137 users
- #3 Netflix 2,972 users
- #4 Roblox 2,613 users
- #5 Discord 2,483 users
- #6 Twitch 2,022 users
- #7 (app name not captured) 1,969 users
- #8 Spotify 1,957 users
- #9 Snapchat 1,390 users
- #10 (app name not captured) 1,299 users
- #11 Wish 1,224 users
- #12 PayPal 1,092 users
- #13 Disney 849 users
- #14 Mega 695 users
- #15 Zoom 547 users
- #16 (app name not captured) 538 users
- #17 Xiaomi 516 users
- #18 Alibaba 440 users
- #19 Waze 431 users
- #20 Mercadolibre 415 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 523,153 users
- #2 hotmail.com 54,764 users
- #3 yahoo.com 20,575 users
- #4 outlook.com 14,910 users
- #5 icloud.com 5,629 users
- #6 web.de 5,057 users
- #7 hotmail.fr 4,989 users
- #8 live.com 2,738 users
- #9 hotmail.it 2,593 users
- #10 googlemail.com 2,491 users
- #11 hotmail.co.uk 2,248 users
- #12 libero.it 2,111 users
- #13 gmx.de 1,968 users
- #14 yahoo.fr 1,870 users
- #15 msn.com 1,635 users
- #16 alice.it 1,515 users
- #17 free.fr 1,466 users
- #18 orange.fr 1,465 users
- #19 live.fr 1,265 users
- #20 hotmail.es 1,211 users
- #21 aol.com 1,018 users
- #22 comcast.net 944 users
- #23 tiscali.it 923 users
- #24 yahoo.co.uk 887 users
- #25 yahoo.com.br 884 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Lumma 9,610 machines
- #2 Generic Stealer 4,416 machines
- #3 Vidar 597 machines
- #4 DarkCrystal 2 machines
Anti-virus Coverage
- #1 Windows Defender 3,316 machines
- #2 Disabled 597 machines
- #3 Windows Defender [ON] 433 machines
- #4 None 216 machines
- #5 Reason Cybersecurity 152 machines
- #6 Malwarebytes [OFF] 18 machines
- #7 Reason Cybersecurity [OFF] 16 machines
- #8 Bkav Pro Internet Security 14 machines
- #9 Avira Security 11 machines
- #10 Avast Antivirus 10 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 53,980 hits
- #2 sso 12,899 hits
- #3 zoom 2,969 hits
- #4 github 2,813 hits
- #5 sap 1,689 hits
- #6 webmail 1,561 hits
- #7 adfs 1,349 hits
- #8 oracle 916 hits
- #9 zendesk 799 hits
- #10 vpn 613 hits
- #11 sts 530 hits
- #12 ping 457 hits
- #13 cpanel 423 hits
- #14 owa 423 hits
- #15 extranet 306 hits
- #16 kaspersky 258 hits
- #17 ftp 254 hits
- #18 st 243 hits
- #19 imap 226 hits
- #20 roundcube 225 hits
- #21 webex 212 hits
- #22 okta 188 hits
- #23 salesforce 169 hits
- #24 twilio 115 hits
- #25 zimbra 99 hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.