Infostealers Weekly Report: 2025-04-14 – 2025-04-21
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 916
- #2 Brazil 453
- #3 Vietnam 420
- #4 United States of America 329
- #5 Indonesia 191
- #6 Poland 181
- #7 Pakistan 175
- #8 Philippines 175
- #9 France 156
- #10 Japan 149
- #11 Argentina 122
- #12 Spain 120
- #13 Bangladesh 113
- #14 Turkey 110
- #15 Egypt 104
- #16 Thailand 93
- #17 Colombia 84
- #18 Mexico 73
- #19 South Africa 66
- #20 Netherlands 60
- #21 South Korea 59
- #22 United Kingdom 57
- #23 Algeria 57
- #24 Peru 53
- #25 Morocco 51
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 5,862 users
- #2 facebook.com 4,442 users
- #3 netflix.com 3,293 users
- #4 live.com 3,235 users
- #5 instagram.com 2,391 users
- #6 spotify.com 2,004 users
- #7 amazon.com 1,875 users
- #8 com.facebook.katana 1,872 users
- #9 discord.com 1,828 users
- #10 twitter.com 1,499 users
- #11 roblox.com 1,456 users
- #12 com.instagram.android 1,400 users
- #13 microsoftonline.com 1,321 users
- #14 paypal.com 1,284 users
- #15 steampowered.com 1,268 users
- #16 zoom.us 1,257 users
- #17 com.netflix.mediaclient 1,161 users
- #18 apple.com 1,140 users
- #19 com.pinterest 1,087 users
- #20 linkedin.com 1,066 users
- #21 slack.com 1,062 users
- #22 twitch.tv 1,046 users
- #23 riotgames.com 984 users
- #24 github.com 971 users
- #25 com.spotify.music 964 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, identified via business email addresses and credentials found in the logs.
- #1 hostinger.com 46 employees
- #2 rediff.com 32 employees
- #3 intranet.local 32 employees
- #4 techsolutions.internal 31 employees
- #5 techwave.internal 31 employees
- #6 techwave.local 22 employees
- #7 icicibank.com 22 employees
- #8 wp.pl 20 employees
- #9 techsolutions.intern 20 employees
- #10 corpnet.intern 20 employees
- #11 example.com 20 employees
- #12 mail.tm 19 employees
- #13 techsolutions.local 18 employees
- #14 firstmail.ltd 17 employees
- #15 innovate.local 16 employees
- #16 techflow.intern 15 employees
- #17 tokyotech.local 13 employees
- #18 techintern.local 13 employees
- #19 atlassian.com 12 employees
- #20 network.intern 12 employees
- #21 techsol.local 12 employees
- #22 empresa.intern 12 employees
- #23 innovatech.intern 12 employees
- #24 corp.intern 12 employees
- #25 techflow.internal 12 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 netflix.com 5 employees
- #2 microsoft.com 4 employees
- #3 rockwellautomation.com 3 employees
- #4 salesforce.com 2 employees
- #5 cognizant.com 2 employees
- #6 qualcomm.com 1 employee
- #7 cisco.com 1 employee
- #8 emc.com 1 employee
- #9 google.com 1 employee
- #10 gs.com 1 employee
- #11 harman.com 1 employee
- #12 facebook.com 1 employee
- #13 jnj.com 1 employee
- #14 oracle.com 1 employee
Compromised users
- #1 google.com 5,862 users
- #2 facebook.com 4,442 users
- #3 netflix.com 3,293 users
- #4 amazon.com 1,875 users
- #5 paypal.com 1,284 users
- #6 apple.com 1,140 users
- #7 salesforce.com 817 users
- #8 microsoft.com 795 users
- #9 ebay.com 192 users
- #10 oracle.com 175 users
- #11 hp.com 142 users
- #12 nike.com 134 users
- #13 cisco.com 94 users
- #14 bankofamerica.com 88 users
- #15 wellsfargo.com 85 users
- #16 ups.com 51 users
- #17 westernunion.com 49 users
- #18 ibm.com 48 users
- #19 walmart.com 41 users
- #20 intel.com 37 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 Facebook (com.facebook.katana) 1,872 users
- #2 Instagram (com.instagram.android) 1,400 users
- #3 Netflix 1,161 users
- #4 Pinterest (com.pinterest) 1,087 users
- #5 Spotify 964 users
- #6 Discord 886 users
- #7 Roblox 861 users
- #8 Snapchat 628 users
- #9 Twitch 621 users
- #10 (app name not shown on page) 551 users
- #11 Wish 431 users
- #12 PayPal 312 users
- #13 Zoom 300 users
- #14 Mega 270 users
- #15 (app name not shown on page) 255 users
- #16 Disney 250 users
- #17 Xiaomi 206 users
- #18 Mercadolibre 185 users
- #19 Alibaba 174 users
- #20 Waze 141 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond: the email providers seen across this week's stealer logs.
- #1 gmail.com 203,630 users
- #2 hotmail.com 18,046 users
- #3 yahoo.com 6,998 users
- #4 outlook.com 4,768 users
- #5 icloud.com 1,386 users
- #6 live.com 1,111 users
- #7 hotmail.fr 762 users
- #8 msn.com 455 users
- #9 libero.it 422 users
- #10 live.fr 389 users
- #11 ymail.com 367 users
- #12 yahoo.fr 300 users
- #13 web.de 288 users
- #14 mail.com 284 users
- #15 mail.ru 260 users
- #16 hotmail.es 258 users
- #17 yahoo.co.id 253 users
- #18 yahoo.it 238 users
- #19 orange.fr 225 users
- #20 gmx.de 218 users
- #21 yahoo.com.br 185 users
- #22 proton.me 177 users
- #23 hotmail.it 175 users
- #24 yahoo.com.sg 121 users
- #25 yahoo.com.ar 117 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Lumma 5,228 machines
- #2 Generic Stealer 3,218 machines
Anti-virus Coverage
- #1 Windows Defender 5,453 machines
- #2 Windows Defender [ON] 526 machines
- #3 None 246 machines
- #4 Reason Cybersecurity 150 machines
- #5 Bkav Pro Internet Security 39 machines
- #6 ESET Security 17 machines
- #7 Panda Dome [OFF] 10 machines
- #8 Quick Heal Total Security 10 machines
- #9 腾讯电脑管家系统防护 (Tencent PC Manager system protection) 9 machines
- #10 Reason Cybersecurity [OFF] 8 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs, such as auth, sso, and vpn.
- #1 auth 19,810 hits
- #2 sso 5,318 hits
- #3 zoom 2,094 hits
- #4 github 1,463 hits
- #5 salesforce 882 hits
- #6 webmail 743 hits
- #7 adfs 638 hits
- #8 vpn 357 hits
- #9 oracle 355 hits
- #10 cpanel 345 hits
- #11 zendesk 322 hits
- #12 owa 310 hits
- #13 sap 231 hits
- #14 sts 181 hits
- #15 ping 170 hits
- #16 kaspersky 131 hits
- #17 roundcube 111 hits
- #18 ftp 100 hits
- #19 st 99 hits
- #20 imap 80 hits
- #21 webex 79 hits
- #22 extranet 74 hits
- #23 gitlab 65 hits
- #24 twilio 64 hits
- #25 okta 61 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.