Weekly intelligence Apr 21 – Apr 28, 2025

Infostealers Weekly Report: 2025-04-21 – 2025-04-28

InfoStealers Weekly Report - This report summarizes the most pressing infostealer threats facing organizations this week. As cyberattacks grow in complexity and scale, our aim is to give you the knowledge needed to safeguard sensitive information: we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global footprint of InfoStealer infections. Stay informed and stay one step ahead of these threats with our weekly report and infostealer statistics.

Compromised machines: 13,542
Compromised employees: 3,096
Compromised users: 3,492
Compromised Androids: 6,954
Compromised domains: 140,520

Threat Geography

Where infections came from

Compromised machines distributed by country of infection.

Infections by country (top 25 of 163 countries, by number of compromised machines)

  1. India 843
  2. Vietnam 685
  3. Brazil 572
  4. United States of America 394
  5. Philippines 352
  6. Indonesia 278
  7. Pakistan 268
  8. Bangladesh 206
  9. Poland 189
  10. Turkey 183
  11. Argentina 169
  12. France 147
  13. Egypt 140
  14. South Africa 132
  15. Mexico 125
  16. Thailand 109
  17. Spain 109
  18. Germany 107
  19. Colombia 101
  20. Japan 89
  21. Morocco 83
  22. Romania 76
  23. Algeria 70
  24. Kenya 69
  25. United Kingdom 68

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

  1. google.com 8,869 users
  2. facebook.com 6,908 users
  3. live.com 5,827 users
  4. instagram.com 4,008 users
  5. discord.com 3,954 users
  6. netflix.com 3,666 users
  7. roblox.com 3,440 users
  8. com.facebook.katana 3,344 users
  9. amazon.com 2,707 users
  10. steampowered.com 2,495 users
  11. com.instagram.android 2,419 users
  12. microsoftonline.com 2,393 users
  13. spotify.com 2,304 users
  14. paypal.com 2,228 users
  15. twitter.com 2,206 users
  16. com.netflix.mediaclient 2,135 users
  17. twitch.tv 2,086 users
  18. apple.com 2,020 users
  19. riotgames.com 1,979 users
  20. epicgames.com 1,908 users
  21. com.roblox.client 1,779 users
  22. steamcommunity.com 1,667 users
  23. linkedin.com 1,635 users
  24. com.discord 1,618 users
  25. mega.nz 1,499 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

  1. firstmail.ltd 54 employees
  2. hostinger.com 53 employees
  3. icicibank.com 51 employees
  4. wp.pl 47 employees
  5. rediff.com 32 employees
  6. onet.pl 24 employees
  7. qq.com 17 employees
  8. zsthost.com 16 employees
  9. unionbankonline.co.in 16 employees
  10. buenosaires.gob.ar 16 employees
  11. bluehost.com 15 employees
  12. interia.pl 15 employees
  13. freemail.hu 15 employees
  14. alxswe.com 15 employees
  15. concentrix.com 14 employees
  16. deped.gov.ph 13 employees
  17. secureserver.net 13 employees
  18. 163.com 13 employees
  19. meljus.co.ke 12 employees
  20. pekylazinvestltd.co.ke 12 employees
  21. billsmillsmerchandise.co.ke 12 employees
  22. avila.co.ke 12 employees
  23. coxwell.co.ke 12 employees
  24. kenyaweb.com 12 employees
  25. india.com 12 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

  1. microsoft.com 11 employees
  2. rockwellautomation.com 6 employees
  3. cablevision.com 3 employees
  4. twc.com 3 employees
  5. oracle.com 3 employees
  6. cognizant.com 2 employees
  7. frontier.com 2 employees
  8. firstam.com 2 employees
  9. essendant.com 2 employees
  10. publix.com 1 employee
  11. hp.com 1 employee
  12. ingredion.com 1 employee
  13. cbre.com 1 employee
  14. cisco.com 1 employee
  15. williams.com 1 employee
  16. nike.com 1 employee
  17. bakerhughes.com 1 employee
  18. centurylink.com 1 employee

Compromised users

  1. google.com 8,869 users
  2. facebook.com 6,908 users
  3. netflix.com 3,666 users
  4. amazon.com 2,707 users
  5. paypal.com 2,228 users
  6. apple.com 2,020 users
  7. ebay.com 393 users
  8. microsoft.com 354 users
  9. oracle.com 295 users
  10. nike.com 260 users
  11. hp.com 249 users
  12. salesforce.com 198 users
  13. cisco.com 152 users
  14. walmart.com 146 users
  15. ibm.com 100 users
  16. ups.com 97 users
  17. bestbuy.com 75 users
  18. fedex.com 74 users
  19. adp.com 66 users
  20. wellsfargo.com 63 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20 (app name, associated domain · Android package, users)

  1. Facebook (facebook.com · com.facebook.katana) 3,344 users
  2. Instagram (instagram.com · com.instagram.android) 2,419 users
  3. Netflix (netflix.com · com.netflix.mediaclient) 2,135 users
  4. Roblox (roblox.com · com.roblox.client) 1,779 users
  5. Discord (discord.com · com.discord) 1,618 users
  6. Pinterest (pinterest.com · com.pinterest) 1,494 users
  7. Spotify (spotify.com · com.spotify.music) 1,480 users
  8. Twitch (app.com · tv.twitch.android.app) 1,126 users
  9. Snapchat (snapchat.com · com.snapchat.android) 1,016 users
  10. Twitter (twitter.com · com.twitter.android) 857 users
  11. Wish (contextlogic.com · com.contextlogic.wish) 786 users
  12. Zoom (videomeetings.com · us.zoom.videomeetings) 537 users
  13. PayPal (paypal.com · com.paypal.android.p2pmobile) 526 users
  14. Mega (app.com · mega.privacy.android.app) 471 users
  15. LinkedIn (linkedin.com · com.linkedin.android) 458 users
  16. Xiaomi (xiaomi.com · com.xiaomi.account) 371 users
  17. Disney (disney.com · com.disney.disneyplus) 369 users
  18. Mercadolibre (mercadolibre.com · com.mercadolibre) 322 users
  19. Alibaba (alibaba.com · com.alibaba.aliexpresshd) 282 users
  20. Waze (waze.com · com.waze) 247 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

  1. gmail.com 386,126 users
  2. hotmail.com 27,816 users
  3. yahoo.com 18,261 users
  4. outlook.com 11,239 users
  5. icloud.com 2,851 users
  6. live.com 2,527 users
  7. msn.com 870 users
  8. aol.com 757 users
  9. protonmail.com 694 users
  10. yahoo.com.ar 692 users
  11. yahoo.com.br 612 users
  12. yahoo.fr 606 users
  13. ymail.com 576 users
  14. live.fr 574 users
  15. hotmail.fr 561 users
  16. mail.com 508 users
  17. web.de 494 users
  18. rocketmail.com 392 users
  19. free.fr 376 users
  20. gmx.com 322 users
  21. proton.me 309 users
  22. yahoo.co.in 289 users
  23. hotmail.es 277 users
  24. hotmail.de 250 users
  25. yahoo.co.id 248 users

Top Compromised Social Platforms

Where saved sessions and logins lived

Social media services where compromised accounts had stored sessions or saved logins.

Top 19 (listed in the report's own order, not sorted by count)

  1. facebook.com 6,908 accounts
  2. twitter.com 2,206 accounts
  3. instagram.com 4,008 accounts
  4. linkedin.com 1,635 accounts
  5. pinterest.com 648 accounts
  6. tiktok.com 977 accounts
  7. snapchat.com 712 accounts
  8. reddit.com 388 accounts
  9. youtube.com 63 accounts
  10. weibo.com 20 accounts
  11. vk.com 346 accounts
  12. telegram.org 33 accounts
  13. tumblr.com 187 accounts
  14. discord.com 3,954 accounts
  15. flickr.com 112 accounts
  16. myspace.com 26 accounts
  17. badoo.com 50 accounts
  18. meetup.com 16 accounts
  19. quora.com 42 accounts

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

  1. Lumma 7,149 machines
  2. Generic Stealer 5,789 machines
  3. Vidar 604 machines

Anti-virus Coverage (as reported by infected hosts)

  1. Windows Defender 6,319 machines
  2. Disabled 604 machines
  3. Windows Defender [ON] 600 machines
  4. None 345 machines
  5. Reason Cybersecurity 132 machines
  6. Bkav Pro Internet Security 68 machines
  7. Malwarebytes [OFF] 24 machines
  8. Reason Cybersecurity [OFF] 24 machines
  9. McAfee 24 machines
  10. 360 Total Security 21 machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

  1. auth 53,087 hits
  2. sso 10,034 hits
  3. zoom 3,171 hits
  4. github 2,338 hits
  5. webmail 1,240 hits
  6. adfs 973 hits
  7. sap 798 hits
  8. oracle 687 hits
  9. vpn 649 hits
  10. zendesk 516 hits
  11. salesforce 414 hits
  12. ping 380 hits
  13. cpanel 368 hits
  14. owa 362 hits
  15. sts 355 hits
  16. kaspersky 189 hits
  17. st 188 hits
  18. webex 168 hits
  19. okta 162 hits
  20. ftp 149 hits
  21. roundcube 145 hits
  22. imap 145 hits
  23. jira 135 hits
  24. extranet 130 hits
  25. twilio 127 hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
