Weekly intelligence, May 19 – May 26, 2025

Infostealers Weekly Report: 2025-05-19 – 2025-05-26

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

  1. 2,858 compromised machines
  2. 712 compromised employees
  3. 485 compromised users
  4. 1,661 compromised Androids
  5. 44,497 compromised domains

Threat Geography

Where infections came from

Compromised machines distributed by country of infection.

Infections by country: top 25 of 133 countries (compromised machines)

  1. India 296
  2. Philippines 164
  3. Brazil 159
  4. Indonesia 103
  5. Vietnam 98
  6. Argentina 75
  7. Pakistan 74
  8. South Africa 55
  9. Bangladesh 53
  10. Turkey 34
  11. Malaysia 33
  12. Romania 32
  13. Colombia 32
  14. Mexico 32
  15. Algeria 31
  16. Kenya 30
  17. Portugal 27
  18. Thailand 26
  19. Sri Lanka 24
  20. Serbia 23
  21. United States of America 21
  22. Egypt 21
  23. Chile 21
  24. Morocco 21
  25. Nepal 18

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

  1. google.com 1,904 users
  2. facebook.com 1,609 users
  3. live.com 1,375 users
  4. instagram.com 905 users
  5. com.facebook.katana 860 users
  6. netflix.com 859 users
  7. amazon.com 720 users
  8. discord.com 709 users
  9. com.instagram.android 638 users
  10. com.netflix.mediaclient 592 users
  11. paypal.com 584 users
  12. twitter.com 567 users
  13. apple.com 544 users
  14. roblox.com 516 users
  15. steampowered.com 509 users
  16. linkedin.com 509 users
  17. microsoftonline.com 495 users
  18. com.pinterest 472 users
  19. spotify.com 451 users
  20. 192.168.1.1 422 users
  21. mega.nz 411 users
  22. yahoo.com 393 users
  23. github.com 389 users
  24. twitch.tv 384 users
  25. com.spotify.music 367 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

  1. icicibank.com 23 employees
  2. hostinger.com 21 employees
  3. rediff.com 18 employees
  4. buenosaires.gob.ar 11 employees
  5. deped.gov.ph 9 employees
  6. secureserver.net 8 employees
  7. firstmail.ltd 8 employees
  8. indusind.com 8 employees
  9. bcb.gov.br 8 employees
  10. axxesslocal.co.za 7 employees
  11. yahoosmallbusiness.com 7 employees
  12. 1govuc.gov.my 7 employees
  13. ns.gov.my 7 employees
  14. justhost.com 6 employees
  15. sempreser.com.br 6 employees
  16. 127.0.0.1 6 employees
  17. santander.com.br 5 employees
  18. onlinesbi.com 5 employees
  19. abv.bg 5 employees
  20. cnpq.br 5 employees
  21. alxswe.com 5 employees
  22. kakao.com 5 employees
  23. accenture.com 5 employees
  24. xfdw163.com 4 employees
  25. hipro.co.zw 4 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

  1. rockwellautomation.com 2 employees
  2. cognizant.com 2 employees
  3. hp.com 1 employee
  4. marathonoil.com 1 employee
  5. microsoft.com 1 employee

Compromised users

  1. google.com 1,904 users
  2. facebook.com 1,609 users
  3. netflix.com 859 users
  4. amazon.com 720 users
  5. paypal.com 584 users
  6. apple.com 544 users
  7. ebay.com 134 users
  8. oracle.com 91 users
  9. hp.com 78 users
  10. nike.com 70 users
  11. microsoft.com 67 users
  12. cisco.com 49 users
  13. walmart.com 39 users
  14. ibm.com 27 users
  15. ups.com 23 users
  16. westernunion.com 21 users
  17. broadcom.com 18 users
  18. intel.com 18 users
  19. adp.com 17 users
  20. bestbuy.com 17 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

  1. Facebook (facebook.com · com.facebook.katana) 860 users
  2. Instagram (instagram.com · com.instagram.android) 638 users
  3. Netflix (netflix.com · com.netflix.mediaclient) 592 users
  4. Pinterest (pinterest.com · com.pinterest) 472 users
  5. Spotify (spotify.com · com.spotify.music) 367 users
  6. Discord (discord.com · com.discord) 353 users
  7. Roblox (roblox.com · com.roblox.client) 345 users
  8. Snapchat (snapchat.com · com.snapchat.android) 263 users
  9. Twitter (twitter.com · com.twitter.android) 258 users
  10. Twitch (app.com · tv.twitch.android.app) 213 users
  11. Wish (contextlogic.com · com.contextlogic.wish) 199 users
  12. PayPal (paypal.com · com.paypal.android.p2pmobile) 160 users
  13. Zoom (videomeetings.com · us.zoom.videomeetings) 148 users
  14. LinkedIn (linkedin.com · com.linkedin.android) 123 users
  15. Xiaomi (xiaomi.com · com.xiaomi.account) 120 users
  16. Mega (app.com · mega.privacy.android.app) 115 users
  17. Disney (disney.com · com.disney.disneyplus) 114 users
  18. Mercadolibre (mercadolibre.com · com.mercadolibre) 107 users
  19. Waze (waze.com · com.waze) 105 users
  20. Alibaba (alibaba.com · com.alibaba.aliexpresshd) 71 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

  1. gmail.com 99,443 users
  2. hotmail.com 9,702 users
  3. yahoo.com 7,573 users
  4. outlook.com 2,085 users
  5. gmx.com 1,031 users
  6. yahoo.com.br 651 users
  7. live.com 622 users
  8. icloud.com 534 users
  9. msn.com 399 users
  10. yahoo.fr 351 users
  11. hotmail.fr 310 users
  12. ymail.com 243 users
  13. yahoo.it 191 users
  14. terra.com.br 182 users
  15. yahoo.co.in 150 users
  16. hotmail.com.ar 131 users
  17. aol.com 129 users
  18. email.com 116 users
  19. yahoo.com.ar 104 users
  20. me.com 81 users
  21. yandex.com 80 users
  22. proton.me 79 users
  23. facebook.com 75 users
  24. protonmail.com 72 users
  25. outlook.com.br 70 users

Top Compromised Social Platforms

Where saved sessions and logins lived

Social media services where compromised accounts had stored sessions or saved logins.

Top 19

  1. facebook.com 1,609 accounts
  2. twitter.com 567 accounts
  3. instagram.com 905 accounts
  4. linkedin.com 509 accounts
  5. pinterest.com 166 accounts
  6. tiktok.com 196 accounts
  7. snapchat.com 141 accounts
  8. reddit.com 94 accounts
  9. youtube.com 16 accounts
  10. weibo.com 31 accounts
  11. vk.com 92 accounts
  12. telegram.org 4 accounts
  13. tumblr.com 65 accounts
  14. discord.com 709 accounts
  15. flickr.com 46 accounts
  16. myspace.com 1 account
  17. badoo.com 23 accounts
  18. meetup.com 7 accounts
  19. quora.com 15 accounts

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

  1. Lumma 2,542 machines
  2. Generic Stealer 316 machines

Anti-virus Coverage

  1. Windows Defender 1,481 machines
  2. Windows Defender [ON] 194 machines
  3. None 152 machines
  4. Reason Cybersecurity 33 machines
  5. Malwarebytes [OFF] 13 machines
  6. Avast Antivirus 9 machines
  7. Reason Cybersecurity [OFF] 5 machines
  8. Norton 360 4 machines
  9. PC Tools Spyware Doctor with AntiVirus [OFF] 3 machines
  10. Bkav Pro Internet Security 3 machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

  1. auth 9,488 hits
  2. sso 2,320 hits
  3. zoom 723 hits
  4. github 642 hits
  5. webmail 485 hits
  6. adfs 253 hits
  7. oracle 178 hits
  8. zendesk 128 hits
  9. cpanel 123 hits
  10. sts 121 hits
  11. sap 116 hits
  12. owa 116 hits
  13. vpn 97 hits
  14. webex 85 hits
  15. kaspersky 69 hits
  16. ping 59 hits
  17. imap 58 hits
  18. roundcube 49 hits
  19. salesforce 49 hits
  20. ftp 39 hits
  21. twilio 38 hits
  22. st 38 hits
  23. okta 33 hits
  24. extranet 23 hits
  25. jira 17 hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
