Weekly intelligence May 26 – Jun 2, 2025 12 min read

Infostealers Weekly Report: 2025-05-26 – 2025-06-02

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 6,743 Compromised Machines

#2 1,641 Compromised Employees

#3 1,227 Compromised Users

#4 3,875 Compromised Androids

#5 113,579 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 156

Infections by country

Top 25 countries

#1 India 784
#2 Brazil 402
#3 Philippines 335
#4 Indonesia 265
#5 Vietnam 212
#6 United States of America 212
#7 Argentina 178
#8 Pakistan 163
#9 South Africa 128
#10 Egypt 126
#11 Mexico 119
#12 Thailand 114
#13 Turkey 105
#14 Germany 102
#15 France 101
#16 Colombia 91
#17 Algeria 87
#18 Bangladesh 86
#19 Kenya 85
#20 Morocco 74
#21 Peru 73
#22 Romania 67
#23 Spain 60
#24 Italy 52
#25 Portugal 51

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 4,385 users
#2 facebook.com 3,622 users
#3 live.com 3,390 users
#4 instagram.com 2,320 users
#5 netflix.com 2,017 users
#6 discord.com 2,008 users
#7 com.facebook.katana 2,005 users
#8 amazon.com 1,767 users
#9 roblox.com 1,606 users
#10 com.instagram.android 1,507 users
#11 paypal.com 1,495 users
#12 steampowered.com 1,425 users
#13 com.netflix.mediaclient 1,379 users
#14 twitter.com 1,376 users
#15 apple.com 1,278 users
#16 microsoftonline.com 1,258 users
#17 spotify.com 1,229 users
#18 twitch.tv 1,221 users
#19 linkedin.com 1,107 users
#20 t.me 1,102 users
#21 com.pinterest 1,070 users
#22 com.spotify.music 1,062 users
#23 epicgames.com 1,041 users
#24 riotgames.com 1,038 users
#25 mega.nz 949 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 hostinger.com 44 employees
#2 icicibank.com 42 employees
#3 firstmail.ltd 26 employees
#4 bluehost.com 17 employees
#5 buenosaires.gob.ar 16 employees
#6 icai.org 14 employees
#7 rediff.com 14 employees
#8 unionbankonline.co.in 11 employees
#9 aruba.it 10 employees
#10 abv.bg 10 employees
#11 sapo.pt 10 employees
#12 web-hosting.com 9 employees
#13 hostgator.com.br 8 employees
#14 exssi.com 8 employees
#15 one.com 8 employees
#16 accenture.com 8 employees
#17 mail.tm 8 employees
#18 donpingroup.com 8 employees
#19 pnbibanking.in 7 employees
#20 163.com 7 employees
#21 interia.pl 7 employees
#22 webmail.co.za 7 employees
#23 watchit.com 7 employees
#24 concentrix.com 7 employees
#25 dreamhost.com 7 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 rockwellautomation.com 3 employees
#2 cognizant.com 2 employees
#3 microsoft.com 2 employees
#4 jll.com 2 employees
#5 publix.com 2 employees
#6 ibm.com 2 employees
#7 amazon.com 1 employees
#8 ebay.com 1 employees
#9 netflix.com 1 employees
#10 regions.com 1 employees
#11 verizon.com 1 employees
#12 harman.com 1 employees
#13 emerson.com 1 employees
#14 jpmorganchase.com 1 employees
#15 disney.com 1 employees
#16 xerox.com 1 employees
#17 mckesson.com 1 employees
#18 honeywell.com 1 employees
#19 att.com 1 employees

Compromised users

#1 google.com 4,385 users
#2 facebook.com 3,622 users
#3 netflix.com 2,017 users
#4 amazon.com 1,767 users
#5 paypal.com 1,495 users
#6 apple.com 1,278 users
#7 ebay.com 299 users
#8 oracle.com 193 users
#9 hp.com 185 users
#10 nike.com 172 users
#11 microsoft.com 147 users
#12 cisco.com 120 users
#13 walmart.com 79 users
#14 ibm.com 69 users
#15 westernunion.com 58 users
#16 ups.com 57 users
#17 fedex.com 37 users
#18 broadcom.com 35 users
#19 adp.com 35 users
#20 intel.com 34 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

2,005 users

Instagram

instagram.com · com.instagram.android

1,507 users

Netflix

netflix.com · com.netflix.mediaclient

1,379 users

pinterest.com · com.pinterest

1,070 users

Spotify

spotify.com · com.spotify.music

1,062 users

Discord

discord.com · com.discord

932 users

Roblox

roblox.com · com.roblox.client

889 users

Twitch

app.com · tv.twitch.android.app

717 users

Snapchat

snapchat.com · com.snapchat.android

648 users

#10

Twitter

twitter.com · com.twitter.android

637 users

#11

Wish

contextlogic.com · com.contextlogic.wish

514 users

#12

PayPal

paypal.com · com.paypal.android.p2pmobile

407 users

#13

linkedin.com · com.linkedin.android

333 users

#14

Zoom

videomeetings.com · us.zoom.videomeetings

328 users

#15

Disney

disney.com · com.disney.disneyplus

292 users

#16

Mega

app.com · mega.privacy.android.app

275 users

#17

Waze

waze.com · com.waze

234 users

#18

Xiaomi

xiaomi.com · com.xiaomi.account

221 users

#19

Alibaba

alibaba.com · com.alibaba.aliexpresshd

215 users

#20

Mercadolibre

mercadolibre.com · com.mercadolibre

205 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 234,014 users
#2 hotmail.com 20,959 users
#3 yahoo.com 13,001 users
#4 outlook.com 5,398 users
#5 icloud.com 1,408 users
#6 hotmail.it 1,333 users
#7 live.com 1,188 users
#8 hotmail.fr 755 users
#9 ymail.com 736 users
#10 yahoo.fr 658 users
#11 msn.com 583 users
#12 aol.com 544 users
#13 libero.it 508 users
#14 mail.com 490 users
#15 gmx.de 424 users
#16 yahoo.com.br 396 users
#17 hotmail.es 350 users
#18 live.fr 347 users
#19 gmx.com 321 users
#20 yahoo.co.id 307 users
#21 yahoo.com.ar 306 users
#22 laposte.net 298 users
#23 hotmail.com.br 279 users
#24 yahoo.co.in 227 users
#25 proton.me 224 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Lumma 5,316machines
#2 Generic Stealer 1,427machines

Anti-virus Coverage

#1 Windows Defender 3,463machines
#2 Windows Defender [ON] 459machines
#3 None 247machines
#4 Reason Cybersecurity 145machines
#5 Kaspersky 18machines
#6 Malwarebytes 17machines
#7 Malwarebytes [OFF] 15machines
#8 Reason Cybersecurity [OFF] 13machines
#9 ESET Security 12machines
#10 Norton Security 8machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 24,307hits
#2 sso 5,292hits
#3 zoom 1,753hits
#4 github 1,405hits
#5 webmail 954hits
#6 adfs 633hits
#7 oracle 530hits
#8 sap 460hits
#9 zendesk 344hits
#10 vpn 316hits
#11 cpanel 290hits
#12 owa 252hits
#13 ping 214hits
#14 sts 195hits
#15 roundcube 175hits
#16 extranet 141hits
#17 okta 138hits
#18 kaspersky 122hits
#19 imap 112hits
#20 ftp 104hits
#21 st 93hits
#22 webex 88hits
#23 salesforce 81hits
#24 gitlab 59hits
#25 twilio 52hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 25 → Jun 1, 2026 13 min

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

18K machines
4K users
259K domains

View report →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

Infostealers Weekly Report: 2025-05-26 – 2025-06-02

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Pinterest

Spotify

Discord

Roblox

Twitch

Snapchat

Twitter

Wish

PayPal

LinkedIn

Zoom

Disney

Mega

Waze

Xiaomi

Alibaba

Mercadolibre

Email domains tied to compromised credentials

Stealer families & anti-virus coverage

Stealer Families

Anti-virus Coverage

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Pinterest

Spotify

Discord

Roblox

Twitch

Snapchat

Twitter

Wish

PayPal

LinkedIn

Zoom

Disney

Mega

Waze

Xiaomi

Alibaba

Mercadolibre

Email domains tied to compromised credentials

Where saved sessions and logins lived

Stealer families & anti-virus coverage

Stealer Families

Anti-virus Coverage

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

Infostealers Weekly Report: 2026-05-11 – 2026-05-18