Infostealers Weekly Report: 2025-06-02 – 2025-06-09
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 1,892
- #2 Brazil 721
- #3 Indonesia 582
- #4 Thailand 530
- #5 Vietnam 439
- #6 Philippines 411
- #7 Pakistan 346
- #8 France 331
- #9 Mexico 330
- #10 Argentina 329
- #11 Spain 323
- #12 Egypt 302
- #13 Turkey 249
- #14 Colombia 239
- #15 Bangladesh 227
- #16 Germany 201
- #17 South Africa 199
- #18 Poland 198
- #19 Italy 196
- #20 Peru 171
- #21 United Kingdom 167
- #22 Romania 159
- #23 Morocco 158
- #24 Kenya 153
- #25 Algeria 151
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 14,081 users
- #2 facebook.com 11,785 users
- #3 live.com 10,595 users
- #4 instagram.com 6,916 users
- #5 com.facebook.katana 6,485 users
- #6 netflix.com 6,102 users
- #7 amazon.com 5,135 users
- #8 discord.com 5,069 users
- #9 com.instagram.android 4,849 users
- #10 com.netflix.mediaclient 4,470 users
- #11 paypal.com 4,178 users
- #12 twitter.com 3,958 users
- #13 apple.com 3,812 users
- #14 steampowered.com 3,622 users
- #15 roblox.com 3,553 users
- #16 linkedin.com 3,437 users
- #17 192.168.1.1 3,111 users
- #18 com.pinterest 3,011 users
- #19 microsoftonline.com 2,886 users
- #20 github.com 2,830 users
- #21 twitch.tv 2,826 users
- #22 openai.com 2,740 users
- #23 yahoo.com 2,702 users
- #24 com.discord 2,679 users
- #25 epicgames.com 2,627 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 icicibank.com 155 employees
- #2 hostinger.com 110 employees
- #3 rediff.com 71 employees
- #4 wp.pl 66 employees
- #5 buenosaires.gob.ar 42 employees
- #6 unionbankonline.co.in 40 employees
- #7 aruba.it 39 employees
- #8 163.com 38 employees
- #9 firstmail.ltd 37 employees
- #10 watchit.com 37 employees
- #11 indusind.com 35 employees
- #12 bobibanking.com 34 employees
- #13 secureserver.net 32 employees
- #14 qq.com 28 employees
- #15 icai.org 28 employees
- #16 o2.pl 27 employees
- #17 netpnb.com 26 employees
- #18 tim.it 26 employees
- #19 interia.pl 26 employees
- #20 web-hosting.com 25 employees
- #21 concentrix.com 23 employees
- #22 alxswe.com 23 employees
- #23 sts.net.pk 22 employees
- #24 freemail.hu 21 employees
- #25 santander.com.br 21 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 8 employees
- #2 cognizant.com 7 employees
- #3 rockwellautomation.com 6 employees
- #4 cbre.com 5 employees
- #5 ibm.com 5 employees
- #6 amazon.com 4 employees
- #7 netflix.com 3 employees
- #8 xerox.com 3 employees
- #9 jpmorganchase.com 3 employees
- #10 ingrammicro.com 2 employees
- #11 apple.com 2 employees
- #12 halliburton.com 2 employees
- #13 att.com 2 employees
- #14 verizon.com 2 employees
- #15 intel.com 2 employees
- #16 abbvie.com 1 employee
- #17 lear.com 1 employee
- #18 grainger.com 1 employee
- #19 jnj.com 1 employee
- #20 ebay.com 1 employee
Compromised users
- #1 google.com 14,081 users
- #2 facebook.com 11,785 users
- #3 netflix.com 6,102 users
- #4 amazon.com 5,135 users
- #5 paypal.com 4,178 users
- #6 apple.com 3,812 users
- #7 ebay.com 850 users
- #8 hp.com 730 users
- #9 oracle.com 680 users
- #10 nike.com 527 users
- #11 microsoft.com 490 users
- #12 cisco.com 376 users
- #13 ibm.com 264 users
- #14 ups.com 220 users
- #15 walmart.com 197 users
- #16 westernunion.com 143 users
- #17 intel.com 124 users
- #18 broadcom.com 120 users
- #19 fedex.com 117 users
- #20 adp.com 107 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 6,485 users
- 4,849 users
- Netflix 4,470 users
- 3,011 users
- Discord 2,679 users
- Roblox 2,544 users
- Spotify 2,390 users
- Snapchat 2,167 users
- 2,023 users
- Twitch 1,906 users
- Wish 1,594 users
- PayPal 1,220 users
- 1,094 users
- Zoom 1,064 users
- Disney 978 users
- Mega 978 users
- Xiaomi 869 users
- Alibaba 741 users
- Mercadolibre 674 users
- Waze 636 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 744,142 users
- #2 hotmail.com 71,782 users
- #3 yahoo.com 32,802 users
- #4 outlook.com 17,279 users
- #5 live.com 5,122 users
- #6 hotmail.fr 5,119 users
- #7 icloud.com 4,610 users
- #8 yahoo.fr 2,055 users
- #9 web.de 1,849 users
- #10 libero.it 1,726 users
- #11 yahoo.com.br 1,592 users
- #12 orange.fr 1,573 users
- #13 hotmail.co.uk 1,563 users
- #14 msn.com 1,447 users
- #15 yahoo.co.uk 1,447 users
- #16 yahoo.co.id 1,186 users
- #17 gmx.de 1,140 users
- #18 ymail.com 1,072 users
- #19 proton.me 993 users
- #20 mail.com 993 users
- #21 hotmail.es 911 users
- #22 free.fr 876 users
- #23 hotmail.it 820 users
- #24 aol.com 800 users
- #25 protonmail.com 755 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 11,142 machines
- #2 Lumma 10,674 machines
Anti-virus Coverage
- #1 Windows Defender 9,344 machines
- #2 Windows Defender [ON] 1,039 machines
- #3 Reason Cybersecurity 632 machines
- #4 None 441 machines
- #5 ESET Security 46 machines
- #6 Kaspersky 36 machines
- #7 Quick Heal Total Security 31 machines
- #8 Malwarebytes [OFF] 26 machines
- #9 Reason Cybersecurity [OFF] 24 machines
- #10 알약 23 machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 78,424 hits
- #2 sso 21,998 hits
- #3 zoom 5,636 hits
- #4 github 4,774 hits
- #5 webmail 2,664 hits
- #6 oracle 1,492 hits
- #7 adfs 1,484 hits
- #8 sap 1,397 hits
- #9 zendesk 1,070 hits
- #10 vpn 857 hits
- #11 cpanel 781 hits
- #12 ping 759 hits
- #13 sts 617 hits
- #14 owa 540 hits
- #15 kaspersky 518 hits
- #16 imap 450 hits
- #17 extranet 449 hits
- #18 ftp 403 hits
- #19 webex 397 hits
- #20 salesforce 370 hits
- #21 st 361 hits
- #22 roundcube 254 hits
- #23 twilio 231 hits
- #24 okta 229 hits
- #25 gitlab 207 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.