Weekly intelligence Jul 28 – Aug 4, 2025 11 min read

Infostealers Weekly Report: 2025-07-28 – 2025-08-04

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 5,233 Compromised Machines

#2 590 Compromised Employees

#3 2,494 Compromised Users

#4 2,149 Compromised Androids

#5 41,920 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 128

Infections by country

Top 25 countries

#1 India 671
#2 Bangladesh 242
#3 Pakistan 190
#4 Indonesia 153
#5 Philippines 86
#6 Mexico 74
#7 Egypt 66
#8 Vietnam 61
#9 Nigeria 60
#10 Argentina 57
#11 Kenya 56
#12 Brazil 53
#13 Colombia 50
#14 Spain 44
#15 South Africa 42
#16 United States of America 38
#17 Algeria 37
#18 Morocco 36
#19 Ethiopia 31
#20 Madagascar 31
#21 United Arab Emirates 30
#22 Turkey 28
#23 Nepal 27
#24 Côte d’Ivoire 26
#25 Ecuador 24

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 2,247 users
#2 facebook.com 1,996 users
#3 live.com 1,373 users
#4 com.facebook.katana 1,221 users
#5 instagram.com 864 users
#6 apple.com 861 users
#7 mega.nz 775 users
#8 com.instagram.android 734 users
#9 netflix.com 698 users
#10 unlocktool.net 689 users
#11 amazon.com 649 users
#12 192.168.1.1 635 users
#13 com.netflix.mediaclient 604 users
#14 192.168.0.1 528 users
#15 paypal.com 522 users
#16 discord.com 522 users
#17 twitter.com 518 users
#18 com.pinterest 504 users
#19 xiaomi.com 450 users
#20 linkedin.com 408 users
#21 com.facebook.lite 397 users
#22 samsung.com 391 users
#23 com.snapchat.android 387 users
#24 microsoftonline.com 376 users
#25 yahoo.com 371 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 bobibanking.com 15 employees
#2 buenosaires.gob.ar 7 employees
#3 zentadentallab.com 7 employees
#4 127.0.0.1 7 employees
#5 ril.com 7 employees
#6 icicibank.com 7 employees
#7 hostinger.com 7 employees
#8 alxswe.com 6 employees
#9 mail.tm 6 employees
#10 pearllemonleadsusa.com 6 employees
#11 lemapp.co 6 employees
#12 chillisumo.com 6 employees
#13 pearllemonaccountants.com 6 employees
#14 kemenag.go.id 6 employees
#15 secureserver.net 6 employees
#16 watchit.com 6 employees
#17 rediff.com 6 employees
#18 unionbankonline.co.in 6 employees
#19 pearllemoncafe.com 6 employees
#20 secop.gov.co 6 employees
#21 pearllemoncatering.com 6 employees
#22 dxunited.com 6 employees
#23 plantjudo.com 6 employees
#24 plantsumo.com 6 employees
#25 pearllemongames.com 6 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 netflix.com 3 employees

Compromised users

#1 google.com 2,249 users
#2 facebook.com 1,998 users
#3 apple.com 861 users
#4 netflix.com 700 users
#5 amazon.com 651 users
#6 paypal.com 523 users
#7 hp.com 135 users
#8 ebay.com 95 users
#9 oracle.com 77 users
#10 microsoft.com 57 users
#11 nike.com 55 users
#12 cisco.com 44 users
#13 ibm.com 28 users
#14 walmart.com 22 users
#15 intel.com 21 users
#16 westernunion.com 15 users
#17 ups.com 12 users
#18 broadcom.com 10 users
#19 jacobs.com 9 users
#20 visa.com 9 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

1,222 users

Instagram

instagram.com · com.instagram.android

735 users

Netflix

netflix.com · com.netflix.mediaclient

605 users

pinterest.com · com.pinterest

505 users

Snapchat

snapchat.com · com.snapchat.android

387 users

Spotify

spotify.com · com.spotify.music

363 users

Twitter

twitter.com · com.twitter.android

301 users

Discord

discord.com · com.discord

288 users

Mega

app.com · mega.privacy.android.app

277 users

#10

Roblox

roblox.com · com.roblox.client

276 users

#11

Xiaomi

xiaomi.com · com.xiaomi.account

270 users

#12

Wish

contextlogic.com · com.contextlogic.wish

238 users

#13

PayPal

paypal.com · com.paypal.android.p2pmobile

204 users

#14

Twitch

app.com · tv.twitch.android.app

187 users

#15

linkedin.com · com.linkedin.android

173 users

#16

Zoom

videomeetings.com · us.zoom.videomeetings

173 users

#17

Disney

disney.com · com.disney.disneyplus

128 users

#18

Mercadolibre

mercadolibre.com · com.mercadolibre

117 users

#19

Alibaba

alibaba.com · com.alibaba.aliexpresshd

115 users

#20

Waze

waze.com · com.waze

97 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 107,792 users
#2 hotmail.com 8,839 users
#3 yahoo.com 3,079 users
#4 outlook.com 1,376 users
#5 icloud.com 542 users
#6 ymail.com 318 users
#7 hotmail.es 272 users
#8 libero.it 253 users
#9 live.com 249 users
#10 googlemail.com 240 users
#11 gmx.de 196 users
#12 hotmail.fr 181 users
#13 alice.it 164 users
#14 yahoo.co.id 159 users
#15 yahoo.fr 152 users
#16 me.com 136 users
#17 web.de 111 users
#18 hotmail.it 103 users
#19 yahoo.com.br 77 users
#20 fibertel.com.ar 75 users
#21 mail.com 71 users
#22 facebook.com 60 users
#23 neuf.fr 57 users
#24 live.fr 55 users
#25 proton.me 50 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Lumma 4,942machines
#2 Generic Stealer 286machines

Anti-virus Coverage

#1 Windows Defender 2,493machines
#2 None 749machines
#3 Windows Defender [ON] 361machines
#4 Reason Cybersecurity 349machines
#5 ‍ 46machines
#6 Avast Antivirus 9machines
#7 Kaspersky 8machines
#8 ESET NOD32 Antivirus 8.0 8machines
#9 Kaspersky [OFF] 7machines
#10 Symantec Endpoint Protection 6machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 10,851hits
#2 sso 1,665hits
#3 zoom 669hits
#4 github 612hits
#5 webmail 296hits
#6 vpn 182hits
#7 oracle 175hits
#8 adfs 173hits
#9 sap 150hits
#10 cpanel 132hits
#11 zendesk 113hits
#12 st 78hits
#13 ping 63hits
#14 sts 59hits
#15 owa 59hits
#16 extranet 57hits
#17 roundcube 37hits
#18 twilio 29hits
#19 gitlab 28hits
#20 ftp 28hits
#21 kaspersky 26hits
#22 webex 20hits
#23 salesforce 11hits
#24 okta 11hits
#25 citrix 10hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

May 4 → May 11, 2026 12 min

Infostealers Weekly Report: 2026-05-04 – 2026-05-11

16K machines
4K users
200K domains

View report →

Infostealers Weekly Report: 2025-07-28 – 2025-08-04

Where infections came from

Where users had active sessions

Employees caught in the logs