Infostealers Weekly Report: 2025-09-08 – 2025-09-15
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 United States of America 1,654
- #2 India 1,465
- #3 Brazil 1,014
- #4 Vietnam 839
- #5 Indonesia 833
- #6 Philippines 807
- #7 Turkey 558
- #8 Bangladesh 483
- #9 Germany 433
- #10 France 349
- #11 United Kingdom 340
- #12 Colombia 318
- #13 Poland 315
- #14 Thailand 304
- #15 Pakistan 279
- #16 Egypt 272
- #17 Mexico 259
- #18 Argentina 222
- #19 Spain 205
- #20 Romania 198
- #21 Italy 195
- #22 Malaysia 192
- #23 Netherlands 146
- #24 Morocco 146
- #25 Peru 145
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 12,417 users
-
#2
live.com 9,293 users
-
#3
facebook.com 9,163 users
-
#4
roblox.com 8,787 users
-
#5
discord.com 8,184 users
-
#6
instagram.com 6,005 users
-
#7
steampowered.com 5,132 users
-
#8
com.facebook.katana 5,109 users
-
#9
netflix.com 4,948 users
-
#10
com.roblox.client 4,534 users
-
#11
twitch.tv 4,218 users
-
#12
epicgames.com 4,037 users
-
#13
riotgames.com 3,857 users
-
#14
com.instagram.android 3,853 users
-
#15
amazon.com 3,772 users
-
#16
spotify.com 3,521 users
-
#17
apple.com 3,380 users
-
#18
paypal.com 3,353 users
-
#19
com.netflix.mediaclient 3,306 users
-
#20
steamcommunity.com 3,155 users
-
#21
com.discord 3,134 users
-
#22
microsoftonline.com 2,842 users
-
#23
twitter.com 2,721 users
-
#24
rockstargames.com 2,435 users
-
#25
tlauncher.org 2,382 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
firstmail.ltd 187 employees
-
#2
hostinger.com 59 employees
-
#3
icicibank.com 57 employees
-
#4
wp.pl 56 employees
-
#5
zsthost.com 42 employees
-
#6
rediff.com 31 employees
-
#7
secop.gov.co 30 employees
-
#8
163.com 29 employees
-
#9
bobibanking.com 26 employees
-
#10
unionbankonline.co.in 23 employees
-
#11
deped.gov.ph 20 employees
-
#12
interia.pl 19 employees
-
#13
netpnb.com 19 employees
-
#14
mail.tm 17 employees
-
#15
aruba.it 17 employees
-
#16
digimail.in 17 employees
-
#17
imbamail.com 17 employees
-
#18
rmunify.com 16 employees
-
#19
onet.pl 15 employees
-
#20
naver.com 15 employees
-
#21
buenosaires.gob.ar 15 employees
-
#22
seznam.cz 14 employees
-
#23
p1177.net 14 employees
-
#24
77mail.cc 13 employees
-
#25
gygmail4.com 13 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
microsoft.com 6 employees
-
#2
publix.com 5 employees
-
#3
fedex.com 3 employees
-
#4
ups.com 3 employees
-
#5
rockwellautomation.com 2 employees
-
#6
ibm.com 2 employees
-
#7
cisco.com 2 employees
-
#8
cbre.com 2 employees
-
#9
-
#10
-
#11
jpmorganchase.com 1 employees
-
#12
nov.com 1 employees
-
#13
honeywell.com 1 employees
-
#14
chsinc.com 1 employees
-
#15
statefarm.com 1 employees
-
#16
autonation.com 1 employees
-
#17
csc.com 1 employees
-
#18
bnymellon.com 1 employees
-
#19
frontier.com 1 employees
-
#20
bms.com 1 employees
Compromised users
-
#1
-
#2
-
#3
-
#4
-
#5
-
#6
-
#7
ebay.com 457 users
-
#8
nike.com 443 users
-
#9
hp.com 377 users
-
#10
oracle.com 345 users
-
#11
-
#12
walmart.com 265 users
-
#13
-
#14
-
#15
bestbuy.com 129 users
-
#16
target.com 124 users
-
#17
adp.com 119 users
-
#18
-
#19
disney.com 108 users
-
#20
capitalone.com 100 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
5,109 users
Roblox
4,534 users
3,853 users
Netflix
3,306 users
Discord
3,134 users
Spotify
1,981 users
Twitch
1,969 users
Snapchat
1,653 users
1,376 users
1,011 users
PayPal
997 users
Mega
774 users
Disney
710 users
Xiaomi
681 users
Zoom
677 users
Wish
620 users
384 users
Mercadolibre
321 users
Alibaba
294 users
Waze
289 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 499,737 users
-
#2
hotmail.com 31,258 users
-
#3
yahoo.com 18,340 users
-
#4
outlook.com 14,336 users
-
#5
icloud.com 7,220 users
-
#6
-
#7
web.de 1,240 users
-
#8
yahoo.fr 1,144 users
-
#9
mail.com 936 users
-
#10
hotmail.fr 838 users
-
#11
aol.com 802 users
-
#12
msn.com 781 users
-
#13
gmx.de 723 users
-
#14
proton.me 711 users
-
#15
mail.ru 648 users
-
#16
yahoo.co.uk 609 users
-
#17
yahoo.co.id 599 users
-
#18
ymail.com 528 users
-
#19
gmx.net 492 users
-
#20
yahoo.com.br 473 users
-
#21
hotmail.co.uk 424 users
-
#22
orange.fr 420 users
-
#23
libero.it 407 users
-
#24
yahoo.com.ar 396 users
-
#25
outlook.com.br 394 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 13,850machines
- #2 Lumma 4,307machines
- #3 Acreed 90machines
Anti-virus Coverage
- #1 Windows Defender 1,354machines
- #2 Windows Defender [ON] 919machines
- #3 None 874machines
- #4 316machines
- #5 Reason Cybersecurity 95machines
- #6 Windows Defender. 49machines
- #7 Malwarebytes [OFF] 8machines
- #8 Windows Defender, McAfee. 6machines
- #9 Malwarebytes 6machines
- #10 360 Total Security 5machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 56,972hits
- #2 sso 14,417hits
- #3 github 3,503hits
- #4 zoom 3,404hits
- #5 adfs 1,403hits
- #6 webmail 1,395hits
- #7 zendesk 765hits
- #8 oracle 727hits
- #9 vpn 599hits
- #10 sap 501hits
- #11 ping 481hits
- #12 sts 445hits
- #13 owa 355hits
- #14 cpanel 301hits
- #15 st 252hits
- #16 okta 244hits
- #17 salesforce 242hits
- #18 webex 218hits
- #19 extranet 214hits
- #20 kaspersky 186hits
- #21 webvpn 182hits
- #22 ftp 134hits
- #23 twilio 126hits
- #24 roundcube 119hits
- #25 gitlab 88hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-05-18 – 2026-05-25
- 14K machines
- 4K users
- 187K domains
Infostealers Weekly Report: 2026-05-11 – 2026-05-18
- 25K machines
- 2K users
- 319K domains
Infostealers Weekly Report: 2026-05-04 – 2026-05-11
- 16K machines
- 4K users
- 200K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.