Infostealers Weekly Report: 2025-10-20 – 2025-10-27
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 India 1,982
- #2 United States of America 1,927
- #3 Brazil 536
- #4 Mexico 402
- #5 Unknown Region 389
- #6 Indonesia 370
- #7 Philippines 355
- #8 China 298
- #9 Italy 271
- #10 Germany 271
- #11 France 251
- #12 Japan 238
- #13 Vietnam 231
- #14 Bangladesh 205
- #15 United Kingdom 203
- #16 Colombia 202
- #17 Egypt 198
- #18 Spain 189
- #19 Peru 187
- #20 Argentina 180
- #21 Turkey 180
- #22 Canada 176
- #23 Pakistan 161
- #24 South Korea 146
- #25 Australia 119
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 10,165 users
-
#2
facebook.com 7,970 users
-
#3
live.com 7,567 users
-
#4
instagram.com 5,404 users
-
#5
netflix.com 4,714 users
-
#6
amazon.com 4,695 users
-
#7
discord.com 3,851 users
-
#8
microsoftonline.com 3,813 users
-
#9
com.facebook.katana 3,613 users
-
#10
linkedin.com 3,487 users
-
#11
paypal.com 3,396 users
-
#12
com.instagram.android 3,016 users
-
#13
apple.com 3,004 users
-
#14
roblox.com 2,911 users
-
#15
twitter.com 2,692 users
-
#16
spotify.com 2,631 users
-
#17
com.netflix.mediaclient 2,627 users
-
#18
steampowered.com 2,553 users
-
#19
openai.com 2,406 users
-
#20
zoom.us 2,329 users
-
#21
twitch.tv 2,219 users
-
#22
myworkdayjobs.com 2,098 users
-
#23
github.com 1,994 users
-
#24
yahoo.com 1,984 users
-
#25
epicgames.com 1,900 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
hostinger.com 126 employees
-
#2
icicibank.com 104 employees
-
#3
aruba.it 100 employees
-
#4
njoyn.com 83 employees
-
#5
rediff.com 72 employees
-
#6
pec.it 57 employees
-
#7
firstmail.ltd 49 employees
-
#8
spectrum.net 41 employees
-
#9
icai.org 41 employees
-
#10
publix.com 40 employees
-
#11
cuny.edu 39 employees
-
#12
bluehost.com 38 employees
-
#13
secureserver.net 34 employees
-
#14
163.com 33 employees
-
#15
infocert.it 33 employees
-
#16
accenture.com 31 employees
-
#17
snhu.edu 30 employees
-
#18
bobibanking.com 29 employees
-
#19
tim.it 28 employees
-
#20
web-hosting.com 27 employees
-
#21
peoplematter.com 27 employees
-
#22
netpnb.com 26 employees
-
#23
atlassian.com 26 employees
-
#24
ionos.com 26 employees
-
#25
one.com 24 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
-
#2
microsoft.com 22 employees
-
#3
ups.com 15 employees
-
#4
oracle.com 7 employees
-
#5
-
#6
salesforce.com 7 employees
-
#7
ibm.com 6 employees
-
#8
rockwellautomation.com 5 employees
-
#9
cognizant.com 5 employees
-
#10
-
#11
costco.com 4 employees
-
#12
ebay.com 4 employees
-
#13
twc.com 4 employees
-
#14
gm.com 4 employees
-
#15
mutualofomaha.com 3 employees
-
#16
frontier.com 3 employees
-
#17
-
#18
delta.com 2 employees
-
#19
ncr.com 2 employees
-
#20
cbre.com 2 employees
Compromised users
-
#1
-
#2
-
#3
-
#4
-
#5
-
#6
-
#7
-
#8
walmart.com 833 users
-
#9
adp.com 799 users
-
#10
hp.com 647 users
-
#11
capitalone.com 615 users
-
#12
target.com 592 users
-
#13
att.com 564 users
-
#14
fedex.com 556 users
-
#15
-
#16
bestbuy.com 541 users
-
#17
-
#18
nike.com 532 users
-
#19
bankofamerica.com 465 users
-
#20
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
3,613 users
3,016 users
Netflix
2,627 users
Discord
1,630 users
Roblox
1,528 users
Spotify
1,516 users
Snapchat
1,390 users
Twitch
1,056 users
1,009 users
823 users
805 users
Disney
731 users
Zoom
684 users
PayPal
655 users
Wish
561 users
Xiaomi
413 users
Mega
377 users
Waze
343 users
Alibaba
293 users
Mercadolibre
238 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 614,209 users
-
#2
hotmail.com 44,806 users
-
#3
-
#4
outlook.com 17,233 users
-
#5
icloud.com 6,190 users
-
#6
aol.com 4,255 users
-
#7
-
#8
msn.com 3,517 users
-
#9
comcast.net 2,388 users
-
#10
libero.it 1,871 users
-
#11
yahoo.fr 1,563 users
-
#12
orange.fr 1,449 users
-
#13
hotmail.fr 1,402 users
-
#14
yahoo.com.br 1,303 users
-
#15
ymail.com 1,210 users
-
#16
mail.ru 1,190 users
-
#17
hotmail.co.uk 1,063 users
-
#18
sky.com 1,053 users
-
#19
hotmail.it 971 users
-
#20
sbcglobal.net 890 users
-
#21
mail.com 864 users
-
#22
att.net 793 users
-
#23
web.de 747 users
-
#24
verizon.net 679 users
-
#25
protonmail.com 670 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 14,701machines
- #2 Vidar 2,263machines
- #3 Lumma 726machines
- #4 Acreed 273machines
Anti-virus Coverage
- #1 Windows Defender 8,966machines
- #2 McAfee VirusScan 491machines
- #3 McAfee Firewall 465machines
- #4 Windows Defender. 401machines
- #5 McAfee 253machines
- #6 Norton Security Ultra 50machines
- #7 Webroot SecureAnywhere 48machines
- #8 Reason Cybersecurity 45machines
- #9 Norton Security 44machines
- #10 McAfee, Windows Defender 40machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 78,261hits
- #2 sso 20,708hits
- #3 zoom 5,985hits
- #4 adfs 3,680hits
- #5 github 3,623hits
- #6 webmail 2,834hits
- #7 ping 1,338hits
- #8 salesforce 1,207hits
- #9 oracle 1,191hits
- #10 sap 1,188hits
- #11 zendesk 1,124hits
- #12 okta 1,075hits
- #13 sts 863hits
- #14 owa 842hits
- #15 vpn 625hits
- #16 cpanel 560hits
- #17 webex 423hits
- #18 extranet 302hits
- #19 roundcube 287hits
- #20 kaspersky 251hits
- #21 ftp 243hits
- #22 st 236hits
- #23 gitlab 223hits
- #24 twilio 219hits
- #25 imap 216hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-06-01 – 2026-06-08
- 16K machines
- 2K users
- 273K domains
Infostealers Weekly Report: 2026-05-25 – 2026-06-01
- 18K machines
- 4K users
- 259K domains
Infostealers Weekly Report: 2026-05-18 – 2026-05-25
- 14K machines
- 4K users
- 187K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.