Infostealers Weekly Report: 2025-12-08 – 2025-12-15
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 2,845
- #2 United States of America 617
- #3 Philippines 448
- #4 Brazil 433
- #5 Vietnam 317
- #6 Indonesia 307
- #7 Egypt 262
- #8 Bangladesh 227
- #9 Pakistan 185
- #10 France 168
- #11 Germany 159
- #12 Colombia 152
- #13 Mexico 151
- #14 United Kingdom 131
- #15 Argentina 131
- #16 Peru 129
- #17 Unknown Region 119
- #18 Algeria 118
- #19 Morocco 115
- #20 Italy 114
- #21 Spain 110
- #22 Poland 103
- #23 Turkey 98
- #24 China 87
- #25 Chile 86
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection. Entries in reverse-DNS form (for example com.facebook.katana) are Android package names recovered from saved mobile-app credentials, not web domains; they are broken out again in the Compromised Mobile Apps section.
- #1 google.com 8,906 users
- #2 facebook.com 6,717 users
- #3 live.com 6,030 users
- #4 instagram.com 4,746 users
- #5 com.facebook.katana 3,950 users
- #6 netflix.com 3,519 users
- #7 com.instagram.android 3,475 users
- #8 discord.com 3,325 users
- #9 amazon.com 2,999 users
- #10 roblox.com 2,856 users
- #11 microsoftonline.com 2,480 users
- #12 com.netflix.mediaclient 2,415 users
- #13 steampowered.com 2,291 users
- #14 openai.com 1,975 users
- #15 paypal.com 1,964 users
- #16 twitter.com 1,947 users
- #17 linkedin.com 1,924 users
- #18 spotify.com 1,895 users
- #19 com.discord 1,804 users
- #20 amazon.in 1,801 users
- #21 com.roblox.client 1,799 users
- #22 apple.com 1,778 users
- #23 twitch.tv 1,767 users
- #24 riotgames.com 1,668 users
- #25 com.spotify.music 1,657 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 icicibank.com 113 employees
- #2 rediff.com 69 employees
- #3 hostinger.com 66 employees
- #4 icai.org 47 employees
- #5 firstmail.ltd 36 employees
- #6 bobibanking.com 34 employees
- #7 netpnb.com 28 employees
- #8 unionbankonline.co.in 27 employees
- #9 aruba.it 27 employees
- #10 wp.pl 26 employees
- #11 163.com 22 employees
- #12 concentrix.com 21 employees
- #13 deped.gov.ph 21 employees
- #14 pnbibanking.in 20 employees
- #15 fednetbank.com 18 employees
- #16 accenture.com 18 employees
- #17 bank.in 17 employees
- #18 njoyn.com 17 employees
- #19 interia.pl 15 employees
- #20 amityonline.com 14 employees
- #21 rockwellautomation.com 14 employees
- #22 indiapost.gov.in 14 employees
- #23 atlassian.com 14 employees
- #24 watchit.com 13 employees
- #25 mail.tm 13 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 rockwellautomation.com 14 employees
- #2 salesforce.com 8 employees
- #3 microsoft.com 4 employees
- #4 amazon.com 4 employees
- #5 csc.com 3 employees
- #6 ge.com 3 employees
- #7 google.com 2 employees
- #8 ford.com 2 employees
- #9 hp.com 2 employees
- #10 morganstanley.com 2 employees
- #11 cognizant.com 2 employees
- #12 ibm.com 2 employees
- #13 gm.com 1 employee
- #14 twc.com 1 employee
- #15 bestbuy.com 1 employee
- #16 cbre.com 1 employee
- #17 johnsoncontrols.com 1 employee
- #18 netflix.com 1 employee
- #19 verizon.com 1 employee
- #20 staples.com 1 employee
Compromised users
- #1 google.com 8,906 users
- #2 facebook.com 6,717 users
- #3 netflix.com 3,519 users
- #4 amazon.com 2,999 users
- #5 paypal.com 1,964 users
- #6 apple.com 1,778 users
- #7 oracle.com 398 users
- #8 hp.com 348 users
- #9 microsoft.com 308 users
- #10 ebay.com 305 users
- #11 nike.com 255 users
- #12 cisco.com 209 users
- #13 ibm.com 185 users
- #14 walmart.com 146 users
- #15 ups.com 109 users
- #16 salesforce.com 97 users
- #17 fedex.com 73 users
- #18 adp.com 70 users
- #19 broadcom.com 65 users
- #20 westernunion.com 64 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week. App names were rendered as logos on the original page; where a name was not captured the entry is listed by count only, and #1 and #2 are identified from the matching package-name rows (com.facebook.katana, com.instagram.android) in the domains table above.
- #1 Facebook (com.facebook.katana) 3,950 users
- #2 Instagram (com.instagram.android) 3,475 users
- #3 Netflix 2,415 users
- #4 Discord 1,804 users
- #5 Roblox 1,799 users
- #6 Spotify 1,657 users
- #7 Snapchat 1,604 users
- #8 (app name not captured) 1,573 users
- #9 (app name not captured) 1,114 users
- #10 Twitch 1,091 users
- #11 Zoom 783 users
- #12 PayPal 612 users
- #13 Wish 575 users
- #14 (app name not captured) 552 users
- #15 Xiaomi 544 users
- #16 Mega 478 users
- #17 Disney 417 users
- #18 Mercadolibre 239 users
- #19 Waze 231 users
- #20 Alibaba 190 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 377,420 users
- #2 hotmail.com 24,718 users
- #3 yahoo.com 10,792 users
- #4 outlook.com 6,940 users
- #5 icloud.com 2,245 users
- #6 live.com 1,170 users
- #7 aol.com 1,071 users
- #8 hotmail.fr 1,031 users
- #9 yahoo.fr 990 users
- #10 verizon.net 896 users
- #11 libero.it 894 users
- #12 web.de 746 users
- #13 live.com.mx 633 users
- #14 mail.ru 572 users
- #15 ymail.com 507 users
- #16 googlemail.com 446 users
- #17 hotmail.es 441 users
- #18 hotmail.co.uk 431 users
- #19 yahoo.co.in 410 users
- #20 yahoo.de 391 users
- #21 gmx.de 368 users
- #22 yahoo.com.br 302 users
- #23 yahoo.com.ar 287 users
- #24 proton.me 283 users
- #25 hotmail.de 268 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 7,322 machines
- #2 Lumma 2,530 machines
- #3 Acreed 2,471 machines
- #4 Vidar 726 machines
- #5 DarkCrystal 5 machines
Anti-virus Coverage
The entries below are the raw anti-virus strings reported by infected hosts, so the same product appears more than once: rows #1 and #3 differ only by a trailing period, the combined rows differ in punctuation and ordering, and "N/A" is in practice another marker for no anti-virus installed. Read the product totals after collapsing those variants.
- #1 Windows Defender 6,511 machines
- #2 No anti-virus installed 1,376 machines
- #3 Windows Defender. 11 machines
- #4 Windows Defender, Avast Antivirus. 3 machines
- #5 N/A 2 machines
- #6 Avast Antivirus 2 machines
- #7 Windows Defender, ESET Security. 2 machines
- #8 Webroot SecureAnywhere, Windows Defender 2 machines
- #9 McAfee 2 machines
- #10 McAfee, Windows Defender 2 machines
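The duplicated rows come from counting on the host's raw anti-virus string. The following Python is an added example, not the report's own tooling, showing one way to normalize those strings before aggregating: split multi-product strings, strip trailing punctuation, sort so product order does not matter, and collapse empty or "N/A" values. The rows are transcribed from the table above; treating "N/A" as "no anti-virus installed" is an assumption.

```python
from __future__ import annotations

from collections import Counter

# Placeholder values a stealer log may carry when nothing is installed
# (assumption: constructed from the values visible in the report table).
NO_AV_VALUES = {"", "n/a", "none", "no anti-virus installed"}


def normalize_av(raw: str) -> tuple[str, ...]:
    """Turn a host's reported anti-virus string into a canonical sorted tuple.

    'Windows Defender.' and 'Windows Defender' map to the same key, as do
    'McAfee, Windows Defender' and 'Windows Defender, McAfee'.
    """
    products = []
    for part in raw.split(","):
        name = part.strip().rstrip(".").strip()
        if name.lower() in NO_AV_VALUES:
            continue
        products.append(name)
    if not products:
        return ("No anti-virus installed",)
    return tuple(sorted(set(products), key=str.lower))


def aggregate_av(rows: list[tuple[str, int]]) -> Counter:
    """Collapse a (raw_string, machine_count) table onto normalized keys."""
    totals: Counter = Counter()
    for raw, count in rows:
        totals[normalize_av(raw)] += count
    return totals


# Rows transcribed from the report's Anti-virus Coverage table.
REPORT_ROWS = [
    ("Windows Defender", 6511),
    ("No anti-virus installed", 1376),
    ("Windows Defender.", 11),
    ("Windows Defender, Avast Antivirus.", 3),
    ("N/A", 2),
    ("Avast Antivirus", 2),
    ("Windows Defender, ESET Security.", 2),
    ("Webroot SecureAnywhere, Windows Defender", 2),
    ("McAfee", 2),
    ("McAfee, Windows Defender", 2),
]

if __name__ == "__main__":
    for key, n in aggregate_av(REPORT_ROWS).most_common():
        print(f"{n:>6}  {', '.join(key)}")
```

Keying on the normalized tuple keeps multi-product hosts distinct from single-product ones while removing the punctuation and ordering noise; if you only want per-product coverage, iterate the tuple and credit each product separately.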
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 38,718 hits
- #2 sso 9,837 hits
- #3 zoom 3,434 hits
- #4 github 2,704 hits
- #5 adfs 1,124 hits
- #6 webmail 883 hits
- #7 oracle 847 hits
- #8 sap 584 hits
- #9 salesforce 566 hits
- #10 ping 460 hits
- #11 zendesk 458 hits
- #12 sts 362 hits
- #13 owa 332 hits
- #14 vpn 326 hits
- #15 cpanel 248 hits
- #16 webex 231 hits
- #17 git 223 hits
- #18 okta 190 hits
- #19 kaspersky 189 hits
- #20 gitlab 188 hits
- #21 st 168 hits
- #22 extranet 147 hits
- #23 roundcube 129 hits
- #24 ftp 77 hits
- #25 twilio 73 hits
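This table is the defender's view of what a buyer of these logs searches for: hostnames and paths that reveal an identity provider (adfs, sso, sts, okta), remote access (vpn, owa, extranet) or developer infrastructure (github, gitlab, git). The Python below is an added example, not the report's or Cavalier's code, that runs the same kind of search over a credential dump: it counts whole-token keyword hits per record, ties records back to a list of corporate domains by e-mail domain or host, and separates Android package entries (the android://<hash>@<package>/ form that saved mobile credentials use) from web hosts. The three-line URL/USER/PASS layout, the sample records and the corporate domain list are all constructed for the example; real stealer dumps vary by family.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Keyword list taken from the report's Targeted Application Keywords table.
REPORT_KEYWORDS = [
    "auth", "sso", "zoom", "github", "adfs", "webmail", "oracle", "sap",
    "salesforce", "ping", "zendesk", "sts", "owa", "vpn", "cpanel", "webex",
    "git", "okta", "kaspersky", "gitlab", "st", "extranet", "roundcube",
    "ftp", "twilio",
]

# Constructed sample dump (assumed three-line layout; dummy passwords).
SAMPLE_LOG = """\
URL: https://sso.contoso.example/login
USER: a.smith@contoso.example
PASS: Winter2025!
URL: https://adfs.contoso.example/adfs/ls/
USER: a.smith@contoso.example
PASS: Winter2025!
URL: https://vpn-portal.fabrikam.example/auth
USER: bob
PASS: Passw0rd
URL: https://accounts.google.com/
USER: bob@gmail.com
PASS: hunter2
URL: android://AbCd1234@com.facebook.katana/
USER: bob@gmail.com
PASS: hunter2
URL: https://github.com/login
USER: dev@fabrikam.example
PASS: ghp_dummy
URL: https://mail.fabrikam.example/owa/auth/logon.aspx
USER: dev@fabrikam.example
PASS: Spring2025!
"""

_FIELD = re.compile(r"^(URL|USER|PASS):\s*(.*)$")


def parse_records(text: str) -> list[dict[str, str]]:
    """Group URL/USER/PASS lines into records; each URL line starts a new one."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue  # separators, banners and unparseable lines are skipped
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "url":
            records.append({"url": value})
        elif records:
            records[-1][key] = value
    return records


def host_of(url: str) -> str:
    """Hostname of a web URL, or the package name of an android://<hash>@<pkg>/ URL."""
    parsed = urlparse(url)
    if parsed.scheme == "android":
        return parsed.netloc.rsplit("@", 1)[-1].lower()
    return (parsed.hostname or "").lower()


def tokens_of(url: str) -> set[str]:
    """Hostname labels (split on '.' and '-') plus path segments, lower-cased."""
    toks = set(re.split(r"[.\-]", host_of(url)))
    toks.update(seg for seg in urlparse(url).path.lower().split("/") if seg)
    toks.discard("")
    return toks


def keyword_hits(records, keywords=REPORT_KEYWORDS) -> Counter:
    """Count records whose URL carries each keyword as a whole token (once per record)."""
    hits: Counter = Counter()
    for rec in records:
        toks = tokens_of(rec["url"])
        hits.update(kw for kw in keywords if kw in toks)
    return hits


def corporate_exposure(records, corp_domains) -> dict[str, set[str]]:
    """Map each corporate domain to the usernames tied to it by e-mail domain or host."""
    exposure: dict[str, set[str]] = {}
    for rec in records:
        user = rec.get("user", "")
        mail_domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
        host = host_of(rec["url"])
        for domain in corp_domains:
            if mail_domain == domain or host == domain or host.endswith("." + domain):
                exposure.setdefault(domain, set()).add(user)
    return exposure


def android_packages(records) -> Counter:
    """Count saved credentials bound to Android packages rather than web hosts."""
    return Counter(host_of(r["url"]) for r in records if r["url"].startswith("android://"))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(keyword_hits(recs).most_common())
    print(corporate_exposure(recs, {"contoso.example", "fabrikam.example"}))
    print(android_packages(recs))
```

Matching on whole hostname labels and path segments rather than substrings is deliberate: a substring search for "st" or "sts" would light up almost every record, which is likely why those short keywords rank as high as they do in the table. When triaging a dump for your own organization, run corporate_exposure first with every domain you own, then treat any record whose tokens hit an identity or remote-access keyword as a password reset and session revocation, not just a credential rotation.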
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.