Infostealers Weekly Report: 2025-12-29 – 2026-01-05
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 United States of America 1,523
- #2 India 1,213
- #3 Brazil 756
- #4 Indonesia 473
- #5 Vietnam 472
- #6 Philippines 439
- #7 Germany 313
- #8 France 312
- #9 United Kingdom 264
- #10 Turkey 249
- #11 Egypt 213
- #12 Thailand 199
- #13 Bangladesh 191
- #14 Spain 182
- #15 Mexico 181
- #16 Unknown Region 170
- #17 Poland 164
- #18 Argentina 163
- #19 Pakistan 156
- #20 Peru 151
- #21 Canada 135
- #22 Colombia 124
- #23 Italy 112
- #24 South Korea 108
- #25 Malaysia 103
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 11,964 users
-
#2
facebook.com 8,829 users
-
#3
live.com 8,705 users
-
#4
discord.com 6,298 users
-
#5
roblox.com 6,129 users
-
#6
instagram.com 6,103 users
-
#7
netflix.com 4,921 users
-
#8
com.facebook.katana 4,771 users
-
#9
amazon.com 4,147 users
-
#10
steampowered.com 4,074 users
-
#11
com.instagram.android 3,867 users
-
#12
twitch.tv 3,409 users
-
#13
com.roblox.client 3,368 users
-
#14
microsoftonline.com 3,359 users
-
#15
com.netflix.mediaclient 3,220 users
-
#16
paypal.com 3,177 users
-
#17
spotify.com 3,146 users
-
#18
epicgames.com 3,113 users
-
#19
riotgames.com 2,960 users
-
#20
apple.com 2,894 users
-
#21
twitter.com 2,805 users
-
#22
com.discord 2,640 users
-
#23
steamcommunity.com 2,553 users
-
#24
openai.com 2,415 users
-
#25
com.spotify.music 2,244 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
hostinger.com 92 employees
-
#2
firstmail.ltd 86 employees
-
#3
icicibank.com 68 employees
-
#4
rediff.com 51 employees
-
#5
aruba.it 43 employees
-
#6
unionbankonline.co.in 31 employees
-
#7
icai.org 30 employees
-
#8
tim.it 29 employees
-
#9
bobibanking.com 27 employees
-
#10
netpnb.com 23 employees
-
#11
mail.tm 23 employees
-
#12
pec.it 22 employees
-
#13
wp.pl 21 employees
-
#14
zsthost.com 20 employees
-
#15
pnbibanking.in 20 employees
-
#16
confused.com 19 employees
-
#17
santander.com.br 19 employees
-
#18
web-hosting.com 19 employees
-
#19
naver.com 18 employees
-
#20
abv.bg 18 employees
-
#21
atlassian.com 17 employees
-
#22
163.com 17 employees
-
#23
bank.in 16 employees
-
#24
onlinesbi.com 16 employees
-
#25
concentrix.com 16 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
publix.com 7 employees
-
#2
rockwellautomation.com 5 employees
-
#3
ups.com 4 employees
-
#4
salesforce.com 4 employees
-
#5
microsoft.com 3 employees
-
#6
ibm.com 3 employees
-
#7
jpmorganchase.com 3 employees
-
#8
-
#9
twc.com 2 employees
-
#10
fedex.com 2 employees
-
#11
mutualofomaha.com 2 employees
-
#12
att.com 2 employees
-
#13
gs.com 1 employees
-
#14
emc.com 1 employees
-
#15
bestbuy.com 1 employees
-
#16
lear.com 1 employees
-
#17
raytheon.com 1 employees
-
#18
motorolasolutions.com 1 employees
-
#19
libertymutual.com 1 employees
-
#20
Compromised users
-
#1
-
#2
-
#3
-
#4
-
#5
-
#6
-
#7
ebay.com 574 users
-
#8
hp.com 506 users
-
#9
nike.com 475 users
-
#10
oracle.com 413 users
-
#11
-
#12
walmart.com 342 users
-
#13
cisco.com 236 users
-
#14
-
#15
adp.com 175 users
-
#16
capitalone.com 164 users
-
#17
-
#18
target.com 160 users
-
#19
-
#20
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
4,771 users
3,867 users
Roblox
3,368 users
Netflix
3,220 users
Discord
2,640 users
Spotify
2,244 users
2,044 users
Snapchat
1,787 users
Twitch
1,732 users
1,338 users
Wish
967 users
PayPal
888 users
Disney
755 users
Zoom
685 users
Mega
666 users
622 users
Xiaomi
576 users
Waze
324 users
Alibaba
319 users
Mercadolibre
284 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 660,385 users
-
#2
hotmail.com 56,566 users
-
#3
yahoo.com 36,369 users
-
#4
outlook.com 17,682 users
-
#5
icloud.com 9,667 users
-
#6
hotmail.fr 4,069 users
-
#7
libero.it 3,779 users
-
#8
web.de 3,770 users
-
#9
gmx.de 2,941 users
-
#10
free.fr 2,826 users
-
#11
msn.com 2,441 users
-
#12
-
#13
hotmail.it 2,039 users
-
#14
aol.com 1,944 users
-
#15
live.fr 1,838 users
-
#16
rogers.com 1,819 users
-
#17
yahoo.fr 1,459 users
-
#18
comcast.net 1,453 users
-
#19
hotmail.de 1,442 users
-
#20
live.co.uk 1,371 users
-
#21
orange.fr 1,155 users
-
#22
mail.com 1,044 users
-
#23
hotmail.co.uk 907 users
-
#24
ymail.com 865 users
-
#25
yahoo.it 850 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 9,041machines
- #2 Vidar 4,282machines
- #3 Lumma 3,851machines
- #4 Acreed 105machines
- #5 RedLine 53machines
Anti-virus Coverage
- #1 Windows Defender 9,165machines
- #2 No anti-virus installed 2,506machines
- #3 Windows Defender. 23machines
- #4 N/A 3machines
- #5 Unknown 3machines
- #6 McAfee, Windows Defender 2machines
- #7 Windows Defender, Avast Antivirus. 2machines
- #8 Windows Defender, Kaspersky Application. 2machines
- #9 Windows Defender, McAfee. 1machines
- #10 Windows Defender, Webroot SecureAnywhere 1machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 75,307hits
- #2 sso 18,504hits
- #3 zoom 4,757hits
- #4 github 3,740hits
- #5 webmail 2,364hits
- #6 adfs 2,327hits
- #7 cpanel 2,307hits
- #8 sap 1,315hits
- #9 zendesk 1,079hits
- #10 oracle 968hits
- #11 ping 838hits
- #12 sts 772hits
- #13 vpn 718hits
- #14 owa 631hits
- #15 salesforce 558hits
- #16 okta 376hits
- #17 st 366hits
- #18 kaspersky 338hits
- #19 webex 300hits
- #20 roundcube 275hits
- #21 extranet 258hits
- #22 imap 247hits
- #23 ftp 233hits
- #24 twilio 146hits
- #25 gitlab 132hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-06-01 – 2026-06-08
- 16K machines
- 2K users
- 273K domains
Infostealers Weekly Report: 2026-05-25 – 2026-06-01
- 18K machines
- 4K users
- 259K domains
Infostealers Weekly Report: 2026-05-18 – 2026-05-25
- 14K machines
- 4K users
- 187K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.