Infostealers Weekly Report: 2026-01-05 – 2026-01-12
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 United States of America 1,064
- #2 India 978
- #3 Brazil 423
- #4 Unknown Region 320
- #5 Indonesia 236
- #6 China 204
- #7 Germany 194
- #8 Japan 157
- #9 France 152
- #10 Philippines 150
- #11 Vietnam 145
- #12 Egypt 128
- #13 United Kingdom 119
- #14 Turkey 113
- #15 South Korea 109
- #16 Poland 103
- #17 Bangladesh 98
- #18 Argentina 93
- #19 Canada 88
- #20 Pakistan 82
- #21 Australia 78
- #22 Italy 78
- #23 Mexico 75
- #24 Thailand 71
- #25 Spain 69
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 10,819 users
- #2 facebook.com 8,150 users
- #3 live.com 7,813 users
- #4 instagram.com 5,114 users
- #5 discord.com 4,647 users
- #6 netflix.com 4,634 users
- #7 com.facebook.katana 4,488 users
- #8 roblox.com 3,921 users
- #9 amazon.com 3,785 users
- #10 com.instagram.android 3,502 users
- #11 paypal.com 3,479 users
- #12 steampowered.com 3,220 users
- #13 microsoftonline.com 2,924 users
- #14 apple.com 2,867 users
- #15 com.netflix.mediaclient 2,848 users
- #16 twitch.tv 2,767 users
- #17 twitter.com 2,722 users
- #18 spotify.com 2,671 users
- #19 epicgames.com 2,616 users
- #20 com.roblox.client 2,269 users
- #21 linkedin.com 2,150 users
- #22 com.spotify.music 2,118 users
- #23 riotgames.com 2,109 users
- #24 steamcommunity.com 2,070 users
- #25 com.discord 2,066 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 aruba.it 113 employees
- #2 hostinger.com 87 employees
- #3 pec.it 63 employees
- #4 firstmail.ltd 60 employees
- #5 icicibank.com 59 employees
- #6 tim.it 55 employees
- #7 rediff.com 41 employees
- #8 mail.de 38 employees
- #9 themailchicken.net 37 employees
- #10 confused.com 36 employees
- #11 wp.pl 36 employees
- #12 secureserver.net 28 employees
- #13 qq.com 27 employees
- #14 secop.gov.co 24 employees
- #15 postecert.it 23 employees
- #16 netpnb.com 22 employees
- #17 santander.com.br 20 employees
- #18 pec.net 20 employees
- #19 rmunify.com 20 employees
- #20 freenet.de 20 employees
- #21 icai.org 20 employees
- #22 alxswe.com 19 employees
- #23 bobibanking.com 19 employees
- #24 unionbankonline.co.in 19 employees
- #25 ovh.net 18 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 charter.com 7 employees
- #2 rockwellautomation.com 7 employees
- #3 publix.com 7 employees
- #4 lilly.com 7 employees
- #5 salesforce.com 5 employees
- #6 ups.com 3 employees
- #7 ibm.com 2 employees
- #8 hp.com 2 employees
- #9 microsoft.com 2 employees
- #10 visteon.com 2 employees
- #11 jll.com 1 employee
- #12 mutualofomaha.com 1 employee
- #13 level3.com 1 employee
- #14 netflix.com 1 employee
- #15 bms.com 1 employee
- #16 cognizant.com 1 employee
- #17 centurylink.com 1 employee
- #18 jacobs.com 1 employee
- #19 amazon.com 1 employee
Compromised users
- #1 google.com 10,819 users
- #2 facebook.com 8,150 users
- #3 netflix.com 4,634 users
- #4 amazon.com 3,785 users
- #5 paypal.com 3,479 users
- #6 apple.com 2,867 users
- #7 ebay.com 638 users
- #8 hp.com 583 users
- #9 nike.com 461 users
- #10 oracle.com 439 users
- #11 microsoft.com 346 users
- #12 ups.com 316 users
- #13 walmart.com 269 users
- #14 fedex.com 203 users
- #15 cisco.com 194 users
- #16 capitalone.com 155 users
- #17 westernunion.com 145 users
- #18 adp.com 137 users
- #19 ibm.com 131 users
- #20 bestbuy.com 130 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- #1 Facebook (com.facebook.katana) 4,488 users
- #2 Instagram (com.instagram.android) 3,502 users
- #3 Netflix 2,848 users
- #4 Roblox 2,269 users
- #5 Spotify 2,118 users
- #6 Discord 2,066 users
- #7 (app name not captured) 1,863 users
- #8 Snapchat 1,592 users
- #9 Twitch 1,507 users
- #10 (app name not captured) 1,232 users
- #11 Wish 1,185 users
- #12 PayPal 964 users
- #13 Disney 846 users
- #14 Mega 656 users
- #15 (app name not captured) 647 users
- #16 Zoom 630 users
- #17 Xiaomi 586 users
- #18 Alibaba 427 users
- #19 Waze 413 users
- #20 Mercadolibre 331 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 865,561 users
- #2 hotmail.com 76,305 users
- #3 yahoo.com 46,696 users
- #4 outlook.com 29,696 users
- #5 web.de 14,350 users
- #6 icloud.com 11,823 users
- #7 gmx.de 9,842 users
- #8 libero.it 9,472 users
- #9 hotmail.fr 6,064 users
- #10 hotmail.it 5,961 users
- #11 orange.fr 5,700 users
- #12 googlemail.com 5,321 users
- #13 rogers.com 4,236 users
- #14 live.de 3,660 users
- #15 live.com 3,306 users
- #16 msn.com 2,971 users
- #17 hotmail.co.uk 2,895 users
- #18 t-online.de 2,781 users
- #19 live.fr 2,661 users
- #20 free.fr 2,600 users
- #21 yahoo.fr 2,490 users
- #22 live.co.uk 2,309 users
- #23 hotmail.de 2,276 users
- #24 ymail.com 2,119 users
- #25 aol.com 2,084 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 11,986 machines
- #2 Lumma 2,352 machines
- #3 Acreed 1,501 machines
- #4 Vidar 316 machines
Anti-virus Coverage
- #1 Windows Defender 2,863 machines
- #2 No anti-virus installed 266 machines
- #3 Windows Defender, 360 Total Security 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 90,282 hits
- #2 sso 23,425 hits
- #3 zoom 4,778 hits
- #4 github 4,710 hits
- #5 webmail 3,494 hits
- #6 adfs 3,454 hits
- #7 sap 1,490 hits
- #8 zendesk 1,378 hits
- #9 oracle 1,330 hits
- #10 sts 1,143 hits
- #11 ping 1,097 hits
- #12 owa 1,022 hits
- #13 vpn 848 hits
- #14 imap 641 hits
- #15 cpanel 580 hits
- #16 okta 490 hits
- #17 kaspersky 471 hits
- #18 st 455 hits
- #19 extranet 455 hits
- #20 roundcube 350 hits
- #21 webex 319 hits
- #22 ftp 291 hits
- #23 twilio 275 hits
- #24 salesforce 224 hits
- #25 zimbra 175 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.