Infostealers Weekly Report: 2026-01-26 – 2026-02-02
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 995
- #2 United States of America 481
- #3 Brazil 470
- #4 Indonesia 425
- #5 Pakistan 280
- #6 Philippines 263
- #7 Bangladesh 253
- #8 Turkey 246
- #9 France 159
- #10 Vietnam 148
- #11 Poland 143
- #12 Egypt 130
- #13 Germany 128
- #14 Mexico 115
- #15 Argentina 114
- #16 United Kingdom 111
- #17 Spain 110
- #18 Italy 108
- #19 Morocco 99
- #20 Thailand 88
- #21 Algeria 84
- #22 Netherlands 80
- #23 Romania 75
- #24 Colombia 74
- #25 Serbia 67
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 8,675 users
- #2 facebook.com 6,709 users
- #3 live.com 6,033 users
- #4 instagram.com 4,477 users
- #5 discord.com 3,946 users
- #6 com.facebook.katana 3,707 users
- #7 netflix.com 3,447 users
- #8 amazon.com 3,041 users
- #9 roblox.com 3,032 users
- #10 com.instagram.android 2,958 users
- #11 steampowered.com 2,888 users
- #12 paypal.com 2,580 users
- #13 apple.com 2,465 users
- #14 microsoftonline.com 2,321 users
- #15 com.netflix.mediaclient 2,301 users
- #16 twitter.com 2,215 users
- #17 spotify.com 2,095 users
- #18 twitch.tv 2,070 users
- #19 epicgames.com 2,061 users
- #20 linkedin.com 1,879 users
- #21 riotgames.com 1,829 users
- #22 com.discord 1,823 users
- #23 com.roblox.client 1,784 users
- #24 openai.com 1,756 users
- #25 github.com 1,744 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 112 employees
- #2 firstmail.ltd 60 employees
- #3 163.com 54 employees
- #4 icicibank.com 49 employees
- #5 rediff.com 45 employees
- #6 qq.com 41 employees
- #7 wp.pl 39 employees
- #8 aruba.it 36 employees
- #9 tim.it 29 employees
- #10 unionbankonline.co.in 24 employees
- #11 mail.tm 23 employees
- #12 secureserver.net 22 employees
- #13 netpnb.com 20 employees
- #14 indusind.com 19 employees
- #15 pec.it 18 employees
- #16 bank.in 18 employees
- #17 santander.com.br 18 employees
- #18 sts.net.pk 18 employees
- #19 o2.pl 17 employees
- #20 interia.pl 17 employees
- #21 payoneer.com 17 employees
- #22 onet.pl 16 employees
- #23 zsthost.com 16 employees
- #24 bobibanking.com 16 employees
- #25 njoyn.com 14 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 microsoft.com 9 employees
- #2 ibm.com 6 employees
- #3 rockwellautomation.com 5 employees
- #4 publix.com 4 employees
- #5 netflix.com 3 employees
- #6 twc.com 3 employees
- #7 salesforce.com 3 employees
- #8 chsinc.com 2 employees
- #9 google.com 2 employees
- #10 ford.com 2 employees
- #11 hp.com 2 employees
- #12 amazon.com 2 employees
- #13 cisco.com 2 employees
- #14 ajg.com 2 employees
- #15 cdw.com 1 employee
- #16 mckesson.com 1 employee
- #17 chevron.com 1 employee
- #18 oreillyauto.com 1 employee
- #19 oracle.com 1 employee
- #20 metlife.com 1 employee
Compromised users
- #1 google.com 8,675 users
- #2 facebook.com 6,709 users
- #3 netflix.com 3,447 users
- #4 amazon.com 3,041 users
- #5 paypal.com 2,580 users
- #6 apple.com 2,465 users
- #7 ebay.com 498 users
- #8 hp.com 414 users
- #9 oracle.com 410 users
- #10 nike.com 331 users
- #11 microsoft.com 318 users
- #12 cisco.com 198 users
- #13 walmart.com 194 users
- #14 ups.com 162 users
- #15 ibm.com 149 users
- #16 broadcom.com 110 users
- #17 westernunion.com 108 users
- #18 intel.com 100 users
- #19 fedex.com 95 users
- #20 bestbuy.com 92 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 3,707 users
- 2,958 users
- Netflix 2,301 users
- Discord 1,823 users
- Roblox 1,784 users
- Spotify 1,463 users
- Snapchat 1,309 users
- Twitch 1,215 users
- 1,105 users
- 973 users
- PayPal 773 users
- Zoom 587 users
- Mega 577 users
- Wish 545 users
- Xiaomi 541 users
- 518 users
- Disney 514 users
- Alibaba 330 users
- Waze 291 users
- Mercadolibre 241 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 480,787 users
- #2 hotmail.com 39,200 users
- #3 yahoo.com 17,750 users
- #4 outlook.com 12,681 users
- #5 icloud.com 3,949 users
- #6 live.com 2,072 users
- #7 libero.it 1,248 users
- #8 yahoo.co.jp 1,105 users
- #9 aol.com 1,063 users
- #10 proton.me 1,031 users
- #11 yahoo.com.br 1,020 users
- #12 gmx.de 986 users
- #13 hotmail.fr 960 users
- #14 hotmail.it 880 users
- #15 yahoo.fr 751 users
- #16 me.com 733 users
- #17 hotmail.es 731 users
- #18 mail.ru 723 users
- #19 protonmail.com 715 users
- #20 web.de 701 users
- #21 mail.com 678 users
- #22 ymail.com 603 users
- #23 msn.com 599 users
- #24 laposte.net 558 users
- #25 yahoo.it 539 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 11,098 machines
- #2 Acreed 840 machines
- #3 Vidar 519 machines
- #4 Lumma 333 machines
- #5 RedLine 2 machines
Anti-virus Coverage
- #1 Windows Defender 2,490 machines
- #2 No anti-virus installed 1,407 machines
- #3 Windows Defender. 8 machines
- #4 ESET Security, Windows Defender, ESET Security. 1 machine
- #5 N/A 1 machine
- #6 Kaspersky, Kaspersky, Windows Defender, Kaspersky. 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 59,035 hits
- #2 sso 12,350 hits
- #3 github 3,484 hits
- #4 zoom 3,196 hits
- #5 webmail 1,492 hits
- #6 adfs 1,408 hits
- #7 oracle 939 hits
- #8 zendesk 839 hits
- #9 sap 640 hits
- #10 vpn 559 hits
- #11 sts 535 hits
- #12 ping 529 hits
- #13 cpanel 457 hits
- #14 owa 405 hits
- #15 kaspersky 402 hits
- #16 imap 300 hits
- #17 okta 298 hits
- #18 salesforce 291 hits
- #19 st 271 hits
- #20 ftp 225 hits
- #21 extranet 205 hits
- #22 webex 196 hits
- #23 roundcube 194 hits
- #24 twilio 173 hits
- #25 gitlab 163 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.