Weekly intelligence Mar 16 – Mar 23, 2026 12 min read

Infostealers Weekly Report: 2026-03-16 – 2026-03-23

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 13,060 Compromised Machines

#2 2,549 Compromised Employees

#3 2,280 Compromised Users

#4 8,231 Compromised Androids

#5 174,427 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 165

Infections by country

Top 25 countries

#1 India 1,230
#2 Brazil 338
#3 Pakistan 328
#4 Vietnam 241
#5 Philippines 239
#6 Bangladesh 222
#7 Indonesia 192
#8 Italy 117
#9 France 110
#10 United States of America 103
#11 South Africa 102
#12 Sri Lanka 97
#13 Mexico 93
#14 Turkey 83
#15 Egypt 79
#16 Argentina 78
#17 Algeria 69
#18 Nigeria 64
#19 Thailand 59
#20 Colombia 56
#21 Peru 53
#22 Morocco 51
#23 Kenya 49
#24 Poland 49
#25 Saudi Arabia 47

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 9,062 users
#2 facebook.com 7,244 users
#3 live.com 6,011 users
#4 instagram.com 4,597 users
#5 com.facebook.katana 4,414 users
#6 com.instagram.android 3,484 users
#7 discord.com 3,335 users
#8 netflix.com 3,264 users
#9 amazon.com 2,953 users
#10 roblox.com 2,593 users
#11 apple.com 2,587 users
#12 com.netflix.mediaclient 2,505 users
#13 steampowered.com 2,373 users
#14 paypal.com 2,243 users
#15 microsoftonline.com 2,141 users
#16 com.roblox.client 2,009 users
#17 twitter.com 2,007 users
#18 com.discord 1,834 users
#19 com.pinterest 1,825 users
#20 mega.nz 1,802 users
#21 openai.com 1,783 users
#22 com.spotify.music 1,741 users
#23 192.168.1.1 1,730 users
#24 spotify.com 1,715 users
#25 linkedin.com 1,641 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 icicibank.com 87 employees
#2 hostinger.com 68 employees
#3 netpnb.com 49 employees
#4 firstmail.ltd 42 employees
#5 rediff.com 40 employees
#6 santander.com.br 33 employees
#7 bobibanking.com 29 employees
#8 wp.pl 29 employees
#9 buenosaires.gob.ar 26 employees
#10 aruba.it 26 employees
#11 abv.bg 25 employees
#12 icai.org 24 employees
#13 payoneer.com 22 employees
#14 sempreser.com.br 22 employees
#15 qq.com 21 employees
#16 njoyn.com 21 employees
#17 web-hosting.com 21 employees
#18 pnbibanking.in 20 employees
#19 deped.gov.ph 19 employees
#20 mail.gov.in 19 employees
#21 tim.it 18 employees
#22 163.com 18 employees
#23 mail.tm 18 employees
#24 sts.net.pk 18 employees
#25 freemail.hu 14 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 microsoft.com 11 employees
#2 publix.com 4 employees
#3 salesforce.com 4 employees
#4 cbre.com 2 employees
#5 rockwellautomation.com 2 employees
#6 alcoa.com 1 employees
#7 fisglobal.com 1 employees
#8 jetblue.com 1 employees
#9 labcorp.com 1 employees
#10 gm.com 1 employees
#11 halliburton.com 1 employees
#12 hp.com 1 employees
#13 disney.com 1 employees
#14 regions.com 1 employees
#15 jpmorganchase.com 1 employees
#16 apple.com 1 employees
#17 ups.com 1 employees
#18 cisco.com 1 employees
#19 ge.com 1 employees

Compromised users

#1 google.com 9,062 users
#2 facebook.com 7,244 users
#3 netflix.com 3,264 users
#4 amazon.com 2,953 users
#5 apple.com 2,587 users
#6 paypal.com 2,243 users
#7 ebay.com 381 users
#8 hp.com 372 users
#9 oracle.com 309 users
#10 microsoft.com 302 users
#11 nike.com 258 users
#12 cisco.com 182 users
#13 ibm.com 142 users
#14 walmart.com 133 users
#15 broadcom.com 112 users
#16 ups.com 104 users
#17 intel.com 90 users
#18 westernunion.com 83 users
#19 fedex.com 75 users
#20 adp.com 58 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

4,414 users

Instagram

instagram.com · com.instagram.android

3,484 users

Netflix

netflix.com · com.netflix.mediaclient

2,505 users

Roblox

roblox.com · com.roblox.client

2,009 users

Discord

discord.com · com.discord

1,834 users

pinterest.com · com.pinterest

1,825 users

Spotify

spotify.com · com.spotify.music

1,741 users

Snapchat

snapchat.com · com.snapchat.android

1,626 users

Twitter

twitter.com · com.twitter.android

1,192 users

#10

Twitch

app.com · tv.twitch.android.app

1,031 users

#11

PayPal

paypal.com · com.paypal.android.p2pmobile

791 users

#12

Wish

contextlogic.com · com.contextlogic.wish

776 users

#13

Zoom

videomeetings.com · us.zoom.videomeetings

657 users

#14

Xiaomi

xiaomi.com · com.xiaomi.account

633 users

#15

Mega

app.com · mega.privacy.android.app

595 users

#16

linkedin.com · com.linkedin.android

507 users

#17

Disney

disney.com · com.disney.disneyplus

500 users

#18

Mercadolibre

mercadolibre.com · com.mercadolibre

359 users

#19

Alibaba

alibaba.com · com.alibaba.aliexpresshd

336 users

#20

Waze

waze.com · com.waze

271 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 403,960 users
#2 hotmail.com 28,747 users
#3 yahoo.com 11,692 users
#4 outlook.com 10,943 users
#5 icloud.com 3,815 users
#6 hotmail.fr 1,921 users
#7 live.com 1,325 users
#8 laposte.net 819 users
#9 orange.fr 792 users
#10 alice.it 696 users
#11 yahoo.fr 696 users
#12 libero.it 664 users
#13 hotmail.it 663 users
#14 gmx.de 592 users
#15 yahoo.com.br 554 users
#16 mail.ru 532 users
#17 sfr.fr 515 users
#18 yandex.ru 480 users
#19 hotmail.co.uk 472 users
#20 wanadoo.fr 467 users
#21 live.fr 456 users
#22 mail.com 414 users
#23 aol.com 402 users
#24 hotmail.de 323 users
#25 yahoo.co.jp 301 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Generic Stealer 9,296machines
#2 Vidar 2,228machines
#3 Acreed 1,432machines
#4 Lumma 104machines

Anti-virus Coverage

#1 Windows Defender 6,457machines
#2 No anti-virus installed 1,114machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 46,293hits
#2 sso 10,805hits
#3 zoom 2,912hits
#4 github 2,362hits
#5 adfs 957hits
#6 webmail 833hits
#7 oracle 671hits
#8 zendesk 551hits
#9 salesforce 477hits
#10 sap 447hits
#11 vpn 445hits
#12 ping 382hits
#13 owa 352hits
#14 sts 319hits
#15 kaspersky 263hits
#16 st 256hits
#17 extranet 249hits
#18 cpanel 233hits
#19 webex 199hits
#20 okta 171hits
#21 ftp 168hits
#22 imap 111hits
#23 roundcube 101hits
#24 twilio 95hits
#25 gitlab 94hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

Jun 15 → Jun 22, 2026 13 min

Infostealers Weekly Report: 2026-06-15 – 2026-06-22

16K machines
3K users
216K domains

View report →

Jun 8 → Jun 15, 2026 12 min

Infostealers Weekly Report: 2026-06-08 – 2026-06-15

9K machines
2K users
125K domains

View report →

Jun 1 → Jun 8, 2026 13 min

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

16K machines
2K users
273K domains

View report →

Infostealers Weekly Report: 2026-03-16 – 2026-03-23

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Roblox

Discord

Pinterest

Spotify

Snapchat

Twitter

Twitch

PayPal

Wish

Zoom

Xiaomi

Mega

LinkedIn

Disney

Mercadolibre

Alibaba

Waze

Email domains tied to compromised credentials

Stealer families & anti-virus coverage

Stealer Families

Anti-virus Coverage

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-06-15 – 2026-06-22

Infostealers Weekly Report: 2026-06-08 – 2026-06-15

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Roblox

Discord

Pinterest

Spotify

Snapchat

Twitter

Twitch

PayPal

Wish

Zoom

Xiaomi

Mega

LinkedIn

Disney

Mercadolibre

Alibaba

Waze

Email domains tied to compromised credentials

Where saved sessions and logins lived

Stealer families & anti-virus coverage

Stealer Families

Anti-virus Coverage

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-06-15 – 2026-06-22

Infostealers Weekly Report: 2026-06-08 – 2026-06-15

Infostealers Weekly Report: 2026-06-01 – 2026-06-08