Infostealers Weekly Report: 2026-03-30 – 2026-04-06
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 1,135
- #2 United States of America 464
- #3 France 313
- #4 Indonesia 255
- #5 Italy 244
- #6 Brazil 244
- #7 Vietnam 202
- #8 Philippines 138
- #9 Pakistan 126
- #10 Unknown Region 121
- #11 China 98
- #12 Germany 81
- #13 Bangladesh 78
- #14 Turkey 77
- #15 Argentina 77
- #16 Colombia 71
- #17 Mexico 68
- #18 Algeria 67
- #19 Egypt 60
- #20 South Korea 55
- #21 Japan 49
- #22 United Kingdom 40
- #23 Morocco 38
- #24 South Africa 37
- #25 Canada 33
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 9,469 users
- #2 facebook.com 7,724 users
- #3 live.com 7,202 users
- #4 instagram.com 5,367 users
- #5 com.facebook.katana 4,742 users
- #6 discord.com 4,639 users
- #7 netflix.com 4,340 users
- #8 amazon.com 3,982 users
- #9 com.instagram.android 3,981 users
- #10 roblox.com 3,568 users
- #11 steampowered.com 3,434 users
- #12 com.netflix.mediaclient 3,313 users
- #13 paypal.com 3,034 users
- #14 microsoftonline.com 2,863 users
- #15 apple.com 2,834 users
- #16 twitch.tv 2,721 users
- #17 twitter.com 2,674 users
- #18 com.roblox.client 2,586 users
- #19 epicgames.com 2,555 users
- #20 com.discord 2,546 users
- #21 spotify.com 2,540 users
- #22 com.spotify.music 2,319 users
- #23 riotgames.com 2,282 users
- #24 openai.com 2,134 users
- #25 steamcommunity.com 2,117 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 108 employees
- #2 aruba.it 74 employees
- #3 icicibank.com 68 employees
- #4 firstmail.ltd 65 employees
- #5 rediff.com 56 employees
- #6 tim.it 44 employees
- #7 pec.it 42 employees
- #8 bobibanking.com 35 employees
- #9 netpnb.com 30 employees
- #10 mail.tm 29 employees
- #11 unionbankonline.co.in 27 employees
- #12 atlassian.com 24 employees
- #13 icai.org 24 employees
- #14 163.com 22 employees
- #15 accenture.com 21 employees
- #16 santander.com.br 21 employees
- #17 pnbibanking.in 20 employees
- #18 zsthost.com 20 employees
- #19 infocert.it 20 employees
- #20 secureserver.net 19 employees
- #21 cned.fr 19 employees
- #22 abv.bg 18 employees
- #23 buenosaires.gob.ar 18 employees
- #24 njoyn.com 17 employees
- #25 secop.gov.co 16 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 ups.com 7 employees
- #2 microsoft.com 6 employees
- #3 netflix.com 4 employees
- #4 twc.com 4 employees
- #5 salesforce.com 4 employees
- #6 ibm.com 4 employees
- #7 ajg.com 3 employees
- #8 publix.com 3 employees
- #9 viacom.com 2 employees
- #10 rockwellautomation.com 2 employees
- #11 intel.com 2 employees
- #12 johnsoncontrols.com 1 employee
- #13 aa.com 1 employee
- #14 cbre.com 1 employee
- #15 statefarm.com 1 employee
- #16 nike.com 1 employee
- #17 ebay.com 1 employee
- #18 stryker.com 1 employee
- #19 facebook.com 1 employee
- #20 google.com 1 employee
Compromised users
- #1 google.com 9,469 users
- #2 facebook.com 7,724 users
- #3 netflix.com 4,340 users
- #4 amazon.com 3,982 users
- #5 paypal.com 3,034 users
- #6 apple.com 2,834 users
- #7 ebay.com 505 users
- #8 oracle.com 463 users
- #9 nike.com 442 users
- #10 hp.com 433 users
- #11 microsoft.com 401 users
- #12 walmart.com 294 users
- #13 cisco.com 260 users
- #14 ups.com 226 users
- #15 ibm.com 199 users
- #16 adp.com 151 users
- #17 target.com 147 users
- #18 bestbuy.com 144 users
- #19 capitalone.com 132 users
- #20 fedex.com 128 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 4,742 users
- 3,981 users
- Netflix 3,313 users
- Roblox 2,586 users
- Discord 2,546 users
- Spotify 2,319 users
- 2,107 users
- Snapchat 1,750 users
- Twitch 1,702 users
- 1,413 users
- Wish 1,039 users
- PayPal 973 users
- Disney 818 users
- Zoom 714 users
- Mega 675 users
- Xiaomi 628 users
- 596 users
- Waze 428 users
- Mercadolibre 371 users
- Alibaba 359 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 523,128 users
- #2 hotmail.com 45,990 users
- #3 yahoo.com 18,363 users
- #4 outlook.com 14,506 users
- #5 hotmail.fr 6,840 users
- #6 icloud.com 4,383 users
- #7 msn.com 3,171 users
- #8 live.fr 2,497 users
- #9 hotmail.it 2,414 users
- #10 live.com 2,247 users
- #11 libero.it 2,117 users
- #12 yahoo.it 1,615 users
- #13 aol.com 1,355 users
- #14 yahoo.fr 1,272 users
- #15 web.de 1,234 users
- #16 hotmail.es 1,199 users
- #17 orange.fr 1,106 users
- #18 alice.it 1,096 users
- #19 ymail.com 1,024 users
- #20 free.fr 882 users
- #21 gmx.de 814 users
- #22 mail.ru 742 users
- #23 yahoo.com.br 693 users
- #24 yahoo.co.uk 647 users
- #25 live.it 624 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 11,969 machines
- #2 Acreed 730 machines
- #3 Vidar 62 machines
- #4 Lumma 5 machines
Anti-virus Coverage
- #1 Windows Defender 4,697 machines
- #2 No anti-virus installed 2,803 machines
- #3 McAfee 4 machines
- #4 Reason Cybersecurity 3 machines
- #5 Avast Antivirus 2 machines
- #6 Trend Micro Personal Firewall 1 machine
- #7 Trend Micro Apex One Antivirus 1 machine
- #8 Avast 1 machine
- #9 Norton 360 for Gamers 1 machine
- #10 McAfee Firewall 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 66,432 hits
- #2 sso 15,729 hits
- #3 zoom 5,018 hits
- #4 github 3,069 hits
- #5 webex 2,170 hits
- #6 adfs 1,692 hits
- #7 webmail 1,644 hits
- #8 oracle 957 hits
- #9 zendesk 867 hits
- #10 vpn 632 hits
- #11 sap 613 hits
- #12 ping 603 hits
- #13 owa 547 hits
- #14 sts 532 hits
- #15 cpanel 492 hits
- #16 okta 381 hits
- #17 ftp 357 hits
- #18 extranet 304 hits
- #19 kaspersky 288 hits
- #20 salesforce 283 hits
- #21 st 253 hits
- #22 roundcube 189 hits
- #23 imap 170 hits
- #24 twilio 130 hits
- #25 gitlab 98 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.