Infostealers Weekly Report: 2026-04-06 – 2026-04-13
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 2,103
- #2 Indonesia 405
- #3 Vietnam 329
- #4 France 299
- #5 Philippines 286
- #6 Pakistan 284
- #7 Bangladesh 278
- #8 Brazil 233
- #9 United States of America 217
- #10 Italy 152
- #11 South Africa 130
- #12 Egypt 124
- #13 Mexico 110
- #14 Germany 103
- #15 Algeria 89
- #16 Kenya 74
- #17 Morocco 73
- #18 Sri Lanka 69
- #19 Turkey 68
- #20 Colombia 66
- #21 Nepal 61
- #22 Peru 53
- #23 South Korea 50
- #24 Saudi Arabia 45
- #25 Argentina 45
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 16,453 users
- #2 facebook.com 14,195 users
- #3 live.com 11,450 users
- #4 instagram.com 9,137 users
- #5 com.facebook.katana 8,690 users
- #6 com.instagram.android 6,832 users
- #7 discord.com 6,735 users
- #8 netflix.com 6,458 users
- #9 amazon.com 6,015 users
- #10 roblox.com 4,994 users
- #11 com.netflix.mediaclient 4,925 users
- #12 apple.com 4,745 users
- #13 steampowered.com 4,615 users
- #14 paypal.com 4,591 users
- #15 microsoftonline.com 4,589 users
- #16 twitter.com 4,081 users
- #17 com.roblox.client 3,695 users
- #18 spotify.com 3,596 users
- #19 linkedin.com 3,566 users
- #20 com.discord 3,520 users
- #21 com.spotify.music 3,423 users
- #22 twitch.tv 3,279 users
- #23 openai.com 3,231 users
- #24 mega.nz 3,159 users
- #25 epicgames.com 3,129 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 hostinger.com 150 employees
- #2 rediff.com 136 employees
- #3 icicibank.com 135 employees
- #4 netpnb.com 67 employees
- #5 pnbibanking.in 63 employees
- #6 firstmail.ltd 62 employees
- #7 aruba.it 55 employees
- #8 bobibanking.com 54 employees
- #9 onlinesbi.sbi 53 employees
- #10 unionbankonline.co.in 50 employees
- #11 mail.tm 50 employees
- #12 secureserver.net 45 employees
- #13 icai.org 40 employees
- #14 163.com 35 employees
- #15 digimail.in 32 employees
- #16 pec.it 30 employees
- #17 laureate.net 30 employees
- #18 rockwellautomation.com 30 employees
- #19 santander.com.br 29 employees
- #20 accenture.com 27 employees
- #21 fednetbank.com 26 employees
- #22 njoyn.com 26 employees
- #23 sts.net.pk 25 employees
- #24 zsthost.com 25 employees
- #25 onlinesbi.com 23 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 rockwellautomation.com 30 employees
- #2 microsoft.com 14 employees
- #3 ups.com 8 employees
- #4 netflix.com 5 employees
- #5 ibm.com 4 employees
- #6 publix.com 4 employees
- #7 twc.com 4 employees
- #8 cognizant.com 4 employees
- #9 gs.com 3 employees
- #10 salesforce.com 3 employees
- #11 lowes.com 2 employees
- #12 cisco.com 2 employees
- #13 paypal.com 2 employees
- #14 pepsico.com 2 employees
- #15 disney.com 2 employees
- #16 ch2m.com 1 employee
- #17 apple.com 1 employee
- #18 bakerhughes.com 1 employee
- #19 starwoodhotels.com 1 employee
- #20 statefarm.com 1 employee
Compromised users
- #1 google.com 16,453 users
- #2 facebook.com 14,195 users
- #3 netflix.com 6,458 users
- #4 amazon.com 6,015 users
- #5 apple.com 4,745 users
- #6 paypal.com 4,591 users
- #7 oracle.com 776 users
- #8 hp.com 685 users
- #9 ebay.com 672 users
- #10 microsoft.com 603 users
- #11 nike.com 553 users
- #12 cisco.com 374 users
- #13 walmart.com 341 users
- #14 ibm.com 328 users
- #15 ups.com 227 users
- #16 westernunion.com 184 users
- #17 fedex.com 176 users
- #18 broadcom.com 160 users
- #19 adp.com 158 users
- #20 bestbuy.com 148 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 8,690 users
- 6,832 users
- Netflix 4,925 users
- Roblox 3,695 users
- Discord 3,520 users
- Spotify 3,423 users
- 3,117 users
- Snapchat 2,914 users
- 2,258 users
- Twitch 2,092 users
- Wish 1,419 users
- PayPal 1,394 users
- Zoom 1,260 users
- Xiaomi 1,133 users
- Mega 1,078 users
- Disney 1,016 users
- 980 users
- Mercadolibre 601 users
- Waze 558 users
- Alibaba 502 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, Hotmail, and beyond: providers seen across this week's stealer logs.
- #1 gmail.com 739,914 users
- #2 hotmail.com 64,462 users
- #3 yahoo.com 28,272 users
- #4 outlook.com 19,419 users
- #5 icloud.com 5,993 users
- #6 hotmail.fr 3,795 users
- #7 googlemail.com 3,366 users
- #8 live.com 3,200 users
- #9 msn.com 2,599 users
- #10 hotmail.it 2,306 users
- #11 live.fr 1,721 users
- #12 hotmail.es 1,534 users
- #13 yahoo.de 1,444 users
- #14 yahoo.fr 1,368 users
- #15 libero.it 1,366 users
- #16 aol.com 1,365 users
- #17 ymail.com 1,297 users
- #18 gmx.de 1,258 users
- #19 orange.fr 1,247 users
- #20 yahoo.co.in 1,110 users
- #21 comcast.net 924 users
- #22 mail.com 905 users
- #23 web.de 886 users
- #24 mail.ru 865 users
- #25 alice.it 802 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 23,667 machines
- #2 Acreed 555 machines
- #3 Lumma 65 machines
- #4 Vidar 36 machines
Anti-virus Coverage
- #1 No anti-virus installed 9,017 machines
- #2 Windows Defender 8,969 machines
- #3 Reason Cybersecurity 1 machine
- #4 None 1 machine
- #5 McAfee 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 105,241 hits
- #2 sso 24,200 hits
- #3 zoom 6,878 hits
- #4 github 4,995 hits
- #5 adfs 2,093 hits
- #6 webmail 1,878 hits
- #7 webex 1,748 hits
- #8 oracle 1,648 hits
- #9 zendesk 1,222 hits
- #10 sap 1,217 hits
- #11 ping 926 hits
- #12 vpn 873 hits
- #13 sts 754 hits
- #14 cpanel 687 hits
- #15 owa 662 hits
- #16 ftp 602 hits
- #17 okta 571 hits
- #18 kaspersky 419 hits
- #19 salesforce 410 hits
- #20 extranet 401 hits
- #21 st 376 hits
- #22 roundcube 288 hits
- #23 twilio 223 hits
- #24 gitlab 130 hits
- #25 imap 129 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.