Infostealers Weekly Report: 2026-04-20 – 2026-04-27
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection.
Top 25 countries
- #1 India 1,791
- #2 France 950
- #3 Italy 742
- #4 Indonesia 676
- #5 Brazil 478
- #6 United States of America 375
- #7 United Kingdom 352
- #8 Pakistan 290
- #9 Bangladesh 282
- #10 Egypt 245
- #11 Vietnam 207
- #12 Philippines 186
- #13 Spain 162
- #14 Argentina 144
- #15 Mexico 138
- #16 Germany 131
- #17 South Africa 129
- #18 Colombia 124
- #19 Algeria 111
- #20 Canada 108
- #21 China 99
- #22 Kenya 72
- #23 Chile 69
- #24 Thailand 60
- #25 Ghana 56
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
- #1 google.com 19,410 users
- #2 facebook.com 14,804 users
- #3 live.com 12,778 users
- #4 instagram.com 9,832 users
- #5 com.facebook.katana 8,277 users
- #6 discord.com 7,847 users
- #7 amazon.com 7,536 users
- #8 netflix.com 7,183 users
- #9 com.instagram.android 6,843 users
- #10 roblox.com 6,831 users
- #11 apple.com 6,066 users
- #12 steampowered.com 6,008 users
- #13 paypal.com 5,944 users
- #14 com.netflix.mediaclient 5,167 users
- #15 twitter.com 4,730 users
- #16 twitch.tv 4,672 users
- #17 microsoftonline.com 4,642 users
- #18 epicgames.com 4,625 users
- #19 spotify.com 4,314 users
- #20 riotgames.com 4,210 users
- #21 com.roblox.client 4,189 users
- #22 com.discord 4,080 users
- #23 mega.nz 3,789 users
- #24 openai.com 3,768 users
- #25 com.spotify.music 3,754 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
- #1 icicibank.com 166 employees
- #2 aruba.it 166 employees
- #3 hostinger.com 157 employees
- #4 tim.it 117 employees
- #5 rediff.com 97 employees
- #6 pec.it 89 employees
- #7 firstmail.ltd 70 employees
- #8 bobibanking.com 69 employees
- #9 netpnb.com 51 employees
- #10 unionbankonline.co.in 51 employees
- #11 icai.org 49 employees
- #12 njoyn.com 45 employees
- #13 mail.tm 44 employees
- #14 android 43 employees
- #15 unibo.it 41 employees
- #16 infocert.it 41 employees
- #17 163.com 40 employees
- #18 confused.com 34 employees
- #19 pnbibanking.in 33 employees
- #20 indusind.com 32 employees
- #21 ovh.net 30 employees
- #22 atlassian.com 30 employees
- #23 deped.gov.ph 30 employees
- #24 fednetbank.com 28 employees
- #25 sts.net.pk 27 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
- #1 publix.com 20 employees
- #2 microsoft.com 13 employees
- #3 google.com 9 employees
- #4 ibm.com 7 employees
- #5 ups.com 7 employees
- #6 twc.com 5 employees
- #7 salesforce.com 5 employees
- #8 oracle.com 4 employees
- #9 bakerhughes.com 4 employees
- #10 csx.com 3 employees
- #11 rockwellautomation.com 3 employees
- #12 chrobinson.com 2 employees
- #13 cognizant.com 2 employees
- #14 amazon.com 2 employees
- #15 statefarm.com 2 employees
- #16 verizon.com 2 employees
- #17 facebook.com 2 employees
- #18 gm.com 2 employees
- #19 aa.com 1 employee
- #20 apple.com 1 employee
Compromised users
- #1 google.com 19,410 users
- #2 facebook.com 14,804 users
- #3 amazon.com 7,536 users
- #4 netflix.com 7,183 users
- #5 apple.com 6,066 users
- #6 paypal.com 5,944 users
- #7 ebay.com 1,106 users
- #8 oracle.com 932 users
- #9 hp.com 852 users
- #10 nike.com 840 users
- #11 microsoft.com 630 users
- #12 ups.com 539 users
- #13 cisco.com 485 users
- #14 walmart.com 452 users
- #15 ibm.com 331 users
- #16 adp.com 330 users
- #17 capitalone.com 290 users
- #18 broadcom.com 278 users
- #19 bestbuy.com 250 users
- #20 target.com 234 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
- 8,277 users
- 6,843 users
- Netflix 5,167 users
- Roblox 4,189 users
- Discord 4,080 users
- Spotify 3,754 users
- 3,311 users
- Snapchat 3,129 users
- Twitch 2,641 users
- 2,362 users
- PayPal 1,638 users
- Wish 1,560 users
- Mega 1,244 users
- Disney 1,195 users
- Xiaomi 1,176 users
- 1,176 users
- Zoom 1,170 users
- Waze 666 users
- Alibaba 562 users
- Mercadolibre 419 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
- #1 gmail.com 994,487 users
- #2 hotmail.com 64,603 users
- #3 yahoo.com 34,290 users
- #4 outlook.com 23,174 users
- #5 hotmail.fr 16,134 users
- #6 googlemail.com 12,094 users
- #7 icloud.com 8,765 users
- #8 yahoo.fr 6,547 users
- #9 hotmail.it 6,488 users
- #10 libero.it 5,286 users
- #11 orange.fr 5,165 users
- #12 hotmail.co.uk 4,694 users
- #13 msn.com 3,989 users
- #14 free.fr 3,625 users
- #15 live.com 3,398 users
- #16 live.fr 3,311 users
- #17 yahoo.it 3,012 users
- #18 aol.com 2,627 users
- #19 live.it 1,825 users
- #20 laposte.net 1,726 users
- #21 sfr.fr 1,725 users
- #22 alice.it 1,561 users
- #23 yahoo.com.br 1,557 users
- #24 ymail.com 1,522 users
- #25 comcast.net 1,495 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 21,045 machines
- #2 Acreed 6,064 machines
- #3 Lumma 118 machines
Anti-virus Coverage
- #1 Windows Defender 11,694 machines
- #2 No anti-virus installed 674 machines
- #3 Disabled 4 machines
- #4 Quick Heal AntiVirus Pro, Windows Defender 1 machine
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 119,865 hits
- #2 sso 34,990 hits
- #3 zoom 6,119 hits
- #4 github 5,862 hits
- #5 webmail 2,959 hits
- #6 adfs 2,849 hits
- #7 oracle 1,804 hits
- #8 zendesk 1,488 hits
- #9 vpn 1,346 hits
- #10 sts 1,193 hits
- #11 sap 1,103 hits
- #12 ping 1,097 hits
- #13 owa 982 hits
- #14 cpanel 816 hits
- #15 salesforce 720 hits
- #16 okta 613 hits
- #17 extranet 585 hits
- #18 st 548 hits
- #19 kaspersky 519 hits
- #20 webex 489 hits
- #21 ftp 319 hits
- #22 roundcube 307 hits
- #23 twilio 299 hits
- #24 gitlab 285 hits
- #25 imap 232 hits
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.