Weekly intelligence Apr 27 – May 4, 2026

Infostealers Weekly Report: 2026-04-27 – 2026-05-04

Infostealers Weekly Report: in this report, we provide insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. We analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of infostealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and infostealer statistics.

#1 13,546 Compromised Machines
#2 2,335 Compromised Employees
#3 3,967 Compromised Users
#4 7,244 Compromised Androids
#5 186,008 Compromised Domains

Threat Geography

Where infections came from

Compromised machines distributed by country of infection.

Top 25 of 145
Infections by country

Top 25 countries

  1. #1 India 1,072
  2. #2 Indonesia 497
  3. #3 Philippines 225
  4. #4 Pakistan 221
  5. #5 Bangladesh 195
  6. #6 Brazil 183
  7. #7 Vietnam 168
  8. #8 Mexico 116
  9. #9 South Africa 99
  10. #10 Egypt 73
  11. #11 Algeria 61
  12. #12 Colombia 57
  13. #13 Argentina 57
  14. #14 Kenya 56
  15. #15 Morocco 53
  16. #16 Thailand 51
  17. #17 Nigeria 43
  18. #18 Turkey 43
  19. #19 Tanzania 40
  20. #20 Sri Lanka 37
  21. #21 Malaysia 36
  22. #22 Ethiopia 34
  23. #23 Peru 34
  24. #24 Ghana 33
  25. #25 United States of America 31

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25
  1. #1 google.com 9,475 users
  2. #2 facebook.com 7,746 users
  3. #3 live.com 5,992 users
  4. #4 instagram.com 4,177 users
  5. #5 com.facebook.katana 4,067 users
  6. #6 apple.com 3,139 users
  7. #7 netflix.com 3,029 users
  8. #8 com.instagram.android 3,009 users
  9. #9 discord.com 2,912 users
  10. #10 amazon.com 2,866 users
  11. #11 paypal.com 2,442 users
  12. #12 192.168.1.1 2,422 users
  13. #13 unlocktool.net 2,291 users
  14. #14 mega.nz 2,235 users
  15. #15 steampowered.com 2,130 users
  16. #16 com.netflix.mediaclient 2,085 users
  17. #17 roblox.com 2,041 users
  18. #18 twitter.com 2,025 users
  19. #19 samsung.com 2,010 users
  20. #20 192.168.0.1 1,825 users
  21. #21 microsoftonline.com 1,758 users
  22. #22 com.roblox.client 1,717 users
  23. #23 linkedin.com 1,691 users
  24. #24 xiaomi.com 1,669 users
  25. #25 github.com 1,551 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25
  1. #1 android 116 employees
  2. #2 hostinger.com 86 employees
  3. #3 icicibank.com 52 employees
  4. #4 rediff.com 36 employees
  5. #5 bobibanking.com 33 employees
  6. #6 firstmail.ltd 26 employees
  7. #7 netpnb.com 25 employees
  8. #8 santander.com.br 22 employees
  9. #9 unionbankonline.co.in 20 employees
  10. #10 pnbibanking.in 19 employees
  11. #11 aiou.edu.pk 19 employees
  12. #12 indusind.com 17 employees
  13. #13 sts.net.pk 17 employees
  14. #14 ionos.com 16 employees
  15. #15 pnb.bank.in 16 employees
  16. #16 payoneer.com 16 employees
  17. #17 njoyn.com 16 employees
  18. #18 mail.tm 15 employees
  19. #19 hostgator.com 15 employees
  20. #20 icai.org 14 employees
  21. #21 watchit.com 14 employees
  22. #22 wp.pl 14 employees
  23. #23 concentrix.com 13 employees
  24. #24 alxswe.com 13 employees
  25. #25 jwpub.org 13 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

  1. #1 microsoft.com 6 employees
  2. #2 disney.com 4 employees
  3. #3 lowes.com 4 employees
  4. #4 salesforce.com 3 employees
  5. #5 firstam.com 3 employees
  6. #6 ibm.com 3 employees
  7. #7 verizon.com 2 employees
  8. #8 jpmorganchase.com 2 employees
  9. #9 ups.com 2 employees
  10. #10 publix.com 2 employees
  11. #11 amazon.com 1 employee
  12. #12 ingredion.com 1 employee
  13. #13 twc.com 1 employee
  14. #14 pepsico.com 1 employee
  15. #15 rockwellautomation.com 1 employee
  16. #16 jll.com 1 employee
  17. #17 netflix.com 1 employee
  18. #18 oracle.com 1 employee
  19. #19 fedex.com 1 employee
  20. #20 cablevision.com 1 employee

Compromised users

  1. #1 google.com 9,475 users
  2. #2 facebook.com 7,746 users
  3. #3 apple.com 3,139 users
  4. #4 netflix.com 3,029 users
  5. #5 amazon.com 2,866 users
  6. #6 paypal.com 2,442 users
  7. #7 oracle.com 418 users
  8. #8 hp.com 380 users
  9. #9 ebay.com 350 users
  10. #10 microsoft.com 233 users
  11. #11 cisco.com 232 users
  12. #12 nike.com 198 users
  13. #13 ibm.com 157 users
  14. #14 walmart.com 153 users
  15. #15 broadcom.com 136 users
  16. #16 westernunion.com 87 users
  17. #17 intel.com 70 users
  18. #18 ups.com 69 users
  19. #19 salesforce.com 65 users
  20. #20 fedex.com 65 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20
  1. #1 Facebook · facebook.com · com.facebook.katana · 4,067 users
  2. #2 Instagram · instagram.com · com.instagram.android · 3,009 users
  3. #3 Netflix · netflix.com · com.netflix.mediaclient · 2,085 users
  4. #4 Roblox · roblox.com · com.roblox.client · 1,717 users
  5. #5 Discord · discord.com · com.discord · 1,477 users
  6. #6 Spotify · spotify.com · com.spotify.music · 1,408 users
  7. #7 Snapchat · snapchat.com · com.snapchat.android · 1,397 users
  8. #8 Pinterest · pinterest.com · com.pinterest · 1,346 users
  9. #9 Twitter · twitter.com · com.twitter.android · 1,071 users
  10. #10 Twitch · app.com · tv.twitch.android.app · 749 users
  11. #11 PayPal · paypal.com · com.paypal.android.p2pmobile · 741 users
  12. #12 Xiaomi · xiaomi.com · com.xiaomi.account · 674 users
  13. #13 Wish · contextlogic.com · com.contextlogic.wish · 602 users
  14. #14 Mega · app.com · mega.privacy.android.app · 595 users
  15. #15 Zoom · videomeetings.com · us.zoom.videomeetings · 569 users
  16. #16 LinkedIn · linkedin.com · com.linkedin.android · 453 users
  17. #17 Disney · disney.com · com.disney.disneyplus · 373 users
  18. #18 Mercadolibre · mercadolibre.com · com.mercadolibre · 295 users
  19. #19 Alibaba · alibaba.com · com.alibaba.aliexpresshd · 269 users
  20. #20 Waze · waze.com · com.waze · 210 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, Hotmail, and beyond — providers seen across this week's stealer logs.

Top 25
  1. #1 gmail.com 459,331 users
  2. #2 hotmail.com 29,430 users
  3. #3 yahoo.com 16,292 users
  4. #4 outlook.com 10,101 users
  5. #5 icloud.com 3,977 users
  6. #6 hotmail.fr 1,171 users
  7. #7 ymail.com 961 users
  8. #8 yahoo.co.id 935 users
  9. #9 msn.com 880 users
  10. #10 live.com 859 users
  11. #11 mail.com 762 users
  12. #12 yahoo.fr 638 users
  13. #13 aol.com 545 users
  14. #14 yahoo.com.br 492 users
  15. #15 orange.fr 453 users
  16. #16 protonmail.com 405 users
  17. #17 proton.me 375 users
  18. #18 libero.it 373 users
  19. #19 yahoo.co.in 342 users
  20. #20 email.com 341 users
  21. #21 yahoo.com.ar 307 users
  22. #22 hotmail.es 301 users
  23. #23 web.de 287 users
  24. #24 hotmail.it 286 users
  25. #25 live.fr 267 users

Top Compromised Social Platforms

Where saved sessions and logins lived

Social media services where compromised accounts had stored sessions or saved logins.

Top 19
  1. #1 facebook.com 7,746 accounts
  2. #2 twitter.com 2,025 accounts
  3. #3 instagram.com 4,177 accounts
  4. #4 linkedin.com 1,691 accounts
  5. #5 pinterest.com 704 accounts
  6. #6 tiktok.com 1,187 accounts
  7. #7 snapchat.com 900 accounts
  8. #8 reddit.com 264 accounts
  9. #9 youtube.com 52 accounts
  10. #10 weibo.com 7 accounts
  11. #11 vk.com 386 accounts
  12. #12 telegram.org 152 accounts
  13. #13 tumblr.com 132 accounts
  14. #14 discord.com 2,912 accounts
  15. #15 flickr.com 98 accounts
  16. #16 myspace.com 18 accounts
  17. #17 badoo.com 70 accounts
  18. #18 meetup.com 17 accounts
  19. #19 quora.com 54 accounts

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

  1. #1 Generic Stealer 13,270 machines
  2. #2 Lumma 272 machines
  3. #3 Acreed 4 machines

Anti-virus Coverage

  1. #1 Windows Defender 8,554 machines
  2. #2 No anti-virus installed 52 machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25
  1. #1 auth 55,970 hits
  2. #2 sso 11,176 hits
  3. #3 github 2,867 hits
  4. #4 zoom 2,847 hits
  5. #5 webmail 926 hits
  6. #6 oracle 877 hits
  7. #7 adfs 665 hits
  8. #8 vpn 661 hits
  9. #9 zendesk 605 hits
  10. #10 sap 549 hits
  11. #11 owa 506 hits
  12. #12 cpanel 473 hits
  13. #13 ping 457 hits
  14. #14 sts 287 hits
  15. #15 kaspersky 283 hits
  16. #16 webex 269 hits
  17. #17 salesforce 265 hits
  18. #18 st 263 hits
  19. #19 roundcube 215 hits
  20. #20 okta 203 hits
  21. #21 ftp 167 hits
  22. #22 twilio 145 hits
  23. #23 imap 110 hits
  24. #24 extranet 91 hits
  25. #25 git 81 hits
