Weekly intelligence Jun 1 – Jun 8, 2026 13 min read

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.

#1 15,862 Compromised Machines

#2 4,260 Compromised Employees

#3 2,106 Compromised Users

#4 9,496 Compromised Androids

#5 272,679 Compromised Domains

Check if you are exposed All reports →

Threat Geography

Where infections came from

Compromised machines distributed by country of infection — hover any region to inspect.

Top 25 of 159

Infections by country

Top 25 countries

#1 India 3,011
#2 France 601
#3 United States of America 430
#4 Italy 342
#5 Indonesia 338
#6 Brazil 233
#7 United Kingdom 219
#8 Pakistan 207
#9 Spain 202
#10 Philippines 162
#11 Germany 135
#12 Bangladesh 134
#13 Vietnam 125
#14 South Africa 113
#15 Unknown Region 111
#16 Egypt 99
#17 China 96
#18 Canada 89
#19 Algeria 88
#20 Japan 74
#21 Colombia 69
#22 Morocco 68
#23 Sri Lanka 67
#24 Mexico 64
#25 Kenya 54

Top Compromised Domains

Where users had active sessions

Domains where infected users had active sessions and saved credentials at the time of infection.

Top 25

#1 google.com 11,058 users
#2 facebook.com 8,282 users
#3 live.com 7,482 users
#4 instagram.com 6,330 users
#5 netflix.com 4,765 users
#6 amazon.com 4,744 users
#7 com.facebook.katana 4,702 users
#8 discord.com 4,444 users
#9 com.instagram.android 4,061 users
#10 paypal.com 3,775 users
#11 apple.com 3,731 users
#12 microsoftonline.com 3,604 users
#13 steampowered.com 3,485 users
#14 linkedin.com 3,483 users
#15 twitter.com 3,430 users
#16 roblox.com 3,364 users
#17 amazon.in 3,325 users
#18 openai.com 3,231 users
#19 spotify.com 3,120 users
#20 192.168.1.1 3,074 users
#21 github.com 2,959 users
#22 twitch.tv 2,863 users
#23 com.netflix.mediaclient 2,760 users
#24 mega.nz 2,725 users
#25 epicgames.com 2,724 users

Top Compromised Corporate Domains

Employees caught in the logs

Domains where compromised users were employees, surfaced via business email and credentials.

Top 25

#1 android 549 employees
#2 icicibank.com 385 employees
#3 hostinger.com 378 employees
#4 wirelesslan.gr 318 employees
#5 indogames.id 266 employees
#6 rediff.com 221 employees
#7 aruba.it 217 employees
#8 bobibanking.com 164 employees
#9 icai.org 164 employees
#10 wp.pl 142 employees
#11 pec.it 140 employees
#12 pnp.gov.ph 136 employees
#13 tim.it 122 employees
#14 rmunify.com 121 employees
#15 skole.hr 114 employees
#16 unionbankonline.co.in 96 employees
#17 fnp.com 93 employees
#18 quest-global.com 88 employees
#19 campero.com 87 employees
#20 ingrails.com 86 employees
#21 jcyl.es 82 employees
#22 bankofbaroda.bank.in 82 employees
#23 egyptair.com 79 employees
#24 netpnb.com 78 employees
#25 endoweb.com.br 76 employees

Fortune 500 Exposure

Top S&P companies hit this week

Top S&P companies with compromised employees and customers detected this week.

Compromised employees

#1 ibm.com 65 employees
#2 microsoft.com 59 employees
#3 cognizant.com 53 employees
#4 essendant.com 27 employees
#5 salesforce.com 16 employees
#6 fedex.com 15 employees
#7 twc.com 8 employees
#8 nike.com 8 employees
#9 jpmorganchase.com 7 employees
#10 qualcomm.com 7 employees
#11 netflix.com 6 employees
#12 oracle.com 6 employees
#13 rockwellautomation.com 6 employees
#14 abbott.com 5 employees
#15 xerox.com 5 employees
#16 jnj.com 4 employees
#17 publix.com 4 employees
#18 amazon.com 4 employees
#19 att.com 4 employees
#20 ge.com 3 employees

Compromised users

#1 google.com 11,058 users
#2 facebook.com 8,282 users
#3 netflix.com 4,765 users
#4 amazon.com 4,744 users
#5 paypal.com 3,775 users
#6 apple.com 3,731 users
#7 oracle.com 1,404 users
#8 hp.com 1,164 users
#9 ebay.com 1,078 users
#10 microsoft.com 939 users
#11 nike.com 775 users
#12 cisco.com 748 users
#13 ibm.com 689 users
#14 salesforce.com 479 users
#15 ups.com 468 users
#16 pg.com 367 users
#17 americanexpress.com 321 users
#18 broadcom.com 319 users
#19 walmart.com 278 users
#20 westernunion.com 247 users

Compromised Mobile Apps

Top Android apps found in infected caches

The Android applications most frequently found in infected device caches this week.

Top 20

Facebook

facebook.com · com.facebook.katana

4,702 users

Instagram

instagram.com · com.instagram.android

4,061 users

Netflix

netflix.com · com.netflix.mediaclient

2,760 users

Snapchat

snapchat.com · com.snapchat.android

1,853 users

Spotify

spotify.com · com.spotify.music

1,825 users

Discord

discord.com · com.discord

1,701 users

Roblox

roblox.com · com.roblox.client

1,676 users

pinterest.com · com.pinterest

1,626 users

Twitter

twitter.com · com.twitter.android

1,249 users

#10

Twitch

app.com · tv.twitch.android.app

1,032 users

#11

PayPal

paypal.com · com.paypal.android.p2pmobile

794 users

#12

Zoom

videomeetings.com · us.zoom.videomeetings

793 users

#13

Wish

contextlogic.com · com.contextlogic.wish

764 users

#14

linkedin.com · com.linkedin.android

719 users

#15

Xiaomi

xiaomi.com · com.xiaomi.account

712 users

#16

Mega

app.com · mega.privacy.android.app

634 users

#17

Disney

disney.com · com.disney.disneyplus

550 users

#18

Alibaba

alibaba.com · com.alibaba.aliexpresshd

354 users

#19

Mercadolibre

mercadolibre.com · com.mercadolibre

288 users

#20

Waze

waze.com · com.waze

263 users

Top Compromised Email Providers

Email domains tied to compromised credentials

Gmail, hotmail, and beyond — providers seen across this week's stealer logs.

Top 25

#1 gmail.com 1,085,700 users
#2 hotmail.com 76,677 users
#3 yahoo.com 32,691 users
#4 outlook.com 26,772 users
#5 hotmail.fr 12,736 users
#6 icloud.com 7,763 users
#7 gmx.de 4,660 users
#8 orange.fr 4,070 users
#9 yahoo.fr 3,822 users
#10 web.de 3,748 users
#11 googlemail.com 3,657 users
#12 libero.it 3,510 users
#13 free.fr 3,453 users
#14 live.com 3,211 users
#15 live.fr 3,003 users
#16 hotmail.it 2,638 users
#17 gmx.net 2,532 users
#18 hotmail.co.uk 1,935 users
#19 yahoo.com.br 1,871 users
#20 msn.com 1,857 users
#21 sfr.fr 1,554 users
#22 virgilio.it 1,283 users
#23 laposte.net 1,234 users
#24 ymail.com 1,219 users
#25 yahoo.it 1,207 users

Malware Landscape

Stealer families & anti-virus coverage

Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.

Stealer Families

#1 Generic Stealer 14,232machines
#2 Acreed 1,628machines
#3 Lumma 1machines
#4 Raccoon 1machines

Targeted Application Keywords

What attackers grep for

The most common application keywords seen across credential logs — auth, sso, vpn, and more.

Top 25

#1 auth 133,685hits
#2 sso 40,870hits
#3 zoom 9,154hits
#4 github 7,280hits
#5 sap 4,894hits
#6 webmail 3,961hits
#7 adfs 3,471hits
#8 oracle 2,750hits
#9 ping 1,414hits
#10 sts 1,333hits
#11 zendesk 1,242hits
#12 salesforce 1,196hits
#13 owa 1,115hits
#14 vpn 1,113hits
#15 cpanel 950hits
#16 webex 654hits
#17 extranet 635hits
#18 okta 553hits
#19 ftp 545hits
#20 st 495hits
#21 kaspersky 475hits
#22 roundcube 420hits
#23 gitlab 351hits
#24 twilio 347hits
#25 imap 313hits

Cavalier · Continuous monitoring

Get this depth of insight on your own organization.

Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.

Get a free report Explore Cavalier →

More reports

Previous weekly briefings

View archive →

May 25 → Jun 1, 2026 13 min

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

18K machines
4K users
259K domains

View report →

May 18 → May 25, 2026 13 min

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

14K machines
4K users
187K domains

View report →

May 11 → May 18, 2026 13 min

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

25K machines
2K users
319K domains

View report →

Infostealers Weekly Report: 2026-06-01 – 2026-06-08

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Snapchat

Spotify

Discord

Roblox

Pinterest

Twitter

Twitch

PayPal

Zoom

Wish

LinkedIn

Xiaomi

Mega

Disney

Alibaba

Mercadolibre

Waze

Email domains tied to compromised credentials

Stealer families & anti-virus coverage

Stealer Families

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

Infostealers Weekly Report: 2026-05-11 – 2026-05-18

Where infections came from

Where users had active sessions

Employees caught in the logs

Top S&P companies hit this week

Compromised employees

Compromised users

Top Android apps found in infected caches

Facebook

Instagram

Netflix

Snapchat

Spotify

Discord

Roblox

Pinterest

Twitter

Twitch

PayPal

Zoom

Wish

LinkedIn

Xiaomi

Mega

Disney

Alibaba

Mercadolibre

Waze

Email domains tied to compromised credentials

Where saved sessions and logins lived

Stealer families & anti-virus coverage

Stealer Families

What attackers grep for

Get this depth of insight on your own organization.

Previous weekly briefings

Infostealers Weekly Report: 2026-05-25 – 2026-06-01

Infostealers Weekly Report: 2026-05-18 – 2026-05-25

Infostealers Weekly Report: 2026-05-11 – 2026-05-18