Infostealers Weekly Report: 2026-06-29 – 2026-07-06
InfoStealers Weekly Report - In this comprehensive report, we provide you with valuable insights into the most pressing threats facing organizations today. As cyberattacks continue to grow in complexity and scale, our mission is to equip you with the knowledge and tools needed to safeguard your sensitive information. Join us as we analyze the top compromised domains, identify trends in compromised employees and users, and examine the global impact of InfoStealer infections. Stay informed, stay protected, and stay one step ahead of cyber threats with our weekly report and info-stealers statistics.
Threat Geography
Where infections came from
Compromised machines distributed by country of infection — hover any region to inspect.
Top 25 countries
- #1 India 5,785
- #2 United States of America 767
- #3 Indonesia 537
- #4 Philippines 337
- #5 Pakistan 252
- #6 France 242
- #7 Brazil 226
- #8 Unknown Region 194
- #9 Bangladesh 183
- #10 Egypt 173
- #11 United Kingdom 162
- #12 Mexico 159
- #13 Thailand 146
- #14 Vietnam 145
- #15 China 145
- #16 South Africa 132
- #17 Canada 102
- #18 Japan 94
- #19 Colombia 92
- #20 Germany 90
- #21 Algeria 87
- #22 Italy 85
- #23 Turkey 79
- #24 Peru 79
- #25 Spain 77
Top Compromised Domains
Where users had active sessions
Domains where infected users had active sessions and saved credentials at the time of infection.
-
#1
google.com 14,977 users
-
#2
facebook.com 10,729 users
-
#3
live.com 8,746 users
-
#4
instagram.com 8,221 users
-
#5
com.facebook.katana 7,288 users
-
#6
com.instagram.android 6,741 users
-
#7
amazon.com 4,893 users
-
#8
netflix.com 4,680 users
-
#9
amazon.in 3,967 users
-
#10
com.netflix.mediaclient 3,847 users
-
#11
discord.com 3,695 users
-
#12
apple.com 3,209 users
-
#13
microsoftonline.com 3,166 users
-
#14
com.snapchat.android 3,163 users
-
#15
linkedin.com 3,070 users
-
#16
paypal.com 2,925 users
-
#17
openai.com 2,807 users
-
#18
twitter.com 2,760 users
-
#19
steampowered.com 2,653 users
-
#20
roblox.com 2,515 users
-
#21
com.spotify.music 2,501 users
-
#22
github.com 2,435 users
-
#23
192.168.1.1 2,409 users
-
#24
irctc.co.in 2,218 users
-
#25
com.pinterest 2,194 users
Top Compromised Corporate Domains
Employees caught in the logs
Domains where compromised users were employees, surfaced via business email and credentials.
-
#1
icicibank.com 167 employees
-
#2
rediff.com 166 employees
-
#3
hostinger.com 133 employees
-
#4
icai.org 95 employees
-
#5
netpnb.com 91 employees
-
#6
unionbankonline.co.in 71 employees
-
#7
bobibanking.com 64 employees
-
#8
pnb.bank.in 46 employees
-
#9
aruba.it 44 employees
-
#10
njoyn.com 43 employees
-
#11
bankofbaroda.bank.in 40 employees
-
#12
secureserver.net 31 employees
-
#13
onlinesbi.com 31 employees
-
#14
hostgator.com 30 employees
-
#15
digimail.in 30 employees
-
#16
wp.pl 29 employees
-
#17
mail.gov.in 29 employees
-
#18
fednetbank.com 29 employees
-
#19
icici.bank.in 27 employees
-
#20
indusind.com 26 employees
-
#21
karnataka.gov.in 25 employees
-
#22
salesforce.com 23 employees
-
#23
firstmail.ltd 23 employees
-
#24
pnbibanking.in 22 employees
-
#25
pec.it 21 employees
Fortune 500 Exposure
Top S&P companies hit this week
Top S&P companies with compromised employees and customers detected this week.
Compromised employees
-
#1
salesforce.com 23 employees
-
#2
microsoft.com 16 employees
-
#3
ibm.com 10 employees
-
#4
cognizant.com 6 employees
-
#5
rockwellautomation.com 5 employees
-
#6
amazon.com 3 employees
-
#7
publix.com 3 employees
-
#8
harman.com 2 employees
-
#9
google.com 2 employees
-
#10
ups.com 2 employees
-
#11
cisco.com 2 employees
-
#12
facebook.com 2 employees
-
#13
apple.com 2 employees
-
#14
pepsico.com 2 employees
-
#15
ford.com 2 employees
-
#16
oracle.com 2 employees
-
#17
bestbuy.com 1 employees
-
#18
jll.com 1 employees
-
#19
essendant.com 1 employees
-
#20
hp.com 1 employees
Compromised users
-
#1
google.com 14,977 users
-
#2
facebook.com 10,729 users
-
#3
amazon.com 4,893 users
-
#4
netflix.com 4,680 users
-
#5
apple.com 3,209 users
-
#6
paypal.com 2,925 users
-
#7
oracle.com 748 users
-
#8
hp.com 656 users
-
#9
ebay.com 466 users
-
#10
microsoft.com 417 users
-
#11
cisco.com 379 users
-
#12
nike.com 322 users
-
#13
ibm.com 313 users
-
#14
ups.com 183 users
-
#15
salesforce.com 161 users
-
#16
walmart.com 157 users
-
#17
broadcom.com 156 users
-
#18
fedex.com 116 users
-
#19
adp.com 113 users
-
#20
intel.com 108 users
Compromised Mobile Apps
Top Android apps found in infected caches
The Android applications most frequently found in infected device caches this week.
7,288 users
6,741 users
Netflix
3,847 users
Snapchat
3,163 users
Spotify
2,501 users
2,194 users
Discord
2,179 users
Roblox
1,975 users
1,711 users
Zoom
1,217 users
Xiaomi
1,068 users
Twitch
1,050 users
995 users
PayPal
973 users
Wish
866 users
Mega
847 users
Disney
418 users
Alibaba
318 users
Waze
283 users
Mercadolibre
256 users
Top Compromised Email Providers
Email domains tied to compromised credentials
Gmail, hotmail, and beyond — providers seen across this week's stealer logs.
-
#1
gmail.com 596,620 users
-
#2
hotmail.com 36,249 users
-
#3
outlook.com 15,019 users
-
#4
yahoo.com 14,889 users
-
#5
icloud.com 3,463 users
-
#6
hotmail.fr 2,971 users
-
#7
hotmail.it 2,219 users
-
#8
live.com 1,746 users
-
#9
yahoo.fr 1,502 users
-
#10
live.fr 1,212 users
-
#11
libero.it 1,106 users
-
#12
hotmail.co.uk 1,101 users
-
#13
yahoo.co.uk 1,043 users
-
#14
ymail.com 1,023 users
-
#15
yahoo.co.id 1,018 users
-
#16
orange.fr 892 users
-
#17
laposte.net 866 users
-
#18
mail.com 762 users
-
#19
msn.com 709 users
-
#20
free.fr 656 users
-
#21
me.com 547 users
-
#22
email.com 451 users
-
#23
live.co.uk 408 users
-
#24
yahoo.co.in 403 users
-
#25
proton.me 381 users
Malware Landscape
Stealer families & anti-virus coverage
Malware families responsible for this week's infections, and the anti-virus solutions reported by infected hosts.
Stealer Families
- #1 Generic Stealer 17,983machines
- #2 Acreed 2,269machines
- #3 Lumma 1,688machines
- #4 Raccoon 4machines
Anti-virus Coverage
- #1 Windows Defender 14,752machines
- #2 None 1,304machines
- #3 Avast 58machines
- #4 Avast, Norton 49machines
- #5 Kaspersky 48machines
- #6 Malwarebytes 47machines
- #7 WinDefender 39machines
- #8 ESET 22machines
- #9 Avast, AVG 12machines
- #10 AVG 3machines
Targeted Application Keywords
What attackers grep for
The most common application keywords seen across credential logs — auth, sso, vpn, and more.
- #1 auth 63,681hits
- #2 sso 16,875hits
- #3 github 4,527hits
- #4 zoom 4,506hits
- #5 oracle 1,467hits
- #6 adfs 1,366hits
- #7 webmail 1,353hits
- #8 sap 1,196hits
- #9 salesforce 706hits
- #10 zendesk 698hits
- #11 vpn 698hits
- #12 sts 655hits
- #13 ping 619hits
- #14 ftp 532hits
- #15 cpanel 460hits
- #16 owa 388hits
- #17 webex 362hits
- #18 okta 311hits
- #19 st 281hits
- #20 kaspersky 247hits
- #21 extranet 185hits
- #22 twilio 183hits
- #23 roundcube 171hits
- #24 imap 163hits
- #25 gitlab 128hits
Cavalier · Continuous monitoring
Get this depth of insight on your own organization.
Cavalier turns this same intelligence into a continuous real-time feed of compromised employees, customers and third-party vendors for your business.
More reports
Previous weekly briefings
Infostealers Weekly Report: 2026-06-22 – 2026-06-29
- 29K machines
- 5K users
- 343K domains
Infostealers Weekly Report: 2026-06-15 – 2026-06-22
- 16K machines
- 3K users
- 216K domains
Infostealers Weekly Report: 2026-06-08 – 2026-06-15
- 9K machines
- 2K users
- 125K domains
Top Compromised Social Platforms
Where saved sessions and logins lived
Social media services where compromised accounts had stored sessions or saved logins.