Back

csx.com Domain Breach Exposure Report

Risk Score

High Risk

Critical asset booster applied - enterprise VPN / gateway credentials exposed.

AI Findings Summary

Critical

The domain csx.com has experienced a significant number of security events over the past year, with a total of 56,402 events recorded. The vast majority of these events, 96.1%, are historical data breaches, totaling 54,228 incidents. Additionally, there are 2,174 active infostealer logs, representing 3.9% of the total events. The timeline shows a peak in employee-related events in September 2025 and January 2026, with client-related events also showing significant spikes during these periods. The most prevalent malware family associated with these events is Redline, accounting for 82.8% of identified malware. The data indicates a high risk of credential compromise and potential data exfiltration, with a critical asset booster applied, suggesting a high-value target. Given the high volume of historical data breaches and active infostealer logs, the primary focus for remediation should be on strengthening authentication mechanisms, enhancing endpoint security to detect and prevent infostealer activity, and conducting thorough investigations into the historical data breaches to understand the root causes and prevent recurrence. The prevalence of Redline infostealer suggests a focus on phishing and social engineering vectors, necessitating user training and improved email filtering. The targeted services include critical login portals, indicating a direct attempt to compromise user credentials.

Total Events

56,402
credential exposure events

Employee Affected Events

53,730
account email domain = csx.com

Client Affected Events

2,672
service target = csx.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
20,00013,3336,6670
peak month 17,115
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events2,174
Share4%
Data breaches
Events54,228
Share96%
Infostealer logs (4%)
2,174events
Data breaches (96%)
54,228events

53,730 compromised employee accounts pose an infrastructure risk, while 2,672 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender Malwarebytes4
Windows Defender1
Kaspersky1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline1,799
Rhadamanthys58
LummaC242
Acreed25
Vidar20
RisePro16
Aurora3
StealC1
Millenium1

Top Login URLs

Top exposed services found in the event results

  1. 1csx.com733
  2. 2https://logon.csx.com/106
  3. 3https://sxlogon.csx.com/91
  4. 4sxlogon.csx.com/67
  5. 5https://sts1.csx.com/adfs/ls60
  6. 6https://sxlogon.csx.com59
  7. 7sxlogon.csx.com55
  8. 8https://apps.csx.com/vpn/index.html52
  9. 9https://logon.csx.com51
  10. 10https://logon.csx.com/signin/verify/okta/password45

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events546
Netherlands
Events413
Germany
Events367
Denmark
Events152
India
Events72
United Kingdom
Events63
France
Events41
Belgium
Events35

Country Breakdown

  1. 1United States546
  2. 2Netherlands413
  3. 3Germany367
  4. 4Denmark152
  5. 5India72
  6. 6United Kingdom63
  7. 7France41
  8. 8Belgium35

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix151
Microsoft146
Pulse Secure19
Git16
Cisco (AnyConnect)15
FortiNet VPN13
WordPress1

Operating System Distribution

Distribution of compromised endpoint builds

Windows Server 2012 x32142
Windows 10 Home x32134
Windows 8 x32133
Windows Server 2012 R2 x32127
Windows Server 2008 R2 x32127

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
37,859
Combolist pools
16,369
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.