Methods, systems, and computer programs for detecting targeted attacks on compromised computer. An example method includes receiving from a plurality of computer systems data about the network resource, wherein each of the plurality of computer systems has a set of parameters and associated parameter values; detecting presence of a suspect indicator in the respective data received from each of a first group of the plurality of computer systems; detecting absence of the suspect indicator in the respective data received from each of a second group of the plurality of computer systems; determining at least one suspect parameter and at least one suspect parameter value; and estimating a probability of the targeted attack from the network resource based on the suspect indicator, the at least one suspect parameter, and the at least one parameter value.