Experts flag a huge amount of cyberattacks coming from this unexpected domain

News
By published

.es is now the third-most exploited TLD

how to prevent phishing attacks
(Image credit: Unsplash)
  • Experts observe a 19x quarter-over-quarter rise in .es usage for malicious campaigns
  • 99% were credential phishing attacks, with 1% relating to remote access trojans
  • Microsoft was by far the most commonly impersonated brand

Cybersecurity experts from Cofense have revealed a 19x increase in malicious campaigns using .es domains between Q4 2024 and Q5 2025, making it the third-most abused top-level domain (TLD) after .com and .ru.

Typically reserved for businesses and organizations in Spain, or Spanish-speaking audiences, researchers found nearly 1,400 malicious subdomains across nearly 450 .es base domains between January and May.

An overwhelming majority (99%) of the campaigns involved credential phishing, with most of the remaining 1% delivering remote access trojans (RATs) like ConnectWise RAT, Dark Crystal and XWorm.

Although the rise of .es domains in cyberattacks is noteworthy, attack vectors remain unchanged. Malware was seen to be delivered by C2 nodes or spoofed emails, with most (95%) impersonating Microsoft (an attacker's favorite). Adobe, Google, Docusign and the Social Security Administration made up the top-five most commonly impersonated websites. Email lures often mimicked HR and document-related requests.

Interestingly, the malicious .es subdomains were randomly generated, not crafted manually, making them easier to identify as being fake. Examples include ag7sr[.]fjlabpkgcuo[.]es and gymi8[.]fwpzza[.]es.

Despite researchers suggesting that no similarities can be used to link attacks to a single group, 99% of the malicious .es domains were hosted on Cloudflare.

"If one threat actor or threat actor group were taking advantage of .es TLD domains then it is likely that the brands spoofed in .es TLD campaigns would indicate certain preferences by the threat actors," the researchers wrote.

Cofense explained that "significant restrictions" on the usage of .es TLDs were in place until 2005, adding that the recent rise in .es-related attacks could be a cause for concern, marking a new trend exploiting the authority that country-related TLDs unofficially carry.

You might also like

TOPICS
Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.