- Experts observe a 19x quarter-over-quarter increase in the use of .es domains for malicious campaigns
- 99% of campaigns were credential phishing, with the remaining 1% delivering remote access Trojans
- Microsoft was by far the most commonly impersonated brand
Cybersecurity researchers at Cofense have revealed a 19x increase in malicious campaigns using .es domains between the fourth quarter of 2024 and the first quarter of 2025, making .es the third most abused top-level domain (TLD) after .com and .ru.
Typically reserved for companies and organizations in Spain, or those serving Spanish-speaking audiences, .es domains yielded almost 1,400 malicious subdomains across almost 450 base domains between January and May, the researchers found.
An overwhelming majority (99%) of the campaigns involved credential phishing, and most of the remaining 1% delivered remote access Trojans (RATs) such as Ractworty RAT, Dark Crystal and XWorm.
.es domains are proving popular for phishing attacks
Although the increase in .es domains used in cyber attacks is notable, the attack vectors remain unchanged. Malware was observed being delivered via C2 nodes or email. Microsoft, Adobe, Google, DocuSign and the Social Security Administration made up the five most commonly impersonated brands. The email lures often mimicked human resources requests and document-related requests.
Interestingly, the malicious subdomains were randomly generated rather than manually crafted, which makes them easier to identify as fake. Examples include ag7sr[.]fjlabpkguo[.]es and gymi8[.]fwpzza[.]es.
Although the researchers caution that these similarities cannot be used to attribute the attacks to a single group, 99% of the malicious domains were hosted on Cloudflare.
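The random-looking labels described above are something a defender can score mechanically. The following is an added example, not code from Cofense or the report: a small triage heuristic that normalises defanged indicators, scores each DNS label for signs of machine generation (low vowel ratio, long consonant runs, digits wedged between letters; the thresholds are assumptions) and flags hostnames under .es that carry such labels. The two flagged hostnames are the ones quoted in the article; the benign hostnames are constructed.

```python
"""Triage hostnames under .es whose labels look machine-generated.

Added example, not the Cofense report's code. The two flagged hostnames are
those quoted in the article; the benign ones are constructed. Thresholds are
assumptions for illustration; tune them against real DNS or proxy logs.
"""
import re

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")
INTERIOR_DIGIT = re.compile(r"[a-z]\d+[a-z]")

def defang(host: str) -> str:
    """Normalise a defanged indicator such as 'a[.]b[.]es' to 'a.b.es'."""
    return host.replace("[.]", ".").strip(".").lower()

def label_looks_random(label: str) -> bool:
    """True when a DNS label shows signs of being generated rather than chosen.

    Assumed signals: under 20% vowels among its letters, a run of four or more
    consonants, or a digit wedged between letters. Labels shorter than five
    characters (www, api, ...) are ignored to limit false positives.
    """
    if len(label) < 5 or not label.isalnum():
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4 or bool(INTERIOR_DIGIT.search(label))

def assess(host: str, tlds=("es",)) -> dict:
    """Return the normalised host, its random-looking labels, and a verdict."""
    name = defang(host)
    labels = name.split(".")
    random_labels = [lbl for lbl in labels[:-1] if label_looks_random(lbl)]
    return {"host": name, "random_labels": random_labels,
            "suspicious": labels[-1] in tlds and bool(random_labels)}

def triage(hosts, tlds=("es",)) -> list:
    """Hostnames worth a closer look, in input order."""
    return [r["host"] for r in (assess(h, tlds) for h in hosts) if r["suspicious"]]

# Constructed sample: the article's two indicators plus benign look-alikes.
SAMPLE_HOSTS = ["AG7SR[.]FJLABPKGUO[.]es", "Gymi8[.]FWPZZA[.]es", "www.example.es",
                "correo.empresa.es", "login.microsoft.es", "mail2.empresa.es"]
```

Passing `tlds=("es", "ru")` to `triage` widens the scope to other TLDs; a heuristic like this belongs in front of an analyst, not as a blocking rule on its own.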
“If a threat actor or a group of threat actors took advantage of the .es TLD domains, then it is likely that the falsified brands in campaigns.
Cofense explained that “significant restrictions” on the use of the .es TLD were in force until 2005, adding that the recent increase in .es-related attacks could be cause for concern, marking a new trend that exploits the authority a country-code TLD unofficially carries.