- Experts observed a 19x quarter-over-quarter increase in the use of .es domains for malicious campaigns
- 99% of the campaigns were credential phishing; the remaining 1% delivered remote access trojans
- Microsoft was by far the most commonly imitated firm
Cybersecurity researchers from Cofense have revealed a 19x climb in malicious campaigns using .es domains between Q4 2024 and Q1 2025, making .es the third most abused top-level domain (TLD) after .com and .ru.
The .es TLD is typically reserved for businesses and organizations in Spain or those serving Spanish-speaking audiences. The researchers found almost 1,400 malicious subdomains spread over almost 450 .es base domains between January and May.
An overwhelming majority (99%) of the campaigns were credential phishing, with most of the remaining 1% delivering remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal and XWorm.
.es domains turn out to be popular for phishing attacks
Although the rise of .es domains in cyber attacks is remarkable, the attack vectors remain unchanged. The domains were seen serving as C2 nodes or hosting the landing pages behind spoofed emails, and most of those emails (95%) impersonated Microsoft, an attacker favorite. Adobe, Google, DocuSign and the Social Security Administration made up the rest of the most frequently impersonated brands. The email lures often mimicked HR and document-related requests.
Interestingly, the malicious .es subdomains were randomly generated rather than manually crafted, which makes them easier to identify as fraudulent. Examples include AG7SR[.]Fjlabpkgcuo[.]es and gymi8[.]FWPZZA[.]es.
Although the researchers said no shared traits could be used to attribute the attacks to a single group, 99% of the malicious .es domains were hosted on Cloudflare.
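The "random-looking label" observation above is easy to turn into a triage check. The following script is an added example, not part of Cofense's research or the original article: it refangs the two hostnames quoted in the report, scores each DNS label on a few cheap lexical signals (long consonant runs, low vowel ratio, digit/letter mixing, high character entropy), and flags .es hosts whose labels trip enough of them. The thresholds, the scoring scheme and the two benign-looking control hostnames are my own assumptions, chosen so that ordinary hostnames score zero.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample set: the two defanged examples quoted in the report,
# plus two assumed benign-looking .es hostnames used only as controls.
SAMPLE_HOSTS = [
    "AG7SR[.]Fjlabpkgcuo[.]es",
    "gymi8[.]FWPZZA[.]es",
    "login[.]example[.]es",        # assumed benign control, not from the report
    "correo[.]universidad[.]es",   # assumed benign control, not from the report
]


def refang(host: str) -> str:
    """Undo the usual [.] / (.) defanging and normalise case (DNS is case-insensitive)."""
    return host.strip().replace("[.]", ".").replace("(.)", ".").lower()


def shannon_entropy(s: str) -> float:
    """Bits per character; 11 distinct characters give log2(11) ~ 3.46."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(label: str) -> float:
    """Share of letters that are vowels; labels with no letters are not penalised."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return 1.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def max_consonant_run(label: str) -> int:
    """Longest run of consonant letters; digits and hyphens break the run."""
    longest = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def label_score(label: str) -> int:
    """Count the 'looks machine-generated' signals a single DNS label trips.

    Thresholds are assumptions tuned so that common labels (www, mail2, login,
    static) score at most 1 while the report's examples score 2 or more.
    """
    score = 0
    if max_consonant_run(label) >= 4:
        score += 1
    if len(label) >= 5 and vowel_ratio(label) < 0.3:
        score += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    if len(label) >= 8 and shannon_entropy(label) >= 3.2:
        score += 1
    return score


def assess_host(host: str, flag_at: int = 2) -> dict:
    """Score every label below the TLD and flag the host if any label reaches flag_at."""
    fqdn = refang(host)
    labels = fqdn.split(".")
    scored = {lbl: label_score(lbl) for lbl in labels[:-1]}
    return {
        "host": fqdn,
        "tld": labels[-1],
        "label_scores": scored,
        "suspicious": any(s >= flag_at for s in scored.values()),
    }


def suspicious_es_hosts(hosts) -> list:
    """Return the refanged .es hosts that look machine-generated, in input order."""
    return [r["host"] for r in map(assess_host, hosts)
            if r["tld"] == "es" and r["suspicious"]]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(assess_host(h))
    print("flagged:", suspicious_es_hosts(SAMPLE_HOSTS))
```

Run it against a list of hostnames pulled from mail logs or DNS telemetry; the two report examples come out flagged (every label scores at least 2) while the control hostnames score zero. Treat a hit as a triage signal rather than a verdict: CDN and tracking hostnames can legitimately look random, so pair the score with the TLD filter and the brand being impersonated before blocking.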
“If a threat actor or threat actor group benefits from .es TLD domains, the brands that are counterfeited in .es TLD campaigns would indicate certain preferences from the threat actors,” the researchers wrote.
Cofense explained that “significant restrictions” on the use of .es TLDs were in place until 2005, adding that the recent increase in .es-related attacks could be cause for concern, as it marks a new trend of trading on the authority of country-code TLDs for illegitimate ends.