- Experts observe a 19x quarter-over-quarter rise in .es usage for malicious campaigns
- 99% were credential phishing attacks, with 1% relating to remote access trojans
- Microsoft was by far the most commonly impersonated brand
Cybersecurity experts from Cofense have revealed a 19x increase in malicious campaigns using .es domains between Q4 2024 and Q5 2025, making it the third-most abused top-level domain (TLD) after .com and .ru.
Typically reserved for businesses and organizations in Spain, or Spanish-speaking audiences, researchers found nearly 1,400 malicious subdomains across nearly 450 .es base domains between January and May.
An overwhelming majority (99%) of the campaigns involved credential phishing, with most of the remaining 1% delivering remote access trojans (RATs) like ConnectWise RAT, Dark Crystal and XWorm.
.es domains are proving popular for phishing attacks
Although the rise of .es domains in cyberattacks is noteworthy, attack vectors remain unchanged. Malware was seen to be delivered by C2 nodes or spoofed emails, with most (95%) impersonating Microsoft (an attacker’s favorite). Adobe, Google, Docusign and the Social Security Administration made up the top-five most commonly impersonated websites. Email lures often mimicked HR and document-related requests.
Interestingly, the malicious .es subdomains were randomly generated, not crafted manually, making them easier to identify as being fake. Examples include ag7sr[.]fjlabpkgcuo[.]es and gymi8[.]fwpzza[.]es.
Despite researchers suggesting that no similarities can be used to link attacks to a single group, 99% of the malicious .es domains were hosted on Cloudflare.
“If one threat actor or threat actor group were taking advantage of .es TLD domains then it is likely that the brands spoofed in .es TLD campaigns would indicate certain preferences by the threat actors,” the researchers wrote.
Cofense explained that “significant restrictions” on the usage of .es TLDs were in place until 2005, adding that the recent rise in .es-related attacks could be a cause for concern, marking a new trend exploiting the authority that country-related TLDs unofficially carry.
