#### [Security](/security/)

Massive spike in use of .es domains for phishing abuse
======================================================

¡Cuidado! Time to double-check before entering your Microsoft creds
-------------------------------------------------------------------

[Connor Jones](/Author/Connor-Jones "Read more by this author") Sat 5 Jul 2025 // 12:43 UTC

Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.

The .es top-level domain (TLD) is the domain reserved for the country of Spain, or websites targeting Spanish-speaking audiences.

Cofense said the abuse of the .es TLD started to pick up in January, and as of May, 1,373 subdomains were hosting malicious web pages on 447 .es base domains.

The researchers said that 99 percent of these were focused on [credential phishing](https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/), while the other 1 percent were devoted to distributing remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal, and XWorm.

The malware was distributed either via a C2 node or a malicious email spoofing a well-known brand (Microsoft in 95 percent of cases, unsurprisingly), so there was nothing overly novel about the campaigns themselves other than the TLD.

Emails seen in the wild tend to be themed around workplace matters such as HR requests or requests for the receipt of documents, for example, and the messages are often well-crafted, rather than low-effort one-liners.

The .es domains that host the malicious content, like the fake Microsoft sign-in portals, are in most cases randomly generated rather than crafted by a human. For potential targets, this may make it easier to spot a lookalike/[typosquat](https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/)-style URL.

Some examples of the types of subdomains hosted on the .es base domains are as follows:

* ag7sr-[.-]fjlabpkgcuo-[.-]es
* gymi8-[.-]fwpzza-[.-]es
* md6h60-[.-]hukqpeny-[.-]es
* Shmkd-[.-]jlaancyfaw-[.-]es

As for why exactly the .es domain was proving so popular, Cofense did not venture any guesses. However, it said that aside from the top two most-abused TLDs (.com and .ru), the remainder tend to fluctuate from quarter to quarter.

Regardless, the general nature of the phishing campaigns experts observed over the past six months suggests dodgy .es websites could be here to stay.

Cofense said: "If one threat actor or threat actor group were taking advantage of .es TLD domains then it is likely that the brands spoofed in .es TLD campaigns would indicate certain preferences by the threat actors that would be different from general campaigns delivered by a wide variety of threat actors with varying motives, targets, and campaign quality.

"This was not observed, making it likely that abuse of .es TLD domains is becoming a common technique among a large group of threat actors rather than a few more specialized groups."

* [That WhatsApp from an Israeli infosec expert could be a Iranian phish](https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/)
* [Ex-NSA cyber-boss: AI will soon be a great exploit coder](https://www.theregister.com/2025/04/30/exnsa_cyber_boss_ai_expoit_dev/)
* [Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish](https://www.theregister.com/2025/03/25/troy_hunt_mailchimp_phish/)
* [Scattered Spider stops the Rickrolls, starts the RAT race](https://www.theregister.com/2025/04/08/scattered_spider_updates/)

One similarity Cofense saw between almost all of the malicious .es domains was that 99 percent of them were hosted on Cloudflare, and most of the phishing pages used a Cloudflare Turnstile [CAPTCHA](https://www.theregister.com/2025/01/03/captcha_doom_nightmare/).

"While Cloudflare has recently made deploying a web page quick and easy via command line with pages hosted on -[.-]pages-[.-]dev, it is unclear whether their recent move to making domains hosted by them easy to deploy has attracted threat actors to their hosting services across different platforms or if there are other reasons, such as how strict or lenient Cloudflare is with abuse complaints," the researchers blogged.

European Union country-code TLDs (ccTLDs) like .es are typically among the least abused, according to the [Internet Corporation for Assigned Names and Numbers (ICANN)](https://www.theregister.com/2024/01/29/icann_internal_tld/).

They typically come with more restrictions on who can register a ccTLD compared to a generic TLD (gTLD) like .top and [.zip](https://www.theregister.com/2023/05/17/google_zip_mov_domains/), and don't support bulk registrations, making them less appealing to those who wish to abuse them en masse. ®
Related Tags:
OopsIE
Camouflage Tempest
TAAL
Mint Sandstorm
Storm-0875
Octo Tempest
NAICS: 54 – Professional, Scientific, Technical Services
NAICS: 517 – Telecommunications
NAICS: 541 – Professional, Scientific, Technical Services
Associated Indicators:
md6h60.hukqpeny.es
shmkd.jlaancyfaw.es
ag7sr.fjlabpkgcuo.es
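
The article notes that the .es hostnames in these campaigns are randomly generated rather than human-crafted, which makes them stand out. As an added example (not code from The Register or Cofense), the Python below refangs the indicators as the article writes them and applies a vowel-ratio and consonant-run heuristic to the registrable label of .es hosts seen in mail or proxy logs; the thresholds, function names and the benign sample hosts are assumptions constructed for illustration.

```python
import re

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")
# Second-level zones under .es where registrations sit one label deeper.
ES_SECOND_LEVEL = {"com", "nom", "org", "gob", "edu"}

def refang(indicator: str) -> str:
    """Undo the article's '-[.-]' defanging and the common '[.]' form."""
    return indicator.replace("-[.-]", ".").replace("[.]", ".").lower()

def looks_generated(label: str) -> bool:
    """Assumed thresholds: under 30% vowels, or 4+ consonants in a row."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 5:
        return False  # too short to judge either way
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4

def registrable_label(host: str):
    """Return the registered label of a .es host, or None for other TLDs."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "es":
        return None
    if labels[-2] in ES_SECOND_LEVEL:
        return labels[-3] if len(labels) >= 3 else None
    return labels[-2]

def suspicious_es_hosts(hosts):
    """Return refanged .es hosts whose registered label looks random."""
    flagged = []
    for raw in hosts:
        host = refang(raw)
        label = registrable_label(host)
        if label and looks_generated(label):
            flagged.append(host)
    return flagged

# First four entries are the article's examples; the rest are constructed.
SAMPLE_HOSTS = [
    "ag7sr-[.-]fjlabpkgcuo-[.-]es", "gymi8-[.-]fwpzza-[.-]es",
    "md6h60-[.-]hukqpeny-[.-]es", "Shmkd-[.-]jlaancyfaw-[.-]es",
    "www.universidad-ejemplo.es", "tienda.ejemplo.com.es",
    "login.microsoftonline.com",
]

if __name__ == "__main__":
    for host in suspicious_es_hosts(SAMPLE_HOSTS):
        print("review:", host)
```

The heuristic is for triage only: short, consonant-heavy legitimate names can trip it, so pair it with an allowlist of domains your organisation already uses.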


