Spain’s .es Domain Surges 19x in Cybercrime Use: Now Third Most Popular for Phishing & RATs
In recent months, cybersecurity experts have observed a dramatic surge in the malicious exploitation of domains within the .es top-level domain (TLD). Over the past six months alone, the number of such incidents has increased nearly nineteenfold, propelling Spain’s national domain to third place in terms of popularity among cybercriminals—trailing only .com and .ru.
According to analysts at Cofense, the widespread abuse of .es domains began in earnest in January of this year. By May, 1,373 subdomains had been registered across 447 primary .es domains, all serving as launchpads for malicious webpages. The vast majority of these sites are used for phishing operations aimed at stealing users’ credentials. Only about 1% are leveraged for delivering remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal, and XWorm.
The dissemination of malware occurs either via command-and-control servers or through sophisticated phishing emails impersonating well-known companies. In nearly 95% of cases, attackers masquerade as Microsoft, which is unsurprising given the brand’s global scale and credibility. These emails are often meticulously crafted, posing as legitimate business communications—such as HR notifications or document requests—rendering them particularly convincing.
It is worth noting that the domain names hosting these fake pages are predominantly generated from random character strings. Experts suggest this randomness actually aids detection: because the resulting URLs bear no resemblance to genuine corporate or organizational domains, they cannot trade on the deceptive similarity that “typosquatting” attacks rely on.
Examples of such domains include:
- ag7sr\[.]fjlabpkgcuo\[.]es
- gymi8\[.]fwpzza\[.]es
- md6h60\[.]hukqpeny\[.]es
- shmkd\[.]jlaancyfaw\[.]es
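The report's point that random-string hostnames are easier to spot than typosquats can be turned into a simple triage check. The following is an added example, not code from Cofense or the report; it refangs the four defanged samples above, scores each label for digit/letter mixing, low vowel share and high character entropy, and flags hosts under .es that trip the heuristic. The thresholds and the benign `www.example.es` host are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Defanged samples quoted in the report, plus one constructed benign host for contrast.
SAMPLE_HOSTS = [
    "ag7sr[.]fjlabpkgcuo[.]es",
    "gymi8[.]fwpzza[.]es",
    "md6h60[.]hukqpeny[.]es",
    "shmkd[.]jlaancyfaw[.]es",
    "www[.]example[.]es",  # constructed benign-looking host (assumption)
]

VOWELS = set("aeiou")

def refang(host: str) -> str:
    """Turn a defanged 'a[.]b[.]es' indicator back into a normal lowercase hostname."""
    return host.replace("[.]", ".").lower()

def shannon_entropy(label: str) -> float:
    """Per-character Shannon entropy in bits; higher means fewer repeated characters."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(label: str) -> float:
    """Share of alphabetic characters that are vowels (pronounceable words score higher)."""
    letters = [ch for ch in label if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0

def label_looks_random(label: str) -> bool:
    """Heuristic (thresholds are assumptions): a label is suspicious if it mixes digits
    into letters, has a very low vowel share, or has high entropy for its length."""
    has_digit_mix = bool(re.search(r"[a-z]", label)) and bool(re.search(r"\d", label))
    low_vowels = len(label) >= 5 and vowel_ratio(label) < 0.3
    high_entropy = len(label) >= 8 and shannon_entropy(label) > 3.0
    return has_digit_mix or low_vowels or high_entropy

def score_host(host: str) -> dict:
    """Score every non-TLD label (ignoring a leading 'www') and flag .es hosts that trip it."""
    fqdn = refang(host)
    labels = fqdn.split(".")
    tld = labels[-1]
    candidates = [lbl for lbl in labels[:-1] if lbl != "www"]
    flagged = [lbl for lbl in candidates if label_looks_random(lbl)]
    return {"host": fqdn, "tld": tld, "flagged_labels": flagged,
            "suspicious": tld == "es" and bool(flagged)}

def triage(hosts):
    """Run the heuristic over a list of (possibly defanged) hostnames."""
    return [score_host(h) for h in hosts]
```

A heuristic like this is a triage filter, not a verdict: random-looking labels also occur in legitimate CDN and tenant hostnames, so hits should feed a review queue or a reputation lookup rather than block outright.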
Why the .es domain has become such an appealing choice for threat actors remains unclear. Cofense offers no definitive explanation. Historically, aside from the .com and .ru TLDs, cybercriminals’ preferences for alternative domains shift from quarter to quarter. European country-code TLDs, including Spain’s, have long been considered more resilient to abuse due to stringent registration requirements and limited domain reselling, which hampers large-scale acquisition by criminal entities.
Nevertheless, analysts emphasize that the recent wave of .es domain abuse highlights a sobering reality: even domains once deemed secure can be weaponized. Crucially, this uptick does not appear to stem from the actions of a single group. Rather, it reflects a broader trend adopted by a wide range of threat actors, differing in both motivation and the sophistication of their campaigns.
A common hallmark among nearly all recorded malicious sites is their hosting on Cloudflare infrastructure. Furthermore, many phishing pages incorporate CAPTCHA challenges, complicating automated site analysis. Experts believe that Cloudflare’s rapid deployment capabilities may have contributed to its appeal among cybercriminals. This also raises pressing questions regarding the platform’s responsiveness to abuse reports and its overall diligence in mitigating such threats.