Spain TLD’s Recent Rise to Dominance

Threat actors have significantly increased their abuse of the .es top-level domain (TLD) for credential phishing campaigns, with a 19-fold rise from Q4 2024 to Q1 2025, making it the third most abused TLD in early 2025. Most .es domains used in these campaigns host credential phishing pages on randomly generated subdomains, often spoofing Microsoft. #esTLD #CredentialPhishing #MicrosoftSpoofing

Keypoints

  • The .es TLD abuse increased 19 times from Q4 2024 to Q1 2025 and ranked #3 among the most abused TLDs for credential phishing.

MITRE Techniques

  • [T1566] Phishing – Used .es TLD domains with pseudo-random subdomains to host credential phishing websites and lure victims via email links (‘credential phishing pages hosted on a subdomain of a .es TLD domain’).
  • [T1071] Application Layer Protocol – Credential phishing pages hosted on HTTP/HTTPS through Cloudflare infrastructure, masking malicious activity (‘99% of .es TLD domains hosted on Cloudflare’).
  • [T1086] PowerShell – (Indirectly inferred) Campaigns involved downloading RAT executables via URLs embedded in emails associated with .es TLD domains (‘URLs embedded in the email which downloaded a RAT executable’).

Indicators of Compromise

  • [Domain] Credential phishing domains and subdomains under .es TLD – examples: ag7sr.fjlabpkgcuo.es, gymi8.fwpzza.es, md6h60.hukqpeny.es, Shmkd.jlaancyfaw.es
  • [Hosting Provider] Cloudflare – approximately 99% of .es TLD credential phishing sites hosted on Cloudflare infrastructure
  • [Malware] RAT families – XWorm RAT, Dark Crystal RAT, ConnectWise RAT used .es TLD domains for C2 or download URLs
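The technique items above describe credential phishing hosted on pseudo-random subdomains of .es domains, and the indicator list gives four example hosts. The following is an added example, not code from the page or from Cofense, of how a defender might turn both into a simple check over email gateway logs: known hosts from the indicator list are matched exactly, and any other .es host whose subdomain label looks machine-generated (letter/digit mix, very few vowels, or high per-character entropy) is flagged for review. The log-line format, the sample lines, the entropy and vowel thresholds, and the function names are all assumptions made for this example.

```python
import math
import re
from urllib.parse import urlparse

# Known-bad hosts copied from the indicator list above (lower-cased for comparison).
KNOWN_BAD_HOSTS = {
    "ag7sr.fjlabpkgcuo.es",
    "gymi8.fwpzza.es",
    "md6h60.hukqpeny.es",
    "shmkd.jlaancyfaw.es",
}

# Second-level labels under .es below which registrations are made (assumed list).
ES_SECOND_LEVEL = {"com", "nom", "org", "gob", "edu"}

# Constructed sample gateway log lines (not from the page). Only the first and third
# URLs should be flagged; the rest are ordinary Spanish or Microsoft hosts.
SAMPLE_LOG_LINES = [
    "2025-02-03T10:12:44Z url=https://ag7sr.fjlabpkgcuo.es/login sender=billing@example.net",
    "2025-02-03T10:13:01Z url=https://correos.es/seguimiento sender=notify@example.org",
    "2025-02-03T10:15:27Z url=https://x9q2t.kdvjwqzplr.es/auth/office sender=it@example.com",
    "2025-02-03T10:16:03Z url=https://www.microsoft.com/es-es/ sender=news@example.com",
    "2025-02-03T10:18:55Z url=http://soporte.miempresa.es/portal sender=ayuda@example.es",
]

URL_RE = re.compile(r"\burl=(\S+)")
LABEL_RE = re.compile(r"^[a-z0-9-]+$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a string (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_pseudo_random_label(label: str) -> bool:
    """Heuristic for machine-generated DNS labels such as 'ag7sr' or 'kdvjwqzplr'.

    A label counts as pseudo-random when it is at least 5 characters long and either
    mixes letters with digits, has almost no vowels, or has high per-character entropy
    for its length. The thresholds are assumptions chosen for this example.
    """
    label = label.lower()
    if len(label) < 5 or not LABEL_RE.match(label):
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0
    if has_digit and has_alpha:
        return True
    if vowel_ratio < 0.2:
        return True
    return len(label) >= 8 and shannon_entropy(label) >= 3.0


def split_es_host(host: str):
    """Return (subdomain_labels, registered_domain) for a .es host, or None if not .es."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "es":
        return None
    reg_len = 3 if len(labels) >= 3 and labels[-2] in ES_SECOND_LEVEL else 2
    return labels[:-reg_len], ".".join(labels[-reg_len:])


def classify_host(host: str):
    """Return a reason string if the host should be flagged, otherwise None."""
    host = host.lower()
    if host in KNOWN_BAD_HOSTS:
        return "known_ioc"
    parts = split_es_host(host)
    if parts is None:
        return None
    subdomain_labels, _registered = parts
    if any(is_pseudo_random_label(lbl) for lbl in subdomain_labels):
        return "random_es_subdomain"
    return None


def analyze_log_lines(lines):
    """Extract url= fields from gateway log lines; return flagged (host, reason) tuples."""
    flagged = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group(1)).hostname
        if host and (reason := classify_host(host)):
            flagged.append((host, reason))
    return flagged


if __name__ == "__main__":
    for host, reason in analyze_log_lines(SAMPLE_LOG_LINES):
        print(f"{reason:20s} {host}")
```

The heuristic only scores labels to the left of the registered domain, matching the page's description of random subdomains; legitimate hosts such as `soporte.miempresa.es` pass, while a host like `x9q2t.kdvjwqzplr.es` that is not on the indicator list is still surfaced for analyst review rather than blocked outright.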

Read more: https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance