Cybersecurity experts report a significant increase in malicious campaigns leveraging .es domains, primarily for credential phishing and distributing remote access trojans. Abuse of the .es TLD appears to be a widespread trend among various threat actors, and the malicious domains are often hosted on Cloudflare.
Key points
- The use of .es domains in malicious campaigns has surged 19-fold.
- Most attacks involve credential phishing, with some distributing remote access trojans like ConnectWise RAT.
- Phishing emails often mimic workplace communications and are well-crafted.
- Fake websites hosted on .es domains generally use randomly generated URLs, making them somewhat easier to identify.
- Most malicious .es domains are hosted on Cloudflare and use CAPTCHA to evade detection.
Read More: https://www.theregister.com/2025/07/05/spain_domains_phishing/