TZUTC: -0500
MSGID: 1224.consprcy@1:2320/105 2cd3afed
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
Experts flag a huge amount of cyberattacks coming from this unexpected domain

Date:
Tue, 08 Jul 2025 15:02:00 +0000

Description:
Cybersecurity researchers have observed a huge spike in the use of .es TLDs 
in recent months, mostly to host phishing campaigns.

FULL STORY

Cybersecurity experts from Cofense have revealed a 19x increase in malicious
campaigns using .es domains between Q4 2024 and Q5 2025, making it the
third-most abused top-level domain (TLD) after .com and .ru. 

Typically reserved for businesses and organizations in Spain, or
Spanish-speaking audiences, researchers found nearly 1,400 malicious
subdomains across nearly 450 .es base domains between January and May. 

An overwhelming majority (99%) of the campaigns involved credential phishing,
with most of the remaining 1% delivering remote access trojans (RATs) like
ConnectWise RAT, Dark Crystal and XWorm.

".es" domains are proving popular for phishing attacks

Although the rise of .es domains in cyberattacks is noteworthy, attack 
vectors remain unchanged. Malware was seen to be delivered by C2 nodes or
spoofed emails, with most (95%) impersonating Microsoft (an attacker's
favorite). Adobe, Google, Docusign and the Social Security Administration 
made up the top-five most commonly impersonated websites. Email lures often
mimicked HR and document-related requests. 

Interestingly, the malicious .es subdomains were randomly generated, not
crafted manually, making them easier to identify as being fake. Examples
include ag7sr[.]fjlabpkgcuo[.]es and gymi8[.]fwpzza[.]es. 

Despite researchers suggesting that no similarities can be used to link
attacks to a single group, 99% of the malicious .es domains were hosted on
Cloudflare. 

"If one threat actor or threat actor group were taking advantage of .es TLD
domains then it is likely that the brands spoofed in .es TLD campaigns would
indicate certain preferences by the threat actors," the researchers wrote. 

Cofense explained that "significant restrictions" on the usage of .es TLDs
were in place until 2005, adding that the recent rise in .es-related attacks
could be a cause for concern, marking a new trend exploiting the authority
that country-related TLDs unofficially carry.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/experts-flag-a-huge-amount-of-cyberatta
cks-coming-from-this-unexpected-domain

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426