
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,490 of 2,445   
   Mike Powell to All   
   Experts flag a huge amoun   
   09 Jul 25 08:45:00   
   
   TZUTC: -0500   
   MSGID: 1224.consprcy@1:2320/105 2cd3afed   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Experts flag a huge amount of cyberattacks coming from this unexpected domain   
      
   Date:   
   Tue, 08 Jul 2025 15:02:00 +0000   
      
   Description:   
   Cybersecurity researchers have observed a huge spike in the use of .es TLDs    
   in recent months, mostly to host phishing campaigns.   
      
   FULL STORY   
      
   Cybersecurity experts from Cofense have revealed a 19x increase in malicious   
   campaigns using .es domains between Q4 2024 and Q5 2025, making it the   
   third-most abused top-level domain (TLD) after .com and .ru.    
      
   Typically reserved for businesses and organizations in Spain, or   
   Spanish-speaking audiences, researchers found nearly 1,400 malicious   
   subdomains across nearly 450 .es base domains between January and May.    
      
   An overwhelming majority (99%) of the campaigns involved credential phishing,   
   with most of the remaining 1% delivering remote access trojans (RATs) like   
   ConnectWise RAT, Dark Crystal and XWorm.   
      
   ".es" domains are proving popular for phishing attacks   
      
   Although the rise of .es domains in cyberattacks is noteworthy, attack    
   vectors remain unchanged. Malware was seen to be delivered by C2 nodes or   
   spoofed emails, with most (95%) impersonating Microsoft (an attacker's   
   favorite). Adobe, Google, Docusign and the Social Security Administration    
   made up the top-five most commonly impersonated websites. Email lures often   
   mimicked HR and document-related requests.    
      
   Interestingly, the malicious .es subdomains were randomly generated, not   
   crafted manually, making them easier to identify as being fake. Examples   
   include ag7sr[.]fjlabpkgcuo[.]es and gymi8[.]fwpzza[.]es.    
      
   Despite researchers suggesting that no similarities can be used to link   
   attacks to a single group, 99% of the malicious .es domains were hosted on   
   Cloudflare.    
      
   "If one threat actor or threat actor group were taking advantage of .es TLD   
   domains then it is likely that the brands spoofed in .es TLD campaigns would   
   indicate certain preferences by the threat actors," the researchers wrote.    
      
   Cofense explained that "significant restrictions" on the usage of .es TLDs   
   were in place until 2005, adding that the recent rise in .es-related attacks   
   could be a cause for concern, marking a new trend exploiting the authority   
   that country-related TLDs unofficially carry.   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/experts-flag-a-huge-amount-of-cyberattacks-coming-from-this-unexpected-domain   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
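
The story above notes that the malicious .es subdomains were randomly generated and therefore easy to spot as fake. The following triage heuristic is an added example, not part of the original post or of the Cofense research; the thresholds, function names and the benign sample hostnames are assumptions constructed for illustration.

```python
import re

VOWELS = set("aeiou")
MIN_GENERATED_LABELS = 2  # assumed threshold: subdomain and base label both look random

# The two defanged hostnames quoted in the story, plus constructed benign samples.
SAMPLE = [
    "ag7sr[.]fjlabpkgcuo[.]es",
    "gymi8[.]fwpzza[.]es",
    "tienda.ejemplo.es",      # constructed
    "www.biblioteca.es",      # constructed
    "mail2.portal.es",        # constructed
    "ag7sr.ejemplo.com",      # constructed, not under .es
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b[.]es' back into 'a.b.es'."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def defang(host: str) -> str:
    """Re-defang a hostname so reports never contain a clickable name."""
    return host.replace(".", "[.]")


def looks_generated(label: str) -> bool:
    """Heuristic: few vowels among the letters, or a run of 4+ consonants."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) >= 4:
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        if vowel_ratio < 0.3:
            return True
    # Digits and hyphens break a run, so only letter sequences are matched.
    return re.search(r"[b-df-hj-np-tv-z]{4,}", label) is not None


def flag_es_hosts(indicators):
    """Return defanged .es hostnames whose labels look machine-generated."""
    flagged = []
    for raw in indicators:
        labels = refang(raw).split(".")
        if len(labels) < 3 or labels[-1] != "es":
            continue  # only subdomains under a .es base domain are in scope
        generated = sum(looks_generated(label) for label in labels[:-1])
        if generated >= MIN_GENERATED_LABELS:
            flagged.append(defang(".".join(labels)))
    return flagged
```

A vowel-ratio test like this also trips on legitimate abbreviations, so its output is a review queue for mail or proxy logs rather than a blocklist.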
      



(c) 1994,  bbs@darkrealms.ca