Spain TLD’s Recent Rise to Dominance

July 2, 2025

Author: Max Gannon, Jacob Malimban, Intelligence Team

Threat actors use various Top-Level Domains (TLDs) to host malicious content and serve as Command and Control (C2) locations. Commonly abused TLDs used to host credential phishing include .ru and .com. More recently, Cofense Intelligence detected a meteoric increase in abuse of the .es TLD for malicious activity. From Q4 2024 to Q1 2025, .es TLD abuse increased 19x and became part of the top 10 abused TLDs in credential phishing. This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs). These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse.

While the top two abused TLDs (.com and .ru, respectively) have consistently been the most popular for some time, the other top 10 positions vary more in exact ranking; the same abused TLDs generally appear, just in different orders. Now the .es TLD has changed the rankings. The top 10 positions for the first quarter of 2025 can be seen in Figure 1. For more information on first and second stages, see Cofense Intelligence’s quarterly reports, which provide breakdowns.

Key Points

  • .es TLD domains now appear about twice as often as .dev domains in malicious campaigns
  • .es TLD domain abuse recently increased 19x from Q4 2024 to Q1 2025
  • Abuse of .es TLD domains trends towards the use of malicious subdomains
  • Phishing campaigns utilizing .es TLD domains spoof Microsoft more frequently than campaigns using other TLDs.


Figure 1: Top 10 TLDs seen in credential phishing in both stage one and stage two from January to May of 2025.

What is the .es TLD?

.es is the country code TLD (ccTLD) for Spain, derived from the Spanish word for Spain: España. This TLD is officially intended for domains targeting Spanish-speaking audiences. The most notable use of the .es TLD for non-Spanish speaking audiences is the now discontinued iTun[.]es. Similar to the .gov domains used in the United States, .gob.es is used for governmental entities in Spain.

Until 2005, the .es TLD had significant restrictions on its usage. As a result, the .es TLD lacks the same large number of legitimate long-lived domains that other TLDs (e.g. .com) have. Despite these factors, threat actor abuse of the .es ccTLD has made it the #3 TLD abused from January to May of 2025.

Historical .es TLD Abuse

Although Cofense saw significant abuse of .es TLD domains for credential phishing in Q1 and much of Q2 2025, most .es TLD abuse prior to that was associated with malware C2 locations. FormBook was the most prevalent of the malware families using the .es TLD for C2 domains. However, this may be due in part to the fact that FormBook uses a large number of legitimate sites to disguise its actual C2 traffic. Until 2025, the majority of the .es TLD domains seen in credential phishing or as malware C2s used domains without subdomains.

Meteoric Increase of .es TLD Abuse in the First Half of 2025

Starting in early 2025, Cofense Intelligence began to see a significant increase in the usage of the .es TLD by threat actors, especially to host credential phishing pages. The credential phishing pages were also primarily hosted on subdomains that appeared to be pseudo-dynamically generated.

In the sample set analyzed from January to May of 2025, there were a total of 1373 subdomains hosting credential phishing on 447 .es TLD base domains. Within the sample set, more than 99% of the domains were credential phishing-related. The remaining under 1% of domains were used by RATs such as XWorm RAT, Dark Crystal RAT, and ConnectWise RAT, either as a C2 node or as a URL embedded in the email that downloaded a RAT executable.

Among all emails from January to May of 2025 the breakdown of spoofed brands was Microsoft at 95%, Adobe at 2%, and Google, Docusign, and the Social Security Administration all at less than 1%. Although Microsoft brand spoofing in campaigns with .es TLD domains was about 10% higher than amongst all other campaigns during the same time period, the other brands primarily stayed consistent.

If a single threat actor or threat actor group were taking advantage of .es TLD domains, the brands spoofed in .es TLD campaigns would likely reflect that actor’s preferences and differ from general campaigns, which are delivered by a wide variety of threat actors with varying motives, targets, and campaign quality. This was not observed, so abuse of .es TLD domains is likely becoming a common technique among a large group of threat actors rather than a few more specialized groups.

Campaign Characteristics

The credential phishing campaigns using domains with the .es TLD in March had widely varied themes, subjects, and credential phishing pages. One of the more convincing ones can be seen in Figure 2. Although there was significant variance in the campaigns, one consistent feature was that the campaigns typically featured a credential phishing page hosted on a subdomain of a .es TLD domain. The subdomains appear to be randomly generated rather than created by a human.


Figure 2: A sample of a March 2025 campaign using a .es TLD domain to host its credential phishing content.

The majority of the campaigns utilizing the .es TLD to host their credential phishing content contained fully featured content and well-developed emails rather than a simple one-line message and a clickable link. A Microsoft-spoofing credential phishing page hosted on a .es TLD domain is shown in Figure 3. A sample of some of the most common subjects can be seen in Table 1.


Figure 3: Credential phishing page hosted on a .es TLD domain spoofing Microsoft Outlook.

Table 1: Selected subjects of credential phishing campaigns utilizing .es TLD domains.

Selected Subjects
  • Amended <recipient name or identifiable information> Employees Handbook
  • Vendor Update‚ Action Required
  • COMPLETED: complete - You received 3 new Scanned document for your review and sign ref#<recipient name or identifiable information>
  • Confirm receipt: Voicemail from EXT 0972
  • <recipient name or identifiable information> Documents Package

Sub-domain Usage

As is often the case when domains are used to host dynamically generated subdomains, the .es base domains for the majority of the campaigns seen in the covered period of 2025 are unreachable. The subdomains primarily hosted credential phishing content spoofing Microsoft, but other brands such as Adobe, Zoom, and Intuit were also observed.

Sometimes, when threat actors find a domain on which they are able to create subdomains, whether legitimately or via compromise, they choose legitimate-looking phrases and combine them at random in the subdomain to convince victims that the link is legitimate. Some examples of chosen subdomains can be seen in Table 2.

Table 2: Examples of subdomains intentionally crafted by threat actors.

Examples of subdomains chosen by threat actors to appear legitimate
  • webmail-bc8c1be56-auth-c0014bc8c1be56e3ec5d86e3ec5d8-login[.]pages[.]dev
  • emailwebbs[.]pages[.]dev
  • new-voicemail-audio-message[.]pages[.]dev
  • emailcenter[.]pages[.]dev

In the case of pages[.]dev, the subdomains have been created through technically legitimate means rather than compromise, but the same method of naming subdomains can also be found on compromised domains.

What makes the campaigns using subdomains hosted on .es TLD base domains unusual is that they rarely show any kind of customization but are instead seemingly random strings such as the ones seen in Table 3.

Table 3: Examples of subdomains hosted on .es TLD base domains.

Examples of subdomains hosted on .es TLD base domains that appear random rather than chosen
  • ag7sr[.]fjlabpkgcuo[.]es
  • gymi8[.]fwpzza[.]es
  • md6h60[.]hukqpeny[.]es
  • Shmkd[.]jlaancyfaw[.]es
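
The contrast between Table 2 (phrases chosen to look legitimate) and Table 3 (machine-generated labels on .es base domains) is something a mail or URL filter can score. The following is an added example written for this page, not Cofense tooling: it refangs the `[.]` notation, splits a hostname into subdomain, base domain and TLD, and flags labels that look random (digits mixed into letters, a low vowel ratio, or a long consonant run) unless they contain a lure word such as "mail" or "login". The lure word list, the thresholds, and the assumption that the registrable domain is the last two labels (no public suffix list) are all this example's own choices; the sample hostnames are the ones printed in Tables 2 and 3.

```python
"""Heuristic triage of phishing hostnames: extract the TLD and base domain, and
flag subdomain labels that look machine-generated rather than chosen by a person.
Added example; the keyword list and thresholds are assumptions, not report data."""
import re
from collections import Counter

# Assumed lure vocabulary: a label containing one of these reads as "chosen"
# by a human to look legitimate (webmail, login, voicemail, ...).
LURE_WORDS = ("mail", "auth", "login", "voice", "audio", "message", "center",
              "secure", "account", "verify", "portal", "office", "docs")
VOWELS = set("aeiou")


def refang(host: str) -> str:
    """Turn the defanged notation used in the report ('[.]') back into dots."""
    return host.strip().lower().replace("[.]", ".")


def split_host(host: str) -> tuple[str, str, str]:
    """Return (subdomain, base_domain, tld).

    Assumption: the registrable domain is the last two labels (no public suffix
    list is consulted). That holds for the .es and .dev examples on the page
    but not for every TLD (e.g. .co.uk)."""
    labels = refang(host).split(".")
    if len(labels) < 2:
        raise ValueError(f"not a dotted hostname: {host!r}")
    tld = labels[-1]
    base = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return sub, base, tld


def looks_random(label: str) -> bool:
    """Heuristic: a label is random-looking when it carries no lure word and shows
    at least one of: digits mixed into letters, a vowel ratio below 0.3, or a run
    of four or more consonants. Thresholds are assumptions fitted to the tables."""
    label = label.lower()
    if any(word in label for word in LURE_WORDS):
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return True
    has_digits = any(c.isdigit() for c in label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max(
        (len(run) for run in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return has_digits or vowel_ratio < 0.3 or longest_consonant_run >= 4


def triage(host: str) -> dict:
    """Classify one hostname the way an analyst reads Tables 2 and 3."""
    sub, base, tld = split_host(host)
    leftmost = sub.split(".")[0] if sub else ""
    return {
        "host": refang(host),
        "tld": tld,
        "base_domain": base,
        "subdomain": sub,
        "random_subdomain": bool(leftmost) and looks_random(leftmost),
        "random_base": looks_random(base.split(".")[0]),
    }


def tld_counts(hosts) -> Counter:
    """Rank TLDs by frequency across a set of hostnames (the view behind Figure 1)."""
    return Counter(split_host(h)[2] for h in hosts)


# Constructed sample set: the hostnames printed in Tables 2 and 3 of the report.
SAMPLE_HOSTS = [
    "webmail-bc8c1be56-auth-c0014bc8c1be56e3ec5d86e3ec5d8-login[.]pages[.]dev",
    "emailwebbs[.]pages[.]dev",
    "new-voicemail-audio-message[.]pages[.]dev",
    "emailcenter[.]pages[.]dev",
    "ag7sr[.]fjlabpkgcuo[.]es",
    "gymi8[.]fwpzza[.]es",
    "md6h60[.]hukqpeny[.]es",
    "Shmkd[.]jlaancyfaw[.]es",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = triage(h)
        print(f"{r['host']:<72} tld={r['tld']:<4} random_sub={r['random_subdomain']} "
              f"random_base={r['random_base']}")
    print(tld_counts(SAMPLE_HOSTS))
```

Run as written, the four pages[.]dev hostnames come back as chosen (a lure word is present) and all four .es hostnames as random in both the subdomain and the base domain, which matches the report's observation that the .es base domains themselves are unreachable throwaways. The heuristic is deliberately simple; in production it would sit behind an allow list and a real public suffix list, and be weighted alongside other signals rather than used as a verdict on its own.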


Cloudflare Connection

Of all the .es TLD domains used to host credential phishing, approximately 99% were hosted on Cloudflare. Unsurprisingly, the majority of these credential phishing pages used a Cloudflare Turnstile CAPTCHA. Cloudflare has recently made deploying a web page quick and easy from the command line, with pages hosted on [.]pages[.]dev. It is unclear whether this ease of deployment has attracted threat actors to Cloudflare’s hosting services across its platforms, or whether other reasons apply, such as how strictly or leniently Cloudflare handles abuse complaints.