- Experts observe a 19x quarter-over-quarter increase in malicious use of .es domains
- 99% were credential phishing attacks, with 1% involving remote access trojans
- Microsoft was by far the most commonly impersonated brand
Cofense cybersecurity experts revealed a 19x increase in malicious campaigns using .es domains between the fourth quarter of 2024 and Q5 2025, which makes it the third most abused top-level domain (TLD) after .com and .ru.
The TLD is generally reserved for companies and organizations in Spain, or for Spanish-speaking audiences. Researchers found nearly 1,400 malicious subdomains across nearly 450 base domains between January and May.
An overwhelming majority (99%) of the campaigns involved credential phishing, with most of the remaining 1% delivering remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal and XWorm.
Although the rise of .es domains in cyberattacks is notable, the attack vectors remain unchanged. Malware was seen delivered by C2 nodes or spoofed emails, most of which (95%) impersonated Microsoft (an attacker favorite). Adobe, Google, Docusign and the Social Security Administration rounded out the five most commonly spoofed websites. Email lures often imitated HR and document-related requests.
Interestingly, the malicious subdomains were randomly generated rather than manually crafted, which makes them easier to identify as fake. Examples include AG7SR[.]fjlabpkgcuo[.]es and gymi8[.]fwpzza[.]es.
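As an added illustration (not Cofense's method or code), the sketch below triages a hostname list for .es names with random-looking labels, using the two examples above plus constructed benign hostnames. The consonant-run and vowel-ratio thresholds are assumptions, as is treating the last two labels as the base domain.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

def refang(indicator):
    """Normalise a defanged indicator (a[.]b[.]es) to a lowercase hostname."""
    return indicator.replace("[.]", ".").strip().strip(".").lower()

def looks_random(label):
    """Heuristic (assumed thresholds): long consonant runs or very few vowels."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 5:
        return False  # too short to judge; avoids flagging www, ns1, mail2
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return longest_run >= 4 or vowel_ratio < 0.2

def triage(indicators):
    """Group .es hostnames with a random-looking label by base domain."""
    hits = defaultdict(set)
    for raw in indicators:
        labels = refang(raw).split(".")
        if len(labels) < 2 or labels[-1] != "es":
            continue  # only the TLD discussed in the article
        if any(looks_random(label) for label in labels[:-1]):
            # Assumption: the base domain is registered directly under .es
            hits[".".join(labels[-2:])].add(".".join(labels))
    return {base: sorted(hosts) for base, hosts in hits.items()}

# First two entries are the article's examples; the rest are constructed.
SAMPLE = [
    "AG7SR[.]fjlabpkgcuo[.]es",
    "gymi8[.]fwpzza[.]es",
    "www.ayuntamiento.es",
    "mail2.universidad.es",
    "login.example.com",
]

if __name__ == "__main__":
    for base, hosts in triage(SAMPLE).items():
        print(base, hosts)
```

A heuristic like this is a triage aid for proxy or DNS logs; flagged names still need review, since legitimate labels can occasionally trip the thresholds.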
Despite the researchers suggesting that no similarities can be used to link the attacks to a single group, 99% of malicious domains.
“If a threat actor or a group of threat actors took advantage of .es TLD domains, it is likely that brands used in the campaigns.
Cofense explained that “important restrictions” on the use of .es TLDs were in place until 2005, adding that the recent increase in attacks linked to .es could be a concern, marking a new trend of exploiting the authority that the country-linked TLD officially carries.