Spain's top-level domain has become the third most commonly used domain in phishing campaigns after intrusions originating from the .es TLD increased 19-fold between the last quarter of 2024 and the first quarter of 2025, reports The Register.
Ninety-nine percent of the .es domains were leveraged for credential phishing, while the remainder were used to spread the Dark Crystal RAT, XWorm, and other remote access trojans, an analysis from Cofense revealed. Additional findings showed that most of the nefarious .es domains were hosted on Cloudflare, and that Cloudflare Turnstile CAPTCHA was used on the majority of phishing pages. "While Cloudflare has recently made deploying a web page quick and easy via command line with pages hosted on [.]pages[.]dev, it is unclear whether their recent move to making domains hosted by them easy to deploy has attracted threat actors to their hosting services across different platforms or if there are other reasons, such as how strict or lenient Cloudflare is with abuse complaints," said Cofense researchers.




