By Robert McArdle (Director of Cybercrime Research, TrendAI™) and Chris Lewis-Evans (COO, CleanDNS)
The threat landscape never sleeps—but neither do we. Today, we are proud to announce a partnership between TrendAI™ and CleanDNS that takes our fight against cybercriminal infrastructure to a whole new level.
Blocking malicious domains has long been a critical defensive measure. But blocking alone does not remove the underlying problem, because the attacker infrastructure itself remains live and available to target the next victim.
Through this partnership, we are extending protection beyond individual customer environments and are now working to remove attacker domains from the internet entirely.
Hunting attacker infrastructure in near-real time
For several months, TrendAI™ research teams have been actively collaborating with CleanDNS on a shared mission: dismantling the infrastructure that cybercriminals depend on.
At the core of this effort is the investment of TrendAI™ in agentic AI workflows and in-house machine learning models. These systems allow us to actively identify and monitor attacker infrastructure associated with malware from a range of key threat groups in near-real time. We don’t wait for attacks to land. We find the infrastructure the attackers have built and act on it immediately.
Our focus is squarely on the threats that matter most—the left-of-kill-chain threats that enable nearly every major cyberattack today, such as:
- Infostealers, which harvest credentials and session tokens at industrial scale
- Phishing-as-a-service (PhaaS), which is available to any would-be attacker
- Loaders, which deliver secondary payloads to compromised systems
- Remote access trojans (RATs), which give attackers persistent, hands-on access to victim environments
Why the long tail and left of the kill chain matter
Two principles drive why this approach delivers outsized impact:
- First, there’s the long tail of cybercrime. The cybercrime economy mirrors many other markets: A relatively small number of malware-as-a-service families dominate the landscape, commanding a disproportionate share of usage compared to mid-tier families. After the top operators, there is a steep drop-off into a long tail of smaller players. This means that accurately targeting the top threat families yields a dramatically amplified protective effect. When we block the infrastructure of the threats that matter most, we protect against a vast share of real-world attacks.
- Second, blocking left of the kill chain multiplies impact. By targeting the infrastructure behind stealers, phishing kits, loaders, and RATs, we stop attacks at their earliest stages—long before an attacker could deploy their final payload. A ransomware attack that never gets its initial loader delivered is a ransomware attack that never happens. This upstream disruption is one of the most efficient forms of protection in cybersecurity.
Hundreds of attacker domains blocked every day
Based on this approach, TrendAI™ identifies, accurately tags, and blocks hundreds of pieces of attacker infrastructure every day. This ensures that customers on the TrendAI Vision One™ platform have the best protection in the industry against these evolving threats.
In many cases, we are able to identify and block attacker infrastructure the moment it is created—before the attackers have even had the chance to deploy it in live attacks. Our customers are, therefore, protected from threats before they are ever deployed.
But blocking for our own customers was where our direct impact ended—that is, until now.
Enter CleanDNS: Taking action across the entire internet
This is where our partnership with CleanDNS changes what’s possible.
CleanDNS is a leader in DNS abuse management and online harm mitigation. Founded by cybersecurity and investigative professionals, CleanDNS operates a DNS abuse monitoring and case management platform designed specifically to work within the organizations that operate the internet’s infrastructure.
For its registrar and registry clients, CleanDNS is not simply a reporting intermediary; it is the entity responsible for managing and progressing abuse action. Through contractual integration, CleanDNS operates within established registrar and registry workflows to investigate abuse, assemble evidence, and initiate suspension, sinkholing, or takedown actions in line with client policy and authority.
CleanDNS works directly with registry operators, registrar abuse teams, and other core infrastructure providers, including supplying foundational technology for the NetBeacon Institute’s reporting service. This positioning allows CleanDNS to act as the operational execution layer or to ensure that cases are routed to the correct entity. Each case is delivered with structured, policy-aligned evidence and progressed through predefined escalation paths, reducing friction and delays and enabling faster, more consistent abuse resolution outcomes.
From single domains to infrastructure clusters
CleanDNS’s model is designed to go beyond one-off action. Each validated domain becomes an entry point into a wider investigative process, identifying related registrations, shared infrastructure, and campaign-level patterns.
This approach empowers registrars and registries to act against coordinated abuse at the account or network level, rather than individual domains. The result is a faster, more consistent response.
How the partnership works
TrendAI™ research teams now provide CleanDNS with high-confidence command and control (C&C) and delivery domains associated with priority threat groups in real time, immediately after those domains are identified and blocked for TrendAI™ customers.
Each submission includes a detailed evidence package derived from TrendAI™ analysis, designed to meet registrar and registry evidentiary standards.
CleanDNS then processes each case through its platform and engages the appropriate registrar or registry via existing contractual channels. Where policy thresholds are met, domains can be suspended, sinkholed, or removed entirely—with the actions for CleanDNS’s clients occurring in as little as 12 minutes, all reports verified and delivered within an average of 30 minutes, and an end-to-end average resolution time of 2.5 days across the whole internet.
A real-world example: Lumma Stealer C&C domain removal
For our current sharing program, we have focused on domains that are both high impact and malicious with very high confidence.
The domain jugbphm[.]click is a confirmed C&C domain for a leading left-of-kill-chain threat, Lumma Stealer.
| Time since previous step | Event |
|---|---|
| 0 minutes | Sourced by TrendAI™ automation after malware C2 behaviour observed |
| +7 minutes | Protection added to TrendAI Vision One™ after verification with multi-factor system (AI, expert rules, heuristics) |
| +6 hours | Sent to CleanDNS with automated evidence of maliciousness, after human-in-the-loop validation |
| +3 minutes | Verified by CleanDNS, then sent to escalation point |
| +25 hours | Mitigation completed |
This process takes a malicious domain from first observation to removal from the internet in just over a day.
More recently, we have optimized this process further by removing the human-in-the-loop requirement, because every domain shared during the program was verified as malicious (a 100% verification rate). This will ultimately reduce the time from malicious observation by TrendAI™ to escalation by CleanDNS to minutes, and over time increase the scope of domains shared for wider impact.
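To make the pipeline described in "How the partnership works" and in the Lumma Stealer timeline concrete, here is an added example in Python. It is not TrendAI™ or CleanDNS code: it parses the relative offsets from the timeline table above and accumulates them into elapsed time since first observation, keeps the indicator defanged (jugbphm[.]click) until it is validated, and assembles a structured abuse case record. The case field names, the `requested_action` value and the timestamp are assumptions made for illustration; the page does not publish the real evidence package format.

```python
import re
from datetime import timedelta

# Timeline copied from the Lumma Stealer example above. Each offset is
# relative to the previous step, not to first observation.
LUMMA_TIMELINE = [
    ("0 Minutes", "Sourced by TrendAI automation after malware C2 behaviour observed"),
    ("+7 Minutes", "Protection added to Vision One after multi-factor verification"),
    ("+6 Hours", "Sent to CleanDNS with automated evidence after human validation"),
    ("+3 Minutes", "Verified by CleanDNS and sent to escalation point"),
    ("+25 Hours", "Mitigation completed"),
]

_UNIT_MINUTES = {"minute": 1, "hour": 60, "day": 1440}
_OFFSET_RE = re.compile(r"^\+?(\d+)\s*(minute|hour|day)s?$", re.IGNORECASE)


def parse_offset(text: str) -> timedelta:
    """Turn '+6 Hours' or '0 Minutes' into a timedelta."""
    m = _OFFSET_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised offset: {text!r}")
    return timedelta(minutes=int(m.group(1)) * _UNIT_MINUTES[m.group(2).lower()])


def cumulative_timeline(rows):
    """Accumulate relative offsets into elapsed time since first observation."""
    elapsed = timedelta(0)
    out = []
    for offset, event in rows:
        elapsed += parse_offset(offset)
        out.append((elapsed, event))
    return out


def minutes_to_mitigation(rows) -> int:
    """Whole minutes from first observation to the last timeline step."""
    return int(cumulative_timeline(rows)[-1][0].total_seconds() // 60)


# IoC hygiene: indicators travel defanged (jugbphm[.]click) so they cannot
# be clicked or auto-linked by accident; refang only at the point of use.
def refang(domain: str) -> str:
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def is_valid_domain(domain: str) -> bool:
    """Syntactic check only (label lengths, TLD); no DNS lookup is made."""
    return _DOMAIN_RE.match(domain) is not None


def build_abuse_case(domain, threat_family, first_observed_utc, evidence, confidence="high"):
    """Assemble a structured case record for a registrar or registry abuse
    desk. Field names are assumed for this example; the real package format
    exchanged between TrendAI and CleanDNS is not described on the page."""
    clean = refang(domain)
    if not is_valid_domain(clean):
        raise ValueError(f"not a valid domain: {domain!r}")
    if not evidence:
        raise ValueError("a case needs at least one evidence item")
    return {
        "domain": defang(clean),
        "threat_family": threat_family,
        "category": "command-and-control",
        "first_observed_utc": first_observed_utc,
        "confidence": confidence,
        "evidence": list(evidence),
        "requested_action": "suspend_or_sinkhole",  # assumed value
    }


if __name__ == "__main__":
    for elapsed, event in cumulative_timeline(LUMMA_TIMELINE):
        print(f"T+{elapsed}  {event}")
    case = build_abuse_case(
        "jugbphm[.]click",
        "Lumma Stealer",
        "2025-01-01T00:00:00Z",  # constructed timestamp, not from the page
        ["C2 beaconing observed during sandbox detonation (constructed evidence)"],
    )
    print(case)
```

Run as a script, it prints each step with its elapsed time since first observation; the final step lands at 31 hours 10 minutes, which is the "just over a day" the text refers to. Keeping the domain defanged in the emitted record, and validating it only after refanging, is the pattern to follow when such cases are forwarded between teams or tooling.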
A shared mission: Making the internet safer for all
TrendAI™ and CleanDNS share a fundamental belief: The internet should be a safer place for everyone, not just the customers of any single security vendor. Partnerships like this are among the most powerful tools we have to take on the persistent threat of cybercrime today. By combining the world-class threat intelligence and real-time detection capabilities of TrendAI™ with CleanDNS’s unmatched ability to execute domain takedowns across the global DNS ecosystem, we create a multiplier effect that no single organization could achieve alone.
A message to attackers
As a result of this partnership, our message to the cybercriminal community is unambiguous.
To paraphrase Liam Neeson in “Taken”:
If you target a TrendAI™ customer, we will find your infrastructure. We will block it instantly. And now, with this partnership, we will remove it from the entire internet.
So when you are choosing your next target, think very carefully before deciding to go after one protected by TrendAI™.
To learn more about the threat intelligence capabilities of TrendAI™ and the TrendAI Vision One™ platform, visit trendmicro.com.
To learn more about CleanDNS and its DNS abuse mitigation services, visit cleandns.com.