
How Bad Actors Are Leveraging DNS: Looking at the Latest Trends

Amidst all the new, evolving ways bad actors act, one stalwart truth endures: DNS is the essential connective tissue of the internet; by securing this fundamental layer, you can neutralize threats before they ever reach your network.

Malware continues to proliferate, and ransomware remains a key threat to critical infrastructures, including those for supply chains and healthcare. In addition to these threats, AI is becoming increasingly complex and sophisticated. Attackers are using AI’s automation capabilities to work faster and launch attacks with minimal effort. Attack types include not just AI-powered malware and phishing campaigns but also brute force and credential stuffing attacks.

My research team recently completed an analysis of our traffic patterns in the last year and a few key trends emerged:

  • New domains are still big business for bad actors: More than 65% of unique threat domains are composed of new domains. Attackers are doing all they can to accelerate deployment and constantly rotate domains to escape controls and takedowns.
  • The average internet user encounters more threats each day: In 2024, the typical user experienced 29 threats. That number jumped to 66 in 2025.
  • Both malicious and legitimate AI traffic is exploding: In the report’s time frame, the DNSFilter network processed more than 6 billion queries related to AI. Month-over-month, Generative AI traffic (both malicious and non-malicious) has risen. We saw the biggest rise—a whopping 102%—in September.
  • Attackers are using specific AI technology in their malicious sites’ names: Between April 2024 and April 2025, impersonation of GenAI sites decreased by 92%—but there was an increase in malicious domains using the keyword “openai.”

New threats, new blocking

Our researchers saw a 30% increase in the number of threats observed on our network compared to the prior year. The volume is growing, yet many of these threats have shown consistency over time; malware retains the crown as the threat with the highest number of month-over-month blocked requests.

What we also found is that, on average, 2.44% of all blocked requests are malicious. Looking at the breakdown of threats—minus proxy and filter avoidance—New domains had the highest distribution of threats during the reporting period. Malware was a close second.

New domain dangers

As noted above, new domains comprise more than 65% of all unique threat domains on the DNSFilter network.

Malware queries are more active, yet fewer malware domains are active on our network, which is consistent with a small number of malware groups being responsible for a large portion of all ransomware. It’s likely that such malware domains are trying to “phone home” constantly and quickly.

By their nature, new domains typically have lower traffic in general. New domains can be malicious or legitimate, but when a domain is used for a short time and then abandoned, that pattern is indicative of a threat, and it could mean the domain was used heavily before being abandoned. This makes sense, since new domains are often where new threats are tested; they’re typically taken down quickly or converted to new, unique URLs. That means this category takes the prize for the highest number of domains. New domain creation increases each year and is growing faster than other categories.
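The "used heavily for a short time, then abandoned" pattern described above can be checked against resolver logs. The following is an added example, not DNSFilter's detection logic; the log format, the baseline set of known domains, the thresholds and the function names are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed resolver log lines: "timestamp client qname" (sample data, not real traffic).
SAMPLE_LOG = """\
2025-03-01T08:00:00 10.0.0.5 www.example.com
2025-03-01T09:00:00 10.0.0.7 a1.cdn-update.test
2025-03-01T09:10:00 10.0.0.7 a2.cdn-update.test
2025-03-01T09:20:00 10.0.0.9 a1.cdn-update.test
2025-03-01T09:50:00 10.0.0.9 a3.cdn-update.test
2025-03-01T10:00:00 10.0.0.5 newshop.test
2025-03-01T12:00:00 10.0.0.8 oneoff.test
2025-03-01T18:00:00 10.0.0.6 www.newshop.test
2025-03-02T10:00:00 10.0.0.5 newshop.test
2025-03-02T23:00:00 10.0.0.6 www.newshop.test
2025-03-02T23:30:00 10.0.0.5 www.example.com
"""
KNOWN_DOMAINS = {"example.com"}  # assumed baseline: domains seen before this window

def registrable(qname):
    # Simplification: keep the last two labels; real code should use the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def summarize(log_text):
    """Return {domain: {"first", "last", "count"}} for every queried domain."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, dom = datetime.fromisoformat(parts[0]), registrable(parts[2])
        s = stats.setdefault(dom, {"first": ts, "last": ts, "count": 0})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["count"] += 1
    return stats

def burst_then_abandoned(stats, known, log_end, max_active=timedelta(hours=6),
                         min_queries=4, min_quiet=timedelta(hours=24)):
    """New domains queried heavily within a short span and silent ever since."""
    flagged = []
    for dom, s in stats.items():
        if dom in known:
            continue  # not a new domain
        short_lived = s["last"] - s["first"] <= max_active
        abandoned = log_end - s["last"] >= min_quiet
        if short_lived and abandoned and s["count"] >= min_queries:
            flagged.append(dom)
    return sorted(flagged)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(burst_then_abandoned(stats, KNOWN_DOMAINS, datetime(2025, 3, 3)))
```

A new domain that is still being queried (`newshop.test`) or that was seen only once (`oneoff.test`) is not flagged; only the short, heavy burst followed by silence is.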

Using DNS data to spot trends and defeat modern threats

After releasing this report annually for five years, we continue to see trending content impact what’s happening among threats. We see real-world impact reflected in scams, phishing and malware. AI has equipped attackers with the ability to rapidly and with little effort create new domains and assets—so they are able to attack faster and more often—and capitalize on trends. That makes them even more dangerous. Because bad actors use domains in almost every kind of attack, DNS serves as a barometer to gauge malicious activity across the internet.

This report highlights the necessity of proactive security measures that account for both obvious malicious activity and the fluctuating trends that pop up throughout the year. Those trends often show up as new domains. That’s crucial to understand, since new domains in themselves comprise well over half of all unique threat domains. New domains as a category still use over 7.5 times more domains than phishing. The adoption of AI, domain name choices, the use of CAPTCHA, the targeting of gambling sites, and hiring and tax scams are among the trends that drive malicious actors’ choices.

Security must become more than a department at a company; it must be integral to all company culture. Organizations need to use the insights from DNS data to inform their security strategy. They also need AI-powered solutions that can move as quickly as their opponents can. This combination will help to protect companies against the panoply of emerging and shifting threats that assault them every day.

By TK Keanini, CTO at DNSFilter
