Tech News

Tech Business News

  • Home
  • Technology
  • Business
  • News
    • Technology News
    • Local Tech News
    • World Tech News
    • General News
    • News Stories
  • Media Releases
    • Tech Media Releases
    • General Media Releases
  • Advertisers
    • Advertiser Content
    • Promoted Content
    • Sponsored Whitepapers
    • Advertising Options
  • Cyber
  • Reports
  • People
  • Science
  • Articles
    • Opinion
    • Digital Marketing
    • Gaming
    • Guest Publishers
  • About
    • Tech Business News
    • News Contributions -Submit
    • Journalist Application
    • Contact Us
Reading: Hackers Exploit Shared CDN IPs to Bypass DNS and Zero Trust With New ‘Underminr’ Evasion Technique
Share
Font ResizerAa
Tech Business NewsTech Business News
  • Home
  • Technology News
  • Business News
  • News Stories
  • General News
  • World News
  • Media Releases
Search
  • News
    • Technology News
    • Business News
    • Local News
    • News Stories
    • General News
    • World News
    • Global News
  • Media Releases
    • Tech Media Releases
    • General Press
  • Categories
    • Crypto News
    • Cyber
    • Digital Marketing
    • Education
    • Gadgets
    • Technology
    • Guest Publishers
    • IT Security
    • People In Technology
    • Reports
    • Science
    • Software
    • Stock Market
  • Promoted Content
    • Advertisers
    • Promoted
    • Sponsored Whitepapers
  • Contact & About
    • Contact Information
    • About Tech Business News
    • News Contributions & Submissions
Follow US
© 2022 Tech Business News- Australian Technology News. All Rights Reserved.
Tech Business News > Cyber > Hackers Exploit Shared CDN IPs to Bypass DNS and Zero Trust With New ‘Underminr’ Evasion Technique
Cyber

Hackers Exploit Shared CDN IPs to Bypass DNS and Zero Trust With New ‘Underminr’ Evasion Technique

Researchers have uncovered “Underminr,” a stealthy attack that lets hackers abuse trusted CDN infrastructure to bypass common internet security protections. By routing malicious traffic through trusted CDN IPs, attackers can hide harmful activity behind legitimate domains and evade detection.

Matthew Giannelis
Last updated: May 27, 2026 8:10 pm
Matthew Giannelis
Share
SHARE

Cybersecurity researchers have uncovered a stealthy new attack technique that allows hackers to bypass one of the internet’s most widely trusted security controls by abusing shared infrastructure inside major content delivery networks (CDNs).

Contents
How the Attack Works“Underminr” Variants Evade Multiple DefensesLow Barrier to Entry Raises AlarmLinks to China-Aligned Threat GroupsDefenders Face Visibility ChallengeIndustry-Wide Implications

The method, dubbed “Underminr” by researchers at ADAMnetworks, enables attackers to route malicious traffic through trusted CDN edge IP addresses, effectively hiding malicious communications behind legitimate domains without triggering DNS-based security alerts.

The discovery raises fresh concerns about the reliability of protective DNS filtering and Zero Trust network controls that many enterprises rely on to detect and block malicious traffic.

How the Attack Works

CDNs such as Cloudflare and other major providers commonly assign the same edge IP address to multiple customer websites.

When traffic arrives at a shared IP, the CDN determines which customer site to serve by reading the Server Name Indication (SNI) field during the TLS handshake or the HTTP Host header.

Researchers say attackers are now exploiting that routing logic.

In practice, threat actors first resolve a legitimate and trusted domain name to obtain its CDN edge IP address.

They then connect to that IP while secretly directing the SNI or Host header toward a completely different, attacker-controlled domain hosted on the same CDN infrastructure.

To security systems inspecting only DNS activity, the traffic appears benign because the original domain lookup was legitimate. The actual malicious connection, however, is established behind the scenes.

“This creates a dangerous blind spot,” researchers warned, noting that the DNS request and the actual encrypted session are often never correlated in real time.

“Underminr” Variants Evade Multiple Defenses

Researchers identified four separate versions of the technique, each tailored to bypass different layers of network security.

  • Simple Mode involves resolving a trusted domain before redirecting traffic through a deceptive SNI value tied to a malicious server sharing the same CDN edge IP.

  • Split Mode takes the deception further by first performing a legitimate TLS handshake to satisfy deep packet inspection systems before opening a second hidden connection using the malicious SNI.

  • ECH Mode abuses Encrypted Client Hello (ECH), a newer privacy feature designed to encrypt SNI data. By hiding the true destination inside encrypted TLS metadata, attackers can evade tools that rely on inspecting plaintext SNI values.

  • Direct-to-IP Mode eliminates DNS queries entirely, allowing attackers to communicate directly with CDN edge IPs without generating any DNS telemetry at all.

According to the researchers, even organizations using hardened DNS protections — including Microsoft’s Zero Trust DNS controls — may remain vulnerable if connection-level telemetry is not cross-checked against DNS activity.

Low Barrier to Entry Raises Alarm

What makes the discovery especially concerning for defenders is the simplicity of execution.

Researchers also say a basic shell script running from a single compromised endpoint inside a protected network is sufficient to carry out the attack. No advanced malware framework or custom tooling is required.

The report also warns that AI-generated malware could easily automate the process at scale, potentially accelerating adoption among cybercriminal groups.

Links to China-Aligned Threat Groups

The technique has also been associated with activity tied to China-linked threat actors.

It was that noted similarities between Underminr and tunneling behaviors observed in campaigns involving SoftEtherVPN, a tool previously linked to groups including Flax Typhoon, Webworm, GALLIUM, MirrorFace, and ToddyCat.

The activity aligns with MITRE ATT&CK techniques T1133 (External Remote Services) and T1572 (Protocol Tunneling), researchers said.

Defenders Face Visibility Challenge

Security experts say the core issue lies in the disconnect between DNS filtering and transport-layer inspection.

Most enterprise security stacks treat DNS requests and encrypted HTTPS sessions as separate telemetry streams, leaving defenders unable to verify whether a resolved domain actually matches the destination being accessed over TLS.

Organisaions are recommend to monitor for mismatches between recently approved DNS lookups and the SNI or Host values observed in outbound connections to CDN edge infrastructure.

Additional mitigations include stripping ECH data from HTTPS and SVCB DNS responses and blocking known ECH-related domains such as cloudflare-ech.com.

Industry-Wide Implications

ADAMnetworks has launched an online exposure assessment tool, underminr.ai, allowing domain owners to determine whether their infrastructure is vulnerable to abuse.

Domains flagged “yellow” are considered vulnerable but not yet observed in active attacks, while “red” indicates confirmed abuse in known attack chains.

Researchers warned that if CDN-based evasion techniques like Underminr become widespread, confidence in protective DNS as a frontline security layer could significantly erode.

Such a shift, they cautioned, would undermine one of the internet’s most broadly deployed proactive defense mechanisms and force organisations to rethink how encrypted traffic is monitored across modern cloud infrastructure.

ByMatthew Giannelis
Follow:
Secondary editor and executive officer at Tech Business News. An IT support engineer for 20 years he's also an advocate for cyber security and anti-spam laws.
Previous Article Listicles Get You Cited by AI Search Results and AI Overviews How Simple, Well-Structured Listicles Get You Cited by AI Search Results and AI Overviews
Next Article Yubico Announces Upgraded YubiKey 5 FIPS Series Is Now FIPS 140-3 Validated Yubico’s Upgraded YubiKey 5 FIPS Series Achieves FIPS 140-3 Validation
Leave a Comment

Leave a Reply Cancel reply

You must be logged in to post a comment.

Cyber Security Underminr hackers bypass CDN IP

Tech Articles

Top Big Tech Companies 2026

The Big Tech Companies Actually Winning In 2026 — And Numbers That Prove It

Top tech companies in 2026 included AppLovin, AWS, Microsoft, Meta,…

May 20, 2026
Why is APAC losing the war on digital fraud

Why APAC is Losing Ground In The Fight Against Digital Fraud

Why APAC is losing the war on digital fraud is…

May 6, 2026
Why your nbn evening speeds slow down

Why Your NBN Slows Down at Night — And How To Find the Real Cause

NBN slow at night? ACCC data shows why evening speeds…

July 2, 2026

Recent News

Medibank hacked cyber attack
Cyber

Medibank confirms its customer data has been stolen by hackers.

2 Min Read
Tech News
CyberTechnology News

Cyber Security Risks in Australia’s Connected Transport Sector

8 Min Read
Gov flags new rules after Optus hack
Cyber

Federal Government Prepares New Data Breach Notification Rules After Optus Hack.

2 Min Read
Cyber

Microsoft Warns of New INC Ransomware Targeting The U.S. Healthcare Sector

3 Min Read
Tech News - Technology Business

Tech Business News

In 2026, technology news is shaping business outcomes faster than ever—driven by AI adoption, rising cyber risk, cloud modernisation, data regulation, and constant platform change.
 
Tech News keeps Australian organisations and industry professionals informed with timely reporting and practical coverage across AI, cybersecurity, cloud, enterprise IT, startups, science, people and business, plus major world and local news impacting the tech sector.
 
Tech Business News publishes news and analysis designed to be clear, relevant, and easy to act on. It supports the industry with technology news reports, whitepaper publishing services, and a range of media, advertising and publishing options 

About

About Us 
Contact Us 
Privacy Policy
Copyright Policy
Terms & Conditions

July, 13, 2026

Contact

Tech Business News
Melbourne, Australia
Werribee 3030
Phone: +61 431401041

Hours : Monday to Friday, 9am 530-pm.

Tech News

© Copyright Tech Business News 

Latest Australian Tech News – 2026

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?