Cybersecurity researchers have uncovered a stealthy new attack technique that allows hackers to bypass one of the internet’s most widely trusted security controls by abusing shared infrastructure inside major content delivery networks (CDNs).
The method, dubbed “Underminr” by researchers at ADAMnetworks, enables attackers to route malicious traffic through trusted CDN edge IP addresses, effectively hiding malicious communications behind legitimate domains without triggering DNS-based security alerts.
The discovery raises fresh concerns about the reliability of protective DNS filtering and Zero Trust network controls that many enterprises rely on to detect and block malicious traffic.
How the Attack Works
CDNs such as Cloudflare and other major providers commonly assign the same edge IP address to multiple customer websites.
When traffic arrives at a shared IP, the CDN determines which customer site to serve by reading the Server Name Indication (SNI) field during the TLS handshake or the HTTP Host header.
Researchers say attackers are now exploiting that routing logic.
In practice, threat actors first resolve a legitimate and trusted domain name to obtain its CDN edge IP address.
They then connect to that IP while secretly directing the SNI or Host header toward a completely different, attacker-controlled domain hosted on the same CDN infrastructure.
To security systems inspecting only DNS activity, the traffic appears benign because the original domain lookup was legitimate. The actual malicious connection, however, is established behind the scenes.
“This creates a dangerous blind spot,” researchers warned, noting that the DNS request and the actual encrypted session are often never correlated in real time.
“Underminr” Variants Evade Multiple Defenses
Researchers identified four separate versions of the technique, each tailored to bypass different layers of network security.
- Simple Mode involves resolving a trusted domain before redirecting traffic through a deceptive SNI value tied to a malicious server sharing the same CDN edge IP.
- Split Mode takes the deception further by first performing a legitimate TLS handshake to satisfy deep packet inspection systems before opening a second hidden connection using the malicious SNI.
- ECH Mode abuses Encrypted Client Hello (ECH), a newer privacy feature designed to encrypt SNI data. By hiding the true destination inside encrypted TLS metadata, attackers can evade tools that rely on inspecting plaintext SNI values.
- Direct-to-IP Mode eliminates DNS queries entirely, allowing attackers to communicate directly with CDN edge IPs without generating any DNS telemetry at all.
According to the researchers, even organizations using hardened DNS protections — including Microsoft’s Zero Trust DNS controls — may remain vulnerable if connection-level telemetry is not cross-checked against DNS activity.
Low Barrier to Entry Raises Alarm
What makes the discovery especially concerning for defenders is the simplicity of execution.
Researchers also say a basic shell script running from a single compromised endpoint inside a protected network is sufficient to carry out the attack. No advanced malware framework or custom tooling is required.
The report also warns that AI-generated malware could easily automate the process at scale, potentially accelerating adoption among cybercriminal groups.
Links to China-Aligned Threat Groups
The technique has also been associated with activity tied to China-linked threat actors.
It was that noted similarities between Underminr and tunneling behaviors observed in campaigns involving SoftEtherVPN, a tool previously linked to groups including Flax Typhoon, Webworm, GALLIUM, MirrorFace, and ToddyCat.
The activity aligns with MITRE ATT&CK techniques T1133 (External Remote Services) and T1572 (Protocol Tunneling), researchers said.
Defenders Face Visibility Challenge
Security experts say the core issue lies in the disconnect between DNS filtering and transport-layer inspection.
Most enterprise security stacks treat DNS requests and encrypted HTTPS sessions as separate telemetry streams, leaving defenders unable to verify whether a resolved domain actually matches the destination being accessed over TLS.
Organisaions are recommend to monitor for mismatches between recently approved DNS lookups and the SNI or Host values observed in outbound connections to CDN edge infrastructure.
Additional mitigations include stripping ECH data from HTTPS and SVCB DNS responses and blocking known ECH-related domains such as cloudflare-ech.com.
Industry-Wide Implications
ADAMnetworks has launched an online exposure assessment tool, underminr.ai, allowing domain owners to determine whether their infrastructure is vulnerable to abuse.
Domains flagged “yellow” are considered vulnerable but not yet observed in active attacks, while “red” indicates confirmed abuse in known attack chains.
Researchers warned that if CDN-based evasion techniques like Underminr become widespread, confidence in protective DNS as a frontline security layer could significantly erode.
Such a shift, they cautioned, would undermine one of the internet’s most broadly deployed proactive defense mechanisms and force organisations to rethink how encrypted traffic is monitored across modern cloud infrastructure.
