‘Underminr’ Attack Technique Turns Trusted CDN Infrastructure Into a Hacker’s Cloak

Researchers reveal ‘Underminr,’ a new attack that abuses shared CDN infrastructure to slip malicious traffic past DNS filters and Zero Trust defenses undetected.


A newly documented cyberattack method is giving security professionals reason to reconsider how much trust they place in DNS-based defenses. Researchers at ADAMnetworks have identified a technique they call “Underminr” – a sophisticated evasion approach that weaponizes the shared IP architecture of major content delivery networks (CDNs) to smuggle malicious traffic past both protective DNS filters and Zero Trust security controls, all without triggering standard detection alerts.

The findings point to a blind spot that exists in the way most enterprise security stacks are built – one that could be exploited by threat actors ranging from opportunistic cybercriminals to well-resourced nation-state groups.

The Mechanics Behind the Deception

To understand why the attack works, it helps to know how CDNs handle traffic. Providers like Cloudflare routinely assign a single edge IP address to many different customer websites. When a connection arrives, the CDN figures out which site to serve by reading the Server Name Indication (SNI) field within the TLS handshake or the HTTP Host header sent by the connecting client.

Underminr exploits precisely this routing logic. An attacker first performs a DNS lookup for a trusted, legitimate domain – something a security tool would flag as entirely normal. They then use the IP address returned by that lookup to connect to CDN edge infrastructure, but swap out the SNI or Host header to point to a completely different, attacker-controlled domain hosted on the same shared IP range. The DNS query looks clean. The actual encrypted session tells a different story.

“This creates a dangerous blind spot,” researchers warned, noting that real-time correlation between DNS requests and the encrypted sessions that follow is rarely performed in standard enterprise environments.

Four Variants, Each Targeting a Different Defense Layer

Researchers catalogued four distinct versions of the technique, each engineered to defeat a specific category of security control.

The first, dubbed Simple Mode, is the baseline approach: resolve a trusted domain, then reroute the SNI toward a malicious server sharing the same CDN edge IP. The second variant – Split Mode – adds an extra layer of deception by completing a legitimate TLS handshake first, satisfying deep packet inspection tools, before opening a second hidden channel using the malicious SNI.

The third version, ECH Mode, takes advantage of Encrypted Client Hello (ECH), a relatively new privacy feature in TLS that conceals the SNI entirely within encrypted metadata. By hiding the true connection destination inside ECH, attackers can evade any tool that depends on reading plaintext SNI values. The fourth variant, Direct-to-IP Mode, bypasses the DNS layer altogether – connecting directly to CDN edge IPs without generating any DNS telemetry at all, leaving DNS monitoring solutions with nothing to analyze.

Researchers noted that even organizations running Microsoft’s Zero Trust DNS controls could remain exposed if they are not cross-referencing connection-level telemetry against DNS activity logs.

Alarming Simplicity

What adds urgency to the disclosure is how little technical sophistication the attack actually requires. According to the researchers, a basic shell script running from a single compromised endpoint inside a protected network is all that is needed to carry out the technique. No custom malware framework, no specialized tooling.

The research also flags the role that AI-generated malware could play in accelerating adoption – with automation potentially enabling cybercriminal groups to deploy the technique at scale with minimal effort.

Nation-State Connections

The technique has drawn comparisons to behaviors previously associated with China-linked threat actors. Researchers noted parallels between Underminr and tunneling activity seen in campaigns involving SoftEtherVPN, a tool connected to groups including Flax Typhoon, Webworm, GALLIUM, MirrorFace, and ToddyCat. The attack maps to two MITRE ATT&CK techniques: T1133 (External Remote Services) and T1572 (Protocol Tunneling).

What Defenders Are Up Against

The fundamental problem for security teams is structural. Most enterprise security architectures treat DNS telemetry and encrypted HTTPS sessions as separate, largely unconnected data streams. That gap means defenders often cannot verify whether the domain resolved in a DNS query actually matches the destination being accessed in the subsequent TLS session – which is precisely the gap Underminr is built to exploit.

Recommended mitigations include monitoring for discrepancies between recently approved DNS lookups and the SNI or Host header values observed in outbound connections to CDN edge nodes. Security teams are also advised to strip ECH data from HTTPS and SVCB DNS responses and block ECH-related domains such as cloudflare-ech.com.
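The DNS-to-SNI correlation the mitigation calls for can be scripted from ordinary resolver and proxy logs. The example below is added here and is not ADAMnetworks' tooling; it assumes a simple whitespace-separated log format, uses constructed entries in documentation address space, and raises a finding for each of the page's variants: a mismatched SNI (Simple/Split Mode), a connection whose SNI cannot be read (ECH Mode), and a connection with no preceding lookup (Direct-to-IP Mode).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

WINDOW = 60  # seconds a DNS answer stays "fresh" for a (client, IP) pair

# Constructed sample logs: "ts client qname answered_ip" and "ts client dst_ip sni"
# ('-' in the SNI column means the SNI was absent or hidden by ECH).
DNS_LOG = """\
1700000000 10.0.0.5 www.example-shop.com 203.0.113.10
1700000005 10.0.0.7 docs.example-shop.com 203.0.113.10
"""
CONN_LOG = """\
1700000002 10.0.0.5 203.0.113.10 www.example-shop.com
1700000003 10.0.0.5 203.0.113.10 evil-lookalike.example
1700000010 10.0.0.7 203.0.113.10 -
1700000020 10.0.0.9 203.0.113.10 docs.example-shop.com
"""

@dataclass(frozen=True)
class Alert:
    ts: int
    client: str
    dst_ip: str
    sni: Optional[str]
    reason: str

def parse(log: str) -> List[List[str]]:
    """Split constructed whitespace-separated log lines into fields."""
    return [line.split() for line in log.strip().splitlines()]

def detect(dns_log: str, conn_log: str, window: int = WINDOW) -> List[Alert]:
    # Index answers by (client, answered_ip) -> [(ts, qname), ...]
    answers = defaultdict(list)
    for ts, client, qname, ip in parse(dns_log):
        answers[(client, ip)].append((int(ts), qname.lower()))

    alerts = []
    for ts, client, dst_ip, sni in parse(conn_log):
        ts = int(ts)
        sni = None if sni == "-" else sni.lower()
        # Names this client resolved to dst_ip shortly before connecting
        fresh = {q for t, q in answers[(client, dst_ip)] if 0 <= ts - t <= window}
        if not fresh:
            alerts.append(Alert(ts, client, dst_ip, sni, "no_dns"))        # Direct-to-IP
        elif sni is None:
            alerts.append(Alert(ts, client, dst_ip, sni, "sni_hidden"))    # ECH / no SNI
        elif sni not in fresh:
            alerts.append(Alert(ts, client, dst_ip, sni, "sni_mismatch"))  # Simple / Split
    return alerts

if __name__ == "__main__":
    for a in detect(DNS_LOG, CONN_LOG):
        print(f"{a.ts} {a.client} -> {a.dst_ip} sni={a.sni} reason={a.reason}")
```

The first connection in the sample passes because its SNI matches the name the same client just resolved to that IP; the remaining three are reported.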

Exposure Tool and Broader Stakes

ADAMnetworks has made an online assessment tool available at underminr.ai, enabling domain owners to check whether their infrastructure could be abused in an Underminr-style attack. Domains rated yellow are considered at risk but have not yet been observed in active attack chains, while those flagged red have confirmed ties to known exploitation activity.

Researchers cautioned that if CDN-based evasion methods like this gain traction in the threat landscape, confidence in protective DNS as a first line of defense could erode substantially – potentially forcing a fundamental rethink of how encrypted outbound traffic is monitored across modern cloud environments.