Hackers abuse shared CDN infrastructure to hide malicious traffic behind trusted domains
9 min. read 
Published on
Security researchers are warning about Underminr, a technique that lets attackers hide malicious traffic behind trusted domains hosted on shared CDN infrastructure. The method can help command-and-control traffic, proxy connections, phishing activity, and malware delivery slip past tools that rely too heavily on DNS or domain reputation checks.
A Rescana alert describes Underminr as an actively exploited weakness in shared content delivery network infrastructure. The issue is not a traditional software bug with a simple patch. It comes from how some CDNs route traffic for many tenants through shared edge systems.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The concern is scale. ADAMnetworks says roughly 88 million domains may be exposed to this class of abuse, according to an ADAMnetworks announcement. The company says the problem affects shared hosting and CDN environments where defenders do not correlate DNS decisions, edge IPs, SNI, Host headers, and tenant routing.
What Underminr does
Underminr allows a connection to appear tied to a reputable domain while the traffic reaches another domain on shared infrastructure. This can undermine tools that allow or block traffic based mainly on DNS lookups, domain reputation, or visible TLS information.
The Underminr technical report explains the gap this way: a device may resolve an allowed domain and connect to a CDN edge IP, while the actual routed hostname can differ because of how shared CDN routing handles SNI and Host information.
That creates a defensive blind spot. A network tool may see a request associated with a trusted domain and allow it, even though the traffic supports an attacker-controlled destination hosted on the same shared edge ecosystem.
Key details at a glance
| Item | Details |
|---|---|
| Technique name | Underminr |
| Main target | Shared CDN and hosting infrastructure |
| Primary abuse | Traffic concealment behind trusted domains |
| Potential uses | C2, proxy traffic, phishing, malware delivery, and policy evasion |
| Reported scale | About 88 million domains potentially affected, according to ADAMnetworks |
| CVE status | No public CVE assigned as of this writing |
| Core problem | Architectural routing and visibility gaps, not one vulnerable software version |
How it differs from classic domain fronting
Underminr is similar to domain fronting because both techniques can make traffic look like it is going to a trusted domain while the real destination differs. However, the mechanics are not identical.
SC World explains that traditional domain fronting used a trusted domain in the SNI field while placing the real destination in the encrypted HTTP Host header. Many major CDNs moved to block that older mismatch pattern years ago.
Underminr works around some of those older protections. Instead of relying on the same SNI and Host mismatch, it can use a DNS-resolved destination and shared edge routing conditions that allow a different hosted name to complete the connection.
Why domain reputation controls can miss it
Many organizations still rely on domain reputation as a major layer of outbound defense. That can work well against newly registered malicious domains, but it becomes weaker when traffic appears associated with a legitimate CDN-backed domain.
SecurityWeek reported that Underminr can bypass DNS filtering and hide command-and-control traffic. The report also noted that attacks may use malicious applications or simple shell scripts running from inside a protected network.
This makes the problem harder to block without context. If a company blocks the high-reputation front domain, it may disrupt legitimate business traffic. If it allows the domain blindly, it may let malicious connections pass.
Why shared CDN infrastructure creates the opening
CDNs route traffic for many customers through shared edge systems. This design improves speed, reliability, and global availability, but it also creates complex routing relationships between DNS, TLS, HTTP, and tenant configuration.
Attackers can register their own domain with a CDN that also serves trusted domains. If the right shared-edge conditions exist, they can craft traffic that benefits from the trusted domain’s reputation while reaching infrastructure they control.
The Rescana analysis says this can help attackers deliver C2 traffic, malware, and phishing campaigns at scale because security appliances may see the connection as legitimate.
What attackers can do with Underminr
- Hide command-and-control traffic behind trusted CDN-backed domains.
- Bypass protective DNS and domain-reputation filtering.
- Create proxy or VPN-style channels that look like normal HTTPS traffic.
- Run phishing or malware delivery infrastructure with less obvious domain risk.
- Interleave malicious traffic with ordinary traffic over shared infrastructure.
- Make blocking harder by forcing defenders to consider collateral damage.
HTTP/2 and multiplexing can add more noise
HTTP/2 allows multiple streams to run over one connection. That design improves performance, but it can also make traffic analysis more complex when malicious and legitimate-looking requests appear close together.
The technical write-up describes Underminr as a detection gap that appears when defenders do not correlate DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing. Without that correlation, one layer may look safe while another layer points somewhere else.
For defenders, the lesson is direct. Inspecting only one signal no longer gives enough confidence. Teams need to compare several signals across the connection lifecycle.
Why older domain-fronting lessons still matter
Domain fronting has a long history in censorship circumvention and attacker tradecraft. The technique became well known because it used trusted CDN-hosted domains to hide the real target of HTTPS traffic.
A Zscaler analysis explains that domain fronting can hide the true destination of an HTTPS request by using a trusted domain at one layer and another host inside the request. It also notes that adversaries have used CDN routing schemes to disguise C2 traffic.
Underminr revives the same defensive problem in a different form. Security teams must identify the actual destination of traffic, not only the name that looks safe at the first inspection point.
Attribution remains unclear
The current public reporting does not confirm one threat actor behind Underminr exploitation. Reports discuss possible value for espionage groups, financially motivated criminals, malware operators, and AI-assisted campaigns, but direct attribution remains unproven.
SC World notes that domain fronting was historically used by APT29, also known as Cozy Bear, but that is a comparison to older activity. It does not prove that APT29 or any other specific group is behind current Underminr abuse.
This distinction matters for defenders. The technique has broad value, so organizations should prepare for use by many types of actors rather than wait for a single named group to appear in alerts.
What security teams should monitor
| Signal | Why it matters |
|---|---|
| DNS answer and edge IP | Shows which domain produced the connection path |
| TLS SNI | Shows the hostname presented during TLS negotiation |
| HTTP Host header | Shows the hostname requested after TLS is established |
| CDN tenant mapping | Helps identify whether traffic reaches an unexpected tenant |
| Outbound HTTPS patterns | Can reveal unusual traffic volume to trusted domains |
| New shell scripts or unknown apps | May launch hidden connections from inside the network |
Recommended defensive steps
- Correlate DNS lookups, destination IPs, TLS SNI, and HTTP Host headers where privacy and policy allow.
- Review outbound traffic to trusted CDN-backed domains for unusual timing, volume, or client behavior.
- Do not rely only on domain reputation or protective DNS decisions for egress control.
- Use TLS inspection for high-risk environments where legal, privacy, and operational requirements allow it.
- Ask CDN providers what tenant-isolation and routing mitigations they support.
- Monitor scripts and unknown applications that create outbound HTTPS sessions to shared hosting providers.
- Feed confirmed attacker-controlled domains into security tools, but pair them with behavior analytics.
Why blocking trusted domains is not a practical answer
The hardest part of Underminr defense is collateral damage. Trusted domains often sit on the same CDN infrastructure as thousands of other domains, including business-critical services.
Blocking a major CDN-backed domain because it can be abused may break normal cloud, SaaS, content, or application traffic. That is why defenders need better connection validation instead of broad domain blocking.
SecurityWeek also reported that roughly 88 million domains may be affected, with the United States, the United Kingdom, and Canada among the most impacted regions. That scale makes selective, context-aware defense more realistic than blanket blocking.
How CDN providers fit into the fix
Organizations cannot solve the issue alone. CDN and hosting providers control the shared routing systems that make this class of traffic possible.
The ADAMnetworks disclosure says the company shared intelligence with industry partners and released a way for defenders to test exposure. It also says providers and defenders will need to collaborate because the issue sits inside shared internet infrastructure.
Enterprises should ask providers about tenant isolation, SNI and Host validation, routing consistency checks, logging visibility, and detection support for shared-edge abuse.
The bigger picture
Underminr shows why the security model around outbound web traffic needs to evolve. Attackers increasingly abuse trusted platforms, shared infrastructure, and normal protocols because blocking them creates too much business disruption.
The Zscaler domain-fronting research reached a similar conclusion for older CDN abuse: defenders need visibility into the real target of HTTPS traffic, not only the hostname that appears reputable at connection start.
For organizations, the practical response is layered. Keep domain reputation controls, but add correlation, behavior analytics, egress monitoring, and direct engagement with CDN providers. Underminr does not make reputation useless, but it shows why reputation alone cannot carry modern web security.
FAQ
Underminr is a CDN and shared-hosting abuse technique that can make malicious traffic appear connected to trusted domains while routing it to another hosted destination on shared infrastructure.
No. Public reports describe Underminr as an architectural abuse of shared CDN and hosting infrastructure, not a single software bug tied to one version or one vendor patch.
It can make a connection look associated with a reputable domain while the routed traffic reaches another hosted name. Tools that only check DNS, SNI, or reputation may allow the connection without seeing the full routing context.
Classic domain fronting usually relied on a mismatch between TLS SNI and the encrypted HTTP Host header. Underminr uses a different shared-edge routing mismatch involving DNS resolution, CDN edge IPs, SNI, Host headers, and tenant routing.
Organizations should correlate DNS, edge IP, SNI, Host header, and traffic behavior, monitor unusual outbound HTTPS sessions to trusted CDN-backed domains, and ask CDN providers about tenant isolation and routing validation controls.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages