Hackers Exploit Shared CDN Edge IPs to Evade Protective DNS Filtering
ID: d195b8bd-03ff-505f-b8f6-3dfbfc544363
STIX ID: report--d195b8bd-03ff-505f-b8f6-3dfbfc544363
Feed Name: GBHackers
ADAMnetworks describes “Underminr,” a stealthy evasion technique that leverages shared CDN edge IPs to route malicious traffic while DNS lookups appear to target benign domains. By initiating TLS connections with attacker-controlled SNI or Host values that differ from the resolved DNS name (or by connecting directly to CDN IPs, or by using ECH), adversaries can bypass DNS-based protections, establish covert C2 channels, and exfiltrate data. The report details the attack modes, links the behavior to known APT tactics, and recommends correlating DNS, network, and application-layer signals for detection.
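The DNS/network correlation the report recommends, as an added illustration that is not code from ADAMnetworks or GBHackers: it joins a client's DNS answers to its TLS ClientHello observations and flags connections whose SNI is not explained by any name that client resolved to the destination IP. The log records, domains and RFC 5737 addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the report): resolver answers and
# TLS ClientHello observations for one client, as a DNS log and a network
# sensor would record them.
DNS_LOG = [
    {"client": "10.0.0.5", "qname": "docs.example-cdn.com", "answer": "203.0.113.10"},
    {"client": "10.0.0.5", "qname": "assets.example-cdn.com", "answer": "203.0.113.10"},
]
TLS_LOG = [
    # SNI matches a name the client resolved to this edge IP: benign.
    {"client": "10.0.0.5", "dst": "203.0.113.10", "sni": "docs.example-cdn.com"},
    # Same edge IP, but the SNI names a domain the client never resolved.
    {"client": "10.0.0.5", "dst": "203.0.113.10", "sni": "c2.attacker-example.net"},
    # No visible SNI (ECH or a bare ClientHello): DNS cannot vouch for it.
    {"client": "10.0.0.5", "dst": "203.0.113.10", "sni": None},
    # Connection to an IP the client never obtained from DNS.
    {"client": "10.0.0.5", "dst": "198.51.100.7", "sni": "cdn.example-cdn.com"},
]


def correlate(dns_log, tls_log):
    """Return (finding, client, dst, sni) tuples for TLS connections whose
    SNI is not backed by a DNS answer the same client received for that IP."""
    # (client, answer_ip) -> set of names the client resolved to that IP
    resolved = defaultdict(set)
    for rec in dns_log:
        resolved[(rec["client"], rec["answer"])].add(rec["qname"].lower())

    findings = []
    for conn in tls_log:
        names = resolved.get((conn["client"], conn["dst"]), set())
        sni = (conn["sni"] or "").lower()
        if not names:
            # Direct-to-IP: nothing in DNS explains this destination at all.
            findings.append(("direct_to_ip", conn["client"], conn["dst"], conn["sni"]))
        elif not sni:
            # Hidden or absent SNI: the only DNS-visible name may be a decoy.
            findings.append(("no_sni_or_ech", conn["client"], conn["dst"], None))
        elif sni not in names:
            # Resolved a benign name, then asked the shared edge for another host.
            findings.append(("sni_dns_mismatch", conn["client"], conn["dst"], conn["sni"]))
    return findings


if __name__ == "__main__":
    for finding in correlate(DNS_LOG, TLS_LOG):
        print(finding)
```

In production the join also needs a time window and TTL awareness, since a cached answer may precede the connection by minutes; the matching rule itself is unchanged.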
