Cyber Security News

Chinese CDN Exploiting AWS & Microsoft Cloud to Host Malicious Websites

A recent investigation by cybersecurity firm Silent Push has revealed how a China-linked Content Delivery Network (CDN), known as FUNNULL, is exploiting major cloud providers like Amazon Web Services (AWS) and Microsoft Azure to host malicious websites.

The technique, termed “infrastructure laundering,” allows cybercriminals to mask their activities by renting IP addresses from legitimate cloud services and mapping them to fraudulent domains.

This method enables phishing campaigns, investment scams, and money laundering operations, posing significant challenges for cloud providers and cybersecurity efforts.

Exploitation of Cloud Platforms

FUNNULL has reportedly rented over 1,200 IP addresses from AWS and nearly 200 from Azure, using stolen or fraudulent accounts to bypass detection.

Once acquired, these IPs are linked to malicious domains via DNS CNAME records, allowing the network to host over 200,000 unique hostnames, 95% of which are generated through Domain Generation Algorithms (DGAs).

Chinese CDN Chinese CDN
Map of FUNNULL CNAME Chains

These domains support scams targeting major brands like Bwin, Chanel, and eBay, as well as fake trading platforms and gambling websites.

The infrastructure laundering process relies on intermediaries that obscure the origins of criminal activities.

Unlike traditional “bulletproof hosting,” which resists takedown efforts entirely, infrastructure laundering leverages the credibility of mainstream cloud providers.

This makes it difficult for defenders to block malicious traffic without disrupting legitimate services hosted on the same platforms.

Challenges for Cloud Providers

Despite efforts by AWS and Azure to suspend fraudulent accounts linked to FUNNULL’s activities, the CDN continues to acquire new IPs at a rapid pace.

Silent Push’s research indicates that FUNNULL has been renting Microsoft IP space since at least 2021.

The persistent cycling of IP addresses highlights vulnerabilities in account verification processes and DNS monitoring systems used by cloud providers.

CNAME records for cmegrouphkpd[.]info

AWS has acknowledged the issue and emphasized its ongoing efforts to detect and suspend fraudulently acquired accounts.

However, Silent Push has raised concerns about the effectiveness of current measures, questioning why cloud providers are unable to identify such schemes in real time.

The firm suggests that better tracking of CNAME chains could help prevent illicit IP rentals more effectively.

FUNNULL’s operations have facilitated extensive cybercriminal activities linked to transnational organized crime groups such as Chinese Triads.

For example, dozens of fake Bwin gambling websites were discovered hosted on Microsoft infrastructure.

Additionally, FUNNULL was involved in a supply chain attack in 2024 that compromised the popular JavaScript library polyfill.io, impacting over 110,000 websites globally.

The network’s ability to blend malicious activities with legitimate web traffic complicates mitigation efforts.

Silent Push’s findings underscore the need for coordinated action among cloud providers, cybersecurity firms, and law enforcement agencies to address this growing threat.

As cybercriminals continue exploiting gaps in cloud infrastructure management, organizations must adopt robust security measures such as real-time monitoring tools, stricter account verification processes, and enhanced DNS tracking systems.

Collaborative efforts between stakeholders will be critical in combating this sophisticated form of cybercrime.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber extortion…

2 hours ago

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers (WLCs),…

2 hours ago

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

17 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

17 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

18 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

19 hours ago