Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

Staff Editor 2026-02-04
Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html

Publish Date: 2026-02-04 23:56:00

Source Domain: thehackernews.com

Ravie LakshmananFeb 05, 2026Web Security / Vulnerability

Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route it through the attacker’s infrastructure.

Datadog Security Labs said it observed threat actors associated with the recent React2Shell (CVE-2025-55182, CVSS score: 10.0) exploitation using malicious NGINX configurations to pull off the attack.

“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers,” security researcher Ryan Simon said. “The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov).”

The activity involves the use of shell scripts to inject malicious configurations into NGINX, an open-source reverse proxy and load balancer for web traffic management. These “location” configurations are designed to capture incoming requests on certain predefined URL paths and redirect them to domains under the attackers’ control via the “proxy_pass” directive.

The scripts are part of a multi-stage toolkit that facilitates persistence and the creation of malicious configuration files incorporating the malicious directives to redirect web traffic. The components of the toolkit are listed below –

  • zx.sh, which acts as the orchestrator to execute subsequent stages through legitimate utilities like curl or wget. In the event that the two programs are blocked, it creates a raw TCP connection to send an HTTP request
  • bt.sh, which targets the Baota (BT) Management Panel environment to overwrite NGINX configuration files
  • 4zdh.sh, which enumerates common Nginx configuration locations and takes steps to minimize errors when creating the new configuration
  • zdh.sh, which adopts a narrower targeting approach by focusing mainly on Linux or…

Source

More Stories

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

Staff Editor 2026-06-06
Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Staff Editor 2026-06-06
Are connected electric vehicles safe? The top threats they face

Are connected electric vehicles safe? The top threats they face

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy