Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

Global Web Traffic Hijacking Campaign Targets NGINX Servers, Redirects Users to Attacker Infrastructure

By Ravie Lakshmanan
February 5, 2026
Web Security / Vulnerability

A sophisticated and highly targeted web traffic hijacking campaign has been uncovered by cybersecurity researchers at Datadog Security Labs, revealing an active threat actor operation that is compromising NGINX web server installations and Baota (BT) management panels across Asia and beyond.

The Anatomy of a Stealthy Attack

The campaign represents one of the most concerning developments in web infrastructure security this year, with attackers deploying multi-stage toolkits to intercept legitimate web traffic and route it through their own malicious backend servers. The operation specifically targets Asian top-level domains including .in, .id, .pe, .bd, and .th, while also focusing on Chinese hosting infrastructure through Baota Panel exploitation.

“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers,” explained Ryan Simon, security researcher at Datadog. “This represents a fundamental compromise of trust in web infrastructure.”

Technical Deep Dive: How the Hijacking Works

At its core, the attack exploits NGINX’s powerful reverse proxy capabilities through the strategic injection of malicious configuration files. These configurations use NGINX’s “location” directive to capture incoming requests on specific URL paths, then redirect them using the “proxy_pass” directive to domains controlled by the attackers.

The toolkit employed by threat actors consists of five sophisticated shell scripts working in concert:

zx.sh – The master orchestrator that executes subsequent stages through legitimate utilities like curl or wget. When these tools are blocked, the script demonstrates remarkable adaptability by creating raw TCP connections to send HTTP requests directly.

bt.sh – Specifically targets Baota (BT) Management Panel environments, overwriting NGINX configuration files with malicious directives.

4zdh.sh – Performs comprehensive enumeration of common NGINX configuration locations while implementing error-minimization techniques when creating new configurations.

zdh.sh – Takes a more surgical approach by focusing on Linux and containerized NGINX configurations, particularly targeting top-level domains like .in and .id.

ok.sh – Generates detailed reports documenting all active NGINX traffic hijacking rules, providing attackers with real-time visibility into their compromised infrastructure.

The Scale of the Threat

The timing of this discovery coincides with alarming statistics from GreyNoise, which reported that two specific IP addresses – 193.142.147[.]209 and 87.121.84[.]24 – account for 56% of all observed React2Shell exploitation attempts within just two months of the vulnerability’s public disclosure.

Between January 26 and February 2, 2026, a staggering 1,083 unique source IP addresses have been involved in React2Shell exploitation attempts, demonstrating the widespread nature of this threat landscape.

“The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, while the other opens reverse shells directly to the scanner IP,” GreyNoise noted. “This approach suggests interest in interactive access rather than automated resource extraction.”

Beyond NGINX: Coordinated Infrastructure Reconnaissance

The discovery of this NGINX hijacking campaign comes alongside revelations of another sophisticated operation targeting Citrix ADC Gateway and Netscaler Gateway infrastructure. This campaign utilized tens of thousands of residential proxies combined with a single Microsoft Azure IP address (52.139.3[.]76) to conduct massive login panel discovery operations.

“The campaign ran two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint,” researchers observed. “They had complementary objectives of both finding login panels, and enumerating versions, which suggests coordinated reconnaissance.”

Implications for Global Cybersecurity

This multi-faceted campaign represents a significant escalation in web infrastructure attacks, combining sophisticated technical capabilities with strategic targeting of specific geographic regions and infrastructure types. The use of legitimate management panels like Baota, combined with the exploitation of critical vulnerabilities like React2Shell, demonstrates attackers’ increasing sophistication and resourcefulness.

The campaign’s focus on government and educational TLDs (.edu, .gov) raises serious concerns about potential espionage activities and data exfiltration operations targeting sensitive institutional information.

Protection and Mitigation Strategies

Organizations running NGINX servers, particularly those using Baota management panels, are strongly advised to implement immediate security measures:

  1. Audit all NGINX configuration files for unauthorized modifications
  2. Implement strict access controls on configuration directories
  3. Monitor for unusual traffic patterns or unexpected proxy configurations
  4. Apply all relevant security patches, particularly for React2Shell vulnerabilities
  5. Deploy web application firewalls capable of detecting malicious proxy configurations

The Broader Context

This campaign emerges against a backdrop of increasingly sophisticated web infrastructure attacks, where threat actors are moving beyond traditional exploitation to compromise the very foundation of internet trust. By hijacking legitimate web traffic flows, attackers can conduct surveillance, data theft, or deliver malicious content while maintaining plausible deniability.

The technical sophistication demonstrated by these threat actors – including their ability to adapt to defensive measures, use legitimate infrastructure for malicious purposes, and coordinate complex multi-stage attacks – represents a concerning evolution in the cyber threat landscape.

As organizations worldwide grapple with these emerging threats, the importance of proactive security measures, continuous monitoring, and rapid incident response capabilities has never been more critical. The NGINX hijacking campaign serves as a stark reminder that in today’s threat environment, no infrastructure is immune from sophisticated attack campaigns.

Tags & Viral Elements

  • 🚨 Massive Web Traffic Hijacking Campaign
  • ⚡ NGINX Servers Under Attack
  • 🕵️‍♂️ Sophisticated Multi-Stage Toolkit
  • 🌏 Asia-Targeted Infrastructure Attacks
  • 🔥 React2Shell Vulnerability Exploitation
  • 🛡️ Critical Security Alert
  • 💻 Web Infrastructure Compromise
  • 🎯 Government and Educational Targets
  • 🔍 Residential Proxy Reconnaissance
  • 🔒 Urgent Security Update Needed
  • 📊 1,083 Attackers Active
  • 🎯 56% Traffic from 2 IPs
  • 🎯 Baota Management Panel Exploitation
  • 🎯 Government Infrastructure at Risk
  • 🎯 Educational Institutions Targeted
  • 🎯 Asian TLD Focus
  • 🎯 Critical Infrastructure Threat
  • 🎯 Web Traffic Redirection
  • 🎯 Proxy Pass Directive Abuse
  • 🎯 Multi-Stage Attack Toolkit
  • 🎯 Shell Script Orchestration
  • 🎯 Configuration File Injection
  • 🎯 Traffic Hijacking Campaign
  • 🎯 Datadog Security Labs Discovery
  • 🎯 GreyNoise Threat Intelligence
  • 🎯 Citrix Gateway Targeting
  • 🎯 Residential Proxy Networks
  • 🎯 AWS and Azure Infrastructure
  • 🎯 Interactive Access Focus
  • 🎯 Cryptomining Payload Delivery
  • 🎯 Reverse Shell Operations
  • 🎯 Coordinated Reconnaissance
  • 🎯 Web Trust Compromise
  • 🎯 Internet Infrastructure Attack
  • 🎯 Sophisticated Threat Actors
  • 🎯 Technical Evolution
  • 🎯 Security Landscape Shift
  • 🎯 Proactive Defense Needed
  • 🎯 Continuous Monitoring Critical
  • 🎯 Rapid Incident Response
  • 🎯 Infrastructure Immunity Myth
  • 🎯 Cyber Threat Evolution
  • 🎯 Web Infrastructure Security
  • 🎯 Trust Foundation Compromise
  • 🎯 Data Exfiltration Risk
  • 🎯 Espionage Activity Potential
  • 🎯 Sensitive Information Targeting
  • 🎯 Institutional Data Theft
  • 🎯 Malicious Content Delivery
  • 🎯 Plausible Deniability Operations
  • 🎯 Legitimate Infrastructure Abuse
  • 🎯 Defensive Measure Adaptation
  • 🎯 Complex Attack Coordination
  • 🎯 Resourceful Threat Actors
  • 🎯 Strategic Geographic Targeting
  • 🎯 Infrastructure Type Focus
  • 🎯 Security Patch Urgency
  • 🎯 Web Application Firewall
  • 🎯 Configuration Directory Controls
  • 🎯 Traffic Pattern Monitoring
  • 🎯 Unauthorized Modification Detection
  • 🎯 Management Panel Security
  • 🎯 Open Source Compromise
  • 🎯 Load Balancer Exploitation
  • 🎯 Reverse Proxy Abuse
  • 🎯 URL Path Interception
  • 🎯 Backend Server Redirection
  • 🎯 Attacker Infrastructure Routing
  • 🎯 Web Traffic Interception
  • 🎯 User Data Compromise
  • 🎯 Website Trust Violation
  • 🎯 Internet Security Crisis
  • 🎯 Global Cybersecurity Threat
  • 🎯 Infrastructure Attack Escalation
  • 🎯 Web Trust Erosion
  • 🎯 Digital Infrastructure Vulnerability
  • 🎯 Online Security Emergency
  • 🎯 Network Traffic Hijacking
  • 🎯 DNS Infrastructure Attack
  • 🎯 Web Server Compromise
  • 🎯 Internet Routing Attack
  • 🎯 Cybersecurity Emergency
  • 🎯 Digital Trust Crisis
  • 🎯 Infrastructure Security Failure
  • 🎯 Web Traffic Manipulation
  • 🎯 Online Infrastructure Attack
  • 🎯 Network Security Breach
  • 🎯 Web Security Emergency
  • 🚨 Critical Infrastructure Under Attack
  • 🚨 Web Traffic Hijacking Discovered
  • 🚨 NGINX Servers Compromised
  • 🚨 Sophisticated Cyber Attack
  • 🚨 Government Targets at Risk
  • 🚨 Educational Institutions Targeted
  • 🚨 Asian Infrastructure Under Threat
  • 🚨 Critical Security Vulnerability
  • 🚨 Multi-Stage Attack Campaign
  • 🚨 Shell Script Exploitation
  • 🚨 Configuration File Injection
  • 🚨 Proxy Pass Abuse
  • 🚨 Traffic Redirection Attack
  • 🚨 Web Infrastructure Compromise
  • 🚨 Internet Trust Violation
  • 🚨 Data Exfiltration Risk
  • 🚨 Espionage Operation Suspected
  • 🚨 Sensitive Information at Risk
  • 🚨 Malicious Content Delivery
  • 🚨 Plausible Deniability Attack
  • 🚨 Legitimate Infrastructure Abuse
  • 🚨 Defensive Measure Bypass
  • 🚨 Complex Attack Coordination
  • 🚨 Resourceful Threat Actors
  • 🚨 Strategic Targeting Operation
  • 🚨 Geographic Infrastructure Focus
  • 🚨 Security Patch Critical
  • 🚨 Web Application Firewall Needed
  • 🚨 Configuration Control Essential
  • 🚨 Traffic Monitoring Required
  • 🚨 Unauthorized Access Detection
  • 🚨 Management Panel Security
  • 🚨 Open Source Vulnerability
  • 🚨 Load Balancer Exploitation
  • 🚨 Reverse Proxy Compromise
  • 🚨 URL Path Interception
  • 🚨 Backend Server Redirection
  • 🚨 Attacker Infrastructure Routing
  • 🚨 Web Traffic Interception
  • 🚨 User Data Compromise
  • 🚨 Website Trust Violation
  • 🚨 Internet Security Crisis
  • 🚨 Global Cybersecurity Threat
  • 🚨 Infrastructure Attack Escalation
  • 🚨 Web Trust Erosion
  • 🚨 Digital Infrastructure Vulnerability
  • 🚨 Online Security Emergency
  • 🚨 Network Traffic Hijacking
  • 🚨 DNS Infrastructure Attack
  • 🚨 Web Server Compromise
  • 🚨 Internet Routing Attack
  • 🚨 Cybersecurity Emergency
  • 🚨 Digital Trust Crisis
  • 🚨 Infrastructure Security Failure
  • 🚨 Web Traffic Manipulation
  • 🚨 Online Infrastructure Attack
  • 🚨 Network Security Breach
  • 🚨 Web Security Emergency

,

/0 Comments/by
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *