Active Web Traffic Hijacking Campaign Targets NGINX Installations

Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route traffic through the attacker's infrastructure.

Campaign Overview

Datadog Security Labs observed threat actors linked to exploitation of React2Shell (CVE-2025-55182, CVSS 10.0) using malicious NGINX configurations to carry out the hijacking.

Attack Characteristics:
- Intercepts legitimate web traffic between users and websites
- Routes traffic through attacker-controlled backend servers
- Targets Asian TLDs (.in, .id, .pe, .bd, .th)
- Focuses on Chinese hosting infrastructure (Baota Panel)
- Exploits government and educational domains (.edu, .gov)

Attack Mechanism

The campaign uses shell scripts to inject malicious configurations into NGINX, an open-source web server, reverse proxy and load balancer. The injected "location" blocks match incoming requests on predefined URL paths and forward them to attacker-controlled domains via the "proxy_pass" directive, so the attacker's backend sits between the user and the legitimate site.

Multi-Stage Toolkit Components

The attack toolkit includes multiple specialized scripts:

- zx.sh: Orchestrator executing subsequent stages via curl, wget, or raw TCP connections
- bt.sh: Targets Baota Management Panel to overwrite NGINX configuration files
- 4zdh.sh: Enumerates common NGINX configuration locations, minimizes errors during new configuration creation
- zdh.sh: Adopts narrower targeting for Linux/containerized NGINX, focuses on TLDs like .in and .id
- ok.sh: Generates reports detailing all active NGINX traffic hijacking rules

Initial Access Vector

Researchers assessed with "moderate confidence" that threat actors obtained initial access following the exploitation of React2Shell vulnerabilities.

Broader Threat Context

GreyNoise reported that two IP addresses account for 56% of all observed React2Shell exploitation attempts two months after public disclosure:
- 193.142.147[.]209
- 87.121.84[.]24

A total of 1,083 unique source IP addresses have been involved in React2Shell exploitation between January 26 and February 2, 2026.

Post-Exploitation Objectives:
- One attacker group deploys cryptomining binaries
- Another group opens reverse shells for interactive access
- Suggests preference for direct infrastructure control over automated resource extraction

Related Reconnaissance Campaigns

The disclosure follows discovery of coordinated reconnaissance targeting Citrix ADC Gateway and Netscaler Gateway infrastructure using:
- Tens of thousands of residential proxies
- Single Microsoft Azure IP address (52.139.3[.]76)
- Massive distributed login panel discovery operations
- Concentrated version enumeration campaigns

TL;DR

- Active NGINX traffic hijacking campaign exploits React2Shell vulnerability for initial access
- Malicious shell scripts inject proxy_pass directives to route legitimate traffic through attacker infrastructure
- Targets Asian TLDs, Chinese hosting providers, and .edu/.gov domains across Asia
- 56% of React2Shell exploitation comes from just 2 IPs; suggests coordinated, well-resourced threat actors

Source: The Hacker News