Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign

The Hacker News by The Hacker News
February 5, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananFeb 05, 2026Web Security / Vulnerability

Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route it through the attacker’s infrastructure.

Datadog Security Labs said it observed threat actors associated with the recent React2Shell (CVE-2025-55182, CVSS score: 10.0) exploitation using malicious NGINX configurations to pull off the attack.

“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers,” security researcher Ryan Simon said. “The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov).”

The activity involves the use of shell scripts to inject malicious configurations into NGINX, an open-source reverse proxy and load balancer for web traffic management. These “location” configurations are designed to capture incoming requests on certain predefined URL paths and redirect them to domains under the attackers’ control via the “proxy_pass” directive.

The scripts are part of a multi-stage toolkit that facilitates persistence and the creation of malicious configuration files incorporating the malicious directives to redirect web traffic. The components of the toolkit are listed below –

  • zx.sh, which acts as the orchestrator to execute subsequent stages through legitimate utilities like curl or wget. In the event that the two programs are blocked, it creates a raw TCP connection to send an HTTP request
  • bt.sh, which targets the Baota (BT) Management Panel environment to overwrite NGINX configuration files
  • 4zdh.sh, which enumerates common Nginx configuration locations and takes steps to minimize errors when creating the new configuration
  • zdh.sh, which adopts a narrower targeting approach by focusing mainly on Linux or containerized NGINX configurations and targeting top-level domains (TLDs) such as .in and .id
  • ok.sh, which is responsible for generating a report detailing all active NGINX traffic hijacking rules

“The toolkit contains target discovery and several scripts designed for persistence and the creation of malicious configuration files containing directives intended to redirect web traffic.

The disclosure comes as GreyNoise said two IP addresses – 193.142.147[.]209 and 87.121.84[.]24 – account for 56% of all observed exploitation attempts two months after React2Shell was publicly disclosed. A total of 1,083 unique source IP addresses have been involved in React2Shell exploitation between January 26 and February 2, 2026.

“The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, while the other opens reverse shells directly to the scanner IP,” the threat intelligence firm said. “This approach suggests interest in interactive access rather than automated resource extraction.”

It also follows the discovery of a coordinated reconnaissance campaign targeting Citrix ADC Gateway and Netscaler Gateway infrastructure using tens of thousands of residential proxies and a single Microsoft Azure IP address (“52.139.3[.]76”) to discover login panels.

“The campaign ran two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint,” GreyNoise noted. “They had complementary objectives of both finding login panels, and enumerating versions, which suggests coordinated reconnaissance.”



Source link

The Hacker News

The Hacker News

Next Post
Post Office offered bailout to cover £104.4m IR35 tax bill linked to Horizon IT scandal | Computer Weekly

Post Office offered bailout to cover £104.4m IR35 tax bill linked to Horizon IT scandal | Computer Weekly

Recommended.

Mark Zuckerberg Details Meta’s Plan for Self-Improving, Superintelligent AI

Mark Zuckerberg Details Meta’s Plan for Self-Improving, Superintelligent AI

July 31, 2025
Tech can’t wait for regulation to protect children online | Computer Weekly

Tech can’t wait for regulation to protect children online | Computer Weekly

April 7, 2026

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio