NGINX attack flow diagram showing how user requests are intercepted and routed through attacker-controlled servers | Image: Datadog Security Research
A new campaign is targeting the backbone of the web, compromising NGINX servers to silently redirect user traffic. Datadog Security Research has uncovered an active operation that targets NGINX installations and management panels like Baota (BT), injecting malicious configurations that hijack legitimate requests and route them to attacker-controlled servers.
The campaign, linked to actors previously associated with the React2Shell exploitation, focuses heavily on Asian top-level domains (TLDs) such as .in, .id, and .th, as well as educational and government sectors.
Unlike attacks that deface websites or encrypt data, this campaign is designed to be invisible. The attackers use a suite of automated scripts to inject specific directives into the NGINX configuration files.
“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers,” the report explains.
By manipulating the proxy_pass and location directives, the attackers create a “shadow” routing system. When a user visits a specific path on a compromised site (often one built around gambling terms such as “pgslot” or “live”), the server silently proxies the request to a malicious domain.
The Datadog analysis breaks down the attack into a multi-stage process, orchestrated by a series of sophisticated shell scripts:
- Stage 1 (zx.sh): The entry point. This script acts as an orchestrator, downloading subsequent payloads. If standard tools like curl are blocked, it uses a clever fallback: “a Bash function capable of creating a raw TCP connection to send an HTTP request”.
- Stage 2 (bt.sh): Specifically targets the Baota (BT) management panel. It enumerates configuration paths and injects the redirect logic. To avoid detection, it “attempts an Nginx service reload command to instruct the loading of the malicious configuration, which maintains all existing connections”.
- Stage 3 (4zdh.sh): A more advanced injection tool. It validates the configuration using nginx -t before applying it, ensuring the server doesn’t crash and alert the admin. It even generates MD5 hashes to track which domains have already been infected.
- Stage 5 (ok.sh): The reporter. This script maps out the successful infections and exfiltrates the data to the attacker’s command and control (C2) server at 158.94.210[.]227.
The campaign’s targeting logic is precise. It uses dynamic templates based on the victim’s TLD. For example, .edu and .gov domains are specifically targeted with gambling-related keywords, likely to exploit their high SEO reputation for black-hat marketing.
“In this scenario, the path variable and proxy_pass directive within the malicious configuration are dynamically determined and substituted based on the specific domain name,” the report notes.
This incident highlights the critical importance of monitoring server configurations rather than waiting for an outage: because the scripts validate the injected file with nginx -t and apply it with a reload instead of a restart, the site keeps serving and existing connections survive, so nothing visibly breaks. For NGINX administrators, the presence of unexpected location blocks, or proxy_pass directives pointing to domains outside the known upstream inventory, is a clear indicator of compromise; reviewing every included configuration file (including management-panel vhost directories) and auditing unexplained reload events are the practical checks.
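The check described above, written out as an added example (this is not Datadog's tooling and not the campaign's scripts): a small Python scanner that extracts every location block from an NGINX configuration, resolves the host in each proxy_pass, and flags blocks whose upstream is outside an allowlist or whose path carries one of the keywords the report names. The sample configuration, the trusted-host set, the domain bad.example.invalid and the Baota vhost directory mentioned in the comments are all assumptions made for the example.

```python
"""Scan NGINX configuration text for location blocks that proxy to untrusted
upstreams. Added example; not Datadog's code and not the attackers' scripts."""
import re
from pathlib import Path

# Constructed sample: a normal site plus one injected location block of the
# kind the article describes. bad.example.invalid is a hypothetical domain.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.ac.th;
    root /var/www/html;

    location / {
        try_files $uri $uri/ =404;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    # injected block (constructed for illustration)
    location /pgslot {
        proxy_pass http://bad.example.invalid;
        proxy_set_header Host $host;
    }
}
"""

# Assumption: legitimate proxy_pass targets on this host are local backends
# only. Replace with the site's real upstream inventory before use.
TRUSTED_UPSTREAM_HOSTS = {"127.0.0.1", "::1", "localhost", "unix:"}

# Path keywords named in the article; a weak, secondary signal only.
CAMPAIGN_PATH_KEYWORDS = ("pgslot", "live")

LOCATION_RE = re.compile(r"\blocation\s+(?:[=~*^]+\s+)?(?P<path>[^\s{]+)\s*\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;]+);")


def location_blocks(conf):
    """Yield (path, body) for each location block, matching nested braces."""
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group("path"), conf[m.end():i - 1]


def upstream_host(target):
    """Host part of a proxy_pass target with scheme, port and URI stripped.
    Unix-socket targets collapse to 'unix:'; a variable is returned as-is
    because it cannot be resolved statically."""
    t = re.sub(r"^https?://", "", target.strip())
    if t.startswith("unix:") or t.startswith("$"):
        return "unix:" if t.startswith("unix:") else t
    if t.startswith("["):  # bracketed IPv6 literal such as [::1]:9000
        return t[1:t.index("]")]
    return re.split(r"[/:]", t, maxsplit=1)[0]


def find_suspicious(conf, trusted=TRUSTED_UPSTREAM_HOSTS,
                    keywords=CAMPAIGN_PATH_KEYWORDS):
    """Return findings for location blocks whose proxy_pass host is outside
    the trusted set or whose path matches a campaign keyword."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments so they cannot match
    findings = []
    for path, body in location_blocks(conf):
        for target in PROXY_PASS_RE.findall(body):
            host = upstream_host(target)
            reasons = []
            if host not in trusted:
                reasons.append(f"proxy_pass to untrusted host {host}")
            hits = [k for k in keywords if k in path.lower()]
            if hits:
                reasons.append("path matches campaign keyword(s): " + ", ".join(hits))
            if reasons:
                findings.append({"path": path, "target": target.strip(),
                                 "host": host, "reasons": reasons})
    return findings


def scan_files(paths):
    """Scan each config file; returns {path: findings}. Typical roots are
    /etc/nginx/ and, on Baota hosts, /www/server/panel/vhost/nginx/ (assumed)."""
    return {str(p): find_suspicious(Path(p).read_text(errors="replace"))
            for p in paths}


if __name__ == "__main__":
    import sys
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 \
        else {"<sample>": find_suspicious(SAMPLE_CONF)}
    for name, hits in results.items():
        for f in hits:
            print(f"{name}: location {f['path']} -> {f['target']}: "
                  + "; ".join(f["reasons"]))
```

Run it with no arguments to scan the embedded sample, or pass every *.conf under the nginx root (including any panel-managed vhost directory) to scan a real host. The untrusted-upstream check is the one to rely on; the keyword list is there only to prioritise findings, since a path such as /live can be legitimate and the campaign's templates vary by TLD.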