Analysis: Dangerous web traffic hijacking campaign


Datadog Security Research has uncovered an active web traffic hijacking campaign that abuses malicious NGINX configurations to intercept and reroute legitimate user traffic through attacker-controlled infrastructure.

According to Datadog, the campaign is linked to threat actors previously associated with the React2Shell exploitation and is actively targeting NGINX installations across Asia, with a particular focus on systems using the Baota (BT) management panel and Chinese-hosted infrastructure. Affected domains span multiple Asian top-level domains, including .in, .id, .bd, .th, as well as government and education-related domains.

Rather than exploiting application-layer vulnerabilities, the attackers manipulate NGINX configuration files themselves, effectively turning a core component of web infrastructure into a covert traffic redirection mechanism. Once in place, the malicious configuration intercepts inbound requests and proxies them to backend servers controlled by the attackers, allowing traffic to be monitored or modified without obvious disruption to service.

Datadog researchers said the campaign relies on a multi-stage, automated toolkit designed to persist within compromised environments while minimising the risk of detection or downtime.

At the centre of the attack is a set of scripts that systematically enumerate NGINX configuration locations and inject malicious directives. These configurations abuse standard NGINX features such as proxy_pass, rewrite, proxy_set_header and location blocks to quietly redirect traffic while preserving expected request headers and session context.

The initial stage of the attack uses an orchestration script to deploy additional tooling once access is gained. Subsequent stages specifically target Baota-managed environments, dynamically modifying configuration files under the /www/server/panel/vhost/nginx directory. The scripts analyse existing server_name directives, select malicious templates based on the target’s top-level domain and insert traffic redirection rules while backing up original configuration lines to temporary files.

More advanced variants broaden their reach by scanning common NGINX directories such as /etc/nginx/sites-enabled, /etc/nginx/conf.d and /etc/nginx/sites-available. These scripts include additional safeguards to avoid corrupting configuration files, using tools such as awk and csplit, validating changes with nginx -t, and reloading services rather than restarting them where possible.

In Linux and container-focused environments, a streamlined variant narrows its targeting to specific directories and regional domains, but still applies configuration testing and controlled reloads to maintain availability. Where these measures fail, the attackers fall back to forcibly restarting NGINX processes.

The final stage of the toolkit focuses on reconnaissance and reporting. A dedicated script scans compromised systems to map all active traffic hijacking rules, recording which domains are being intercepted and where traffic is redirected. This data is written to temporary files and exfiltrated to an attacker-controlled command-and-control server, allowing operators to track and manage compromised assets at scale.

Datadog said the campaign highlights how misconfigurations or credential compromise in infrastructure software can have far-reaching consequences, particularly in environments where configuration changes are not closely monitored.

The company has published indicators of compromise and recommends that organisations running NGINX review configuration files for unauthorised proxying rules, unexpected rewrite logic and suspicious backend destinations, particularly in regions where management panels such as Baota are widely deployed.
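As an added example, not Datadog's tooling or code from the page, the review recommended above can be scripted: the Python checker below parses NGINX configuration text and flags `proxy_pass` and absolute-URL `rewrite` targets that point off-host, reporting the enclosing `location` block. It assumes legitimate backends are `localhost`, loopback/RFC 1918 addresses or `upstream` blocks defined in the same file; the sample configuration is constructed, with documentation IP addresses standing in for attacker infrastructure.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit
# Assumption: legitimate backends are "localhost", loopback/RFC 1918 addresses or
# upstream blocks defined in the same config; every other destination is reported.
INTERNAL_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
UPSTREAM_RE = re.compile(r"^\s*upstream\s+(\S+)\s*\{", re.M)
LOCATION_RE = re.compile(r"^\s*location\s+([^{]+?)\s*\{")
PROXY_RE = re.compile(r"\bproxy_pass\s+(\S+?)\s*;")
REWRITE_RE = re.compile(r"\brewrite\s+(\S+)\s+(https?://\S+)")  # only absolute-URL rewrites

def backend_is_expected(target, upstreams):
    host = urlsplit(target).hostname or target  # "http://10.0.0.5:8080/x" -> "10.0.0.5"
    if host == "localhost" or host in upstreams:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # unknown hostname: treat as an off-host destination
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_directives(config_text):
    """Return (line, enclosing location, directive, target) for rules sending traffic off-host."""
    upstreams = set(UPSTREAM_RE.findall(config_text))
    findings, context, loc_depth, depth = [], "server/http", None, 0
    # Comments are stripped before matching so commented-out directives are ignored.
    for lineno, line in enumerate((l.split("#", 1)[0] for l in config_text.splitlines()), 1):
        if m := LOCATION_RE.match(line):
            context, loc_depth = f"location {m.group(1)}", depth
        if m := PROXY_RE.search(line):
            if not backend_is_expected(m.group(1), upstreams):
                findings.append((lineno, context, "proxy_pass", m.group(1)))
        elif m := REWRITE_RE.search(line):
            if not backend_is_expected(m.group(2), upstreams):
                findings.append((lineno, context, "rewrite", m.group(2)))
        depth += line.count("{") - line.count("}")
        if loc_depth is not None and depth <= loc_depth:
            context, loc_depth = "server/http", None  # left the location block
    return findings

# Constructed sample: one legitimate upstream next to an injected hijack rule (documentation IPs).
SAMPLE_CONFIG = """\
upstream app_pool { server 10.0.0.5:8080; }
server {
    server_name example.in;
    location /api/ { proxy_pass http://app_pool; }
    location / {
        proxy_set_header Host $host;
        proxy_pass http://198.51.100.23:8080;
        rewrite ^/promo$ https://203.0.113.9/landing permanent;
    }
}
"""
```

Run `suspicious_directives` over the files under the directories the report names (/etc/nginx/conf.d, /etc/nginx/sites-enabled, /etc/nginx/sites-available, /www/server/panel/vhost/nginx) and compare hits against a known-good backend inventory. A legitimate proxy to an external CDN or API is reported too, so treat the output as review input rather than a verdict.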
