Threat Actors Exploiting NGINX Servers to Redirect Web Traffic to Malicious Sites


A new cyber campaign has been identified in which attackers hijack web servers to redirect visitors to malicious websites.

The campaign targets NGINX, a popular web server software, and specifically focuses on servers using the Baota (BT) management panel.

The attackers, linked to previous “React2Shell” activity, modify the server’s configuration files to secretly intercept traffic.

How the Attack Works

The core of this attack involves altering NGINX configuration files. NGINX uses these files to decide how to handle web requests.

Figure: Exploiting NGINX servers attack flow

Attackers inject malicious rules into the location blocks of these files.

When a user visits a compromised site, the malicious configuration uses the proxy_pass directive to send the user’s request to a server controlled by the hackers, rather than the legitimate website.

This allows the attackers to serve fake content, such as gambling or scam pages, without the site owner immediately noticing.

The Attack Toolkit: Step-by-Step

Datadog Security Labs researchers analysed the specific scripts used in this campaign, revealing a five-stage process:

  1. Stage 1: The Orchestrator (zx.sh)
    This script is the entry point. Once attackers breach a server, they run zx.sh. It acts as a manager, downloading and running the other necessary scripts. It can even create raw network connections if standard tools like curl are blocked.
  2. Stage 2: Baota Panel Injection (bt.sh)
    This script specifically targets the Baota management panel. It scans for configuration files and injects malicious code based on the website’s top-level domain (TLD). It is designed to be stealthy, checking for previous infections before overwriting files and reloading the server.
  3. Stage 3: Advanced Injection (4zdh.sh)
    This is a more complex version of the previous script. It targets standard Linux NGINX folders (like /etc/nginx/sites-enabled) and includes error checking. It verifies that the configuration is valid before restarting the service, to avoid crashing the website and alerting the owner.
  4. Stage 4: Linux Targeted Injection (zdh.sh)
    This script focuses on containerized environments and specific domains, such as .in (India) and .id (Indonesia). It uses aggressive methods to restart the server if a standard reload fails.
  5. Stage 5: Reporting (ok.sh)
    Finally, this script scans the infected server to see which domains have been successfully hijacked. It creates a report and sends it back to the attacker’s Command and Control (C2) server, allowing them to track their new victims.

This campaign highlights the importance of securing server configurations. Administrators should regularly check their NGINX location blocks for unexpected proxy_pass directives pointing to unknown domains.
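The check recommended above, and the proxy_pass injection described under "How the Attack Works", can be automated. The following auditor is an added example, not code from the article or from Datadog Security Labs: it walks every location block in an NGINX configuration, extracts the proxy_pass target, and flags any whose host is not on an allowlist of expected upstreams (or whose host is an NGINX variable, which hides the real destination). The embedded configuration is constructed, the hostnames in it are placeholders, and the Baota vhost directory used in the stand-alone runner is an assumed path; /etc/nginx/sites-enabled is the one the article names.

```python
"""Audit NGINX configuration for location blocks whose proxy_pass points
outside an allowlist of expected upstream hosts.

Added example, not from the article or Datadog's report. SAMPLE_CONFIG
is constructed; its hostnames are placeholders, not real infrastructure.
"""
import glob
import re
import sys
from urllib.parse import urlsplit

# "location <optional modifier> <path> {" - modifiers are =, ~, ~*, ^~
LOCATION_RE = re.compile(r"\blocation\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")

# Constructed sample: one legitimate backend plus one injected block of the
# kind the article describes (regex location forwarding to an outside host).
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name example.in;   # constructed sample, not a real victim
    root /www/wwwroot/example.in;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
    }

    location ~* ^/(index|home) {
        proxy_pass http://redirect.attacker-placeholder.invalid;
        proxy_set_header Host $host;
    }
}
"""


def strip_comments(text):
    """Drop '#' comments so a commented-out proxy_pass is not reported."""
    return re.sub(r"#[^\n]*", "", text)


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced config: take the rest


def find_proxy_targets(config_text):
    """Return (location_path, proxy_pass_target) pairs in file order."""
    text = strip_comments(config_text)
    pairs = []
    for m in LOCATION_RE.finditer(text):
        body = _block_body(text, m.end() - 1)
        for p in PROXY_PASS_RE.finditer(body):
            pairs.append((m.group(1), p.group(1)))
    return pairs


def target_host(target):
    """Host of a proxy_pass target; bare upstream names and $variables are
    returned unchanged so the caller can decide how to treat them."""
    if "://" not in target:
        return target
    return urlsplit(target).hostname or target


def suspicious_proxy_passes(config_text, allowed_hosts):
    """Return (location, target, reason) for every proxy_pass not allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for loc, target in find_proxy_targets(config_text):
        host = target_host(target).lower()
        if host.startswith("$"):
            flagged.append((loc, target, "destination is a variable"))
        elif host not in allowed:
            flagged.append((loc, target, "host not in allowlist"))
    return flagged


def audit_files(paths, allowed_hosts):
    """Scan config files on disk; returns {path: flagged entries}."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            flagged = suspicious_proxy_passes(fh.read(), allowed_hosts)
        if flagged:
            report[path] = flagged
    return report


if __name__ == "__main__":
    # Usage: python nginx_proxy_audit.py [allowed-host ...]
    allowed = set(sys.argv[1:]) or {"127.0.0.1", "localhost"}
    # /www/server/panel/vhost/nginx is an assumed Baota vhost directory;
    # /etc/nginx/sites-enabled is the standard path the article mentions.
    targets = (glob.glob("/www/server/panel/vhost/nginx/*.conf")
               + glob.glob("/etc/nginx/sites-enabled/*"))
    report = audit_files(targets, allowed) if targets else {
        "<sample>": suspicious_proxy_passes(SAMPLE_CONFIG, allowed)}
    for path, entries in report.items():
        for loc, target, reason in entries:
            print(f"{path}: location {loc} -> {target} ({reason})")
```

Run it with the hosts your sites legitimately proxy to as arguments; anything it prints deserves a look, and a regex location (such as the `~* ^/(index|home)` block in the sample) forwarding to a host you do not recognise is exactly the pattern the article describes. The parser is deliberately simple and reads only the files it is given, so configs pulled in through `include` must be passed explicitly.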
