Cybersecurity researchers at the security firm Datadog revealed last week an enormous web traffic hijacking campaign that has been taking advantage of misconfigurations in NGINX installations. The campaign primarily targets Asian top-level domains (TLDs) such as .in and .id, and specifically aims at educational and government domains, including .edu and .gov. The attackers deploy a multi-stage toolkit of malware-laden shell scripts. These scripts inject malicious configurations into an NGINX instance, potentially affecting millions of server deployments.
The campaign has so far used 1,083 unique source IP addresses, which abused the React2Shell vulnerability between 26 January and 2 February 2026.
Figure: Installer download
After initial access was gained through this exploitation, researchers reported moderate confidence in the ability to … The attackers manually created configuration files containing malicious code. These files hijack genuine web traffic and funnel it through the attackers' infrastructure.
Targeting NGINX Configurations
The campaign has made extensive use of shell scripts such as 4zdh.sh. This script enumerates the standard NGINX configuration locations and targets them directly, so that newly written configurations land in the right place. A second script, zdh.sh, is aimed at Linux and containerized NGINX installs and specifically at the setup for top-level domains.
These scripts have become an essential part of the attackers' toolkit for establishing persistence on infected machines. The toolkit also includes supplementary scripts built specifically for target discovery and for verifying that the malicious directives have actually been injected into the NGINX configs.
“The toolkit contains target discovery and several scripts designed for persistence and the creation of malicious configuration files containing directives intended to redirect web traffic,” – Datadog
Exploiting Hosting Infrastructure
The attackers take advantage of specific hosting environments, most notably the Baota (BT) Management Panel. A dedicated script, bt.sh, overwrites all existing NGINX configuration files on such hosts, giving the attackers even greater control over the flow of web traffic.
The campaign also reflects a deliberate overall approach. It explicitly employs maneuvers such as forcing raw TCP connections to bypass any filters that might be applied to the scripts, which increases the chances of successfully intercepting web traffic.
“The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers,” – Ryan Simon
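Because the hijack lives in ordinary NGINX configuration files, a defender's first check is to look at what those files actually redirect or proxy to. The following is an added example written for this article, not code from Datadog or from the campaign's toolkit: it scans NGINX configuration text for `proxy_pass`, `return` and `rewrite` directives and flags any target host that is a raw IP address or is not on an operator-supplied allowlist. The two sample configurations, the allowlist entry `example.edu`, and the hosts `203.0.113.45` and `traffic-hub.invalid` are constructed placeholders, not indicators from the campaign.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample configs (not real campaign artifacts): a benign site
# and the same site with an injected backend and an injected redirect.
BENIGN_CONF = """
server {
    listen 80;
    server_name example.edu;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /old {
        return 301 https://example.edu/new;
    }
}
"""

INJECTED_CONF = """
server {
    listen 80;
    server_name example.edu;
    location / {
        proxy_pass http://203.0.113.45:8080;   # placeholder external backend
    }
    location ~* \\.(php|html)$ {
        return 302 http://traffic-hub.invalid/$request_uri;
    }
}
"""

# Directives that can send a request somewhere else. The regex is a
# heuristic line-based parse, not a full NGINX grammar.
DIRECTIVE_RE = re.compile(r'^\s*(proxy_pass|return|rewrite)\s+(.*?);', re.M)
URL_RE = re.compile(r'https?://[^\s;"\']+')


def _host_of(url):
    """Hostname part of a URL, lower-cased; empty string if unparsable."""
    return (urlparse(url).hostname or "").lower()


def _is_ipv4(host):
    return re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', host) is not None


def find_suspicious_directives(config_text, allowed_hosts):
    """Return (directive, host, reason) tuples for targets outside the allowlist.

    Loopback targets are always accepted; named upstreams (e.g. `backend`)
    must be added to allowed_hosts by the operator or they will be flagged.
    """
    allowed = {h.lower() for h in allowed_hosts} | {"127.0.0.1", "localhost"}
    findings = []
    for match in DIRECTIVE_RE.finditer(config_text):
        directive, args = match.group(1), match.group(2)
        for url in URL_RE.findall(args):
            host = _host_of(url)
            if host in allowed:
                continue
            reason = "raw IP backend" if _is_ipv4(host) else "host outside allowlist"
            findings.append((directive, host, reason))
    return findings


def scan_directory(root, allowed_hosts):
    """Scan every *.conf under root; returns {path: findings} for files with hits."""
    root = Path(root)
    if not root.is_dir():
        return {}
    report = {}
    for conf in root.rglob("*.conf"):
        hits = find_suspicious_directives(conf.read_text(errors="replace"), allowed_hosts)
        if hits:
            report[str(conf)] = hits
    return report


if __name__ == "__main__":
    # Demonstrate on the embedded samples, then on the live config tree if present.
    print("benign:", find_suspicious_directives(BENIGN_CONF, ["example.edu"]))
    print("injected:", find_suspicious_directives(INJECTED_CONF, ["example.edu"]))
    for path, hits in scan_directory("/etc/nginx", ["example.edu"]).items():
        print(path, hits)
```

Run it against the real configuration tree (`/etc/nginx` is assumed here; Baota panels and containers keep their configs elsewhere) with an allowlist of every hostname and upstream name the site is expected to talk to. Anything flagged as a raw IP backend or an unknown external host on a `return`/`rewrite` is worth comparing against the file's modification time and the configuration backups, since that is exactly the kind of injected directive the article describes.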
Coordinated Efforts and Observations
Researchers have noted that the campaign operates in two primary modes: a wide-scale discovery operation that hunts for login panels using residential proxy rotation, and a focused effort to enumerate versions hosted on AWS. This pattern underscores a disturbing level of coordination between the threat actors.
“They had complementary objectives of both finding login panels, and enumerating versions, which suggests coordinated reconnaissance,” – GreyNoise