A threat actor is compromising NGINX servers to hijack user traffic and reroute it through attacker-controlled infrastructure. The activity, uncovered by Datadog Security Labs, targets NGINX installations and Chinese Baota hosting management panels, with a focus on websites using Asian country-code top-level domains such as .in, .id, .pe, .bd, and .th, as well as government and educational domains ending in .gov and .edu.
Rather than exploiting a software vulnerability, the attackers modify legitimate NGINX configuration files by injecting malicious “location” blocks. The blocks capture requests for specific URL paths and forward them via the standard proxy_pass directive to backend servers controlled by the attackers.
Because proxy_pass is commonly used for load balancing and traffic management, the abuse blends in with normal operations and does not trigger security alerts. Key request headers, including Host, User-Agent, and X-Real-IP, are preserved to make the redirected traffic appear authentic.
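Because the injected blocks use the same proxy_pass and proxy_set_header directives as legitimate reverse proxying, the practical way to spot them is to inventory every location block that proxies to a host outside the deployment and to note whether it forwards the Host, User-Agent and X-Real-IP headers described above. The scanner below is an added example written for this article, not Datadog's tooling or anything from the campaign; it uses a minimal brace-aware parser of nginx syntax, treats loopback, private and link-local addresses, bare upstream names and localhost as internal, and flags everything else unless it is on an operator-supplied allowlist. The embedded configuration, the directory list and the host proxy.cdn-example.invalid are constructed for the demonstration.

```python
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Constructed sample config: one legitimate local reverse proxy and one block in the
# style described in the article, forwarding a path to an external host (.invalid TLD).
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name example.in;

    location / {
        proxy_pass http://127.0.0.1:8080;   # benign: local application server
        proxy_set_header Host $host;
    }

    location /promo/ {
        proxy_pass http://proxy.cdn-example.invalid/;   # constructed external target
        proxy_set_header Host $host;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
"""

# Standard Debian/Ubuntu-style include directories; adjust for your distribution.
DEFAULT_DIRS = ["/etc/nginx/sites-enabled", "/etc/nginx/conf.d", "/etc/nginx/sites-available"]
WATCHED_HEADERS = {"host", "user-agent", "x-real-ip"}


def parse_location_blocks(text):
    """Return [(location header, [directives])] for every location block, nested or not."""
    text = re.sub(r"#[^\n]*", "", text)      # drop comments before tokenising
    blocks, stack, buf = [], [], []          # stack holds (header, directives) of open blocks
    for ch in text:
        if ch == "{":
            stack.append(("".join(buf).strip(), []))
            buf = []
        elif ch == "}":
            if stack:
                header, directives = stack.pop()
                if header.startswith("location"):
                    blocks.append((header, directives))
            buf = []
        elif ch == ";":
            stmt = " ".join("".join(buf).split())   # normalise whitespace
            buf = []
            if stmt and stack:
                stack[-1][1].append(stmt)
        else:
            buf.append(ch)
    return blocks


def is_external(host):
    """True when a proxy_pass host is neither a local/private address nor a bare upstream name."""
    if host in ("", "localhost") or ("." not in host and ":" not in host):
        return False                         # named upstream {} group, variable, or unix: socket
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
        return not (ip.is_loopback or ip.is_private or ip.is_link_local)
    except ValueError:
        return True                          # a dotted DNS name: external unless allowlisted


def scan_config_text(text, source="<inline>", allowlist=frozenset()):
    """Report location blocks that proxy to external hosts and which watched headers they keep."""
    findings = []
    for header, directives in parse_location_blocks(text):
        target, forwarded = None, set()
        for d in directives:
            parts = d.split()
            if parts[0] == "proxy_pass" and len(parts) >= 2:
                target = parts[1]
            elif parts[0] == "proxy_set_header" and len(parts) >= 2:
                forwarded.add(parts[1].lower())
        if target is None:
            continue
        host = urlsplit(target).hostname or ""
        if host not in allowlist and is_external(host):
            findings.append({"source": source, "location": header, "proxy_pass": target,
                             "host": host,
                             "preserved_headers": sorted(forwarded & WATCHED_HEADERS)})
    return findings


def scan_directories(dirs=DEFAULT_DIRS, allowlist=frozenset()):
    """Walk the configured include directories and scan every readable file."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_config_text(fh.read(), path, allowlist))
                except OSError:
                    continue
    return findings


if __name__ == "__main__":
    for f in scan_config_text(SAMPLE_CONFIG, "sample"):
        print(f"{f['source']}: {f['location']} -> {f['host']} keeps {f['preserved_headers']}")
    for f in scan_directories():
        print(f"{f['source']}: {f['location']} -> {f['host']} keeps {f['preserved_headers']}")
```

Run it on the sample to see the /promo/ block flagged while the loopback proxy is ignored, then on a real host with the genuine upstreams passed in `allowlist`; a block with an external target that also forwards all three watched headers is worth comparing against the file's last known-good copy or package checksum, since the article notes the attackers also reload nginx after injecting, so a `nginx -s reload` in the logs with no corresponding change ticket is a second signal.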
The campaign relies on a multi-stage scripted toolkit that systematically locates NGINX configurations, injects malicious rules, validates changes, and reloads the service to avoid downtime.
zx.sh serves as the initial entry point and is executed once an attacker gains access. It acts as an orchestrator, triggering subsequent stages using standard utilities such as curl or wget.
bt.sh targets environments running the Baota (BT) Management Panel by enumerating a specific configuration file path. After confirming the target, the script checks the configuration file for any previously injected malicious proxy domains before proceeding with a new injection.
The 4zdh.sh script incorporates more advanced enumeration and error-handling mechanisms compared to bt.sh. It searches common NGINX configuration directories, including /etc/nginx/sites-enabled, /etc/nginx/conf.d, and /etc/nginx/sites-available, while also checking for the presence of the Baota Management Panel.
The fourth stage, zdh.sh, focuses on Linux or containerized NGINX deployments. It relies on path enumeration restricted to the /etc/nginx/sites-enabled directory and selectively targets top-level domains (TLDs) such as .in and .id.
Finally, ok.sh is responsible for generating a report of all active NGINX traffic-hijacking rules. The information is then exfiltrated to the attacker’s command-and-control (C&C) server.