Tech News
← Back to articles

Hackers compromise NGINX servers to redirect user traffic

2026-02-04 | original
read original related products more articles

A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure.

NGINX is open-source software for web traffic management. It intermediates connections between users and servers and is employed for web serving, load balancing, caching, and reverse proxying.

The malicious campaign, discovered by researchers at DataDog Security Labs, targets NGINX installations and Baota hosting management panels used by sites with Asian top-level domains (.in, .id, .pe, .bd, and .th) and government and educational sites (.edu and .gov).

Attackers modify existing NGINX configuration files by injecting malicious ‘location’ blocks that capture incoming requests on attacker-selected URL paths.

They then rewrite them to include the full original URL, and forward traffic via the ‘proxy_pass’ directive to attacker-controlled domains.

The abused directive is normally used for load balancing, allowing NGINX to reroute requests through alternative backend server groups to improve performance or reliability; hence, its abuse does not trigger any security alerts.

Request headers such as ‘Host,’ ‘X-Real-IP,’ ‘User-Agent,’ and ‘Referer’ are preserved to make the traffic appear legitimate.

The attack uses a scripted multi-stage toolkit to perform the NGINX configuration injections. The toolkit operates in five stages:

Stage 1 – zx.sh: Acts as the initial controller script, responsible for downloading and executing the remaining stages. It includes a fallback mechanism that sends raw HTTP requests over TCP if curl or wget are unavailable.

Acts as the initial controller script, responsible for downloading and executing the remaining stages. It includes a fallback mechanism that sends raw HTTP requests over TCP if curl or wget are unavailable. Stage 2 – bt.sh: Targets NGINX configuration files managed by the Baota panel. It dynamically selects injection templates based on the server_name value, safely overwrites the configuration, and reloads NGINX to avoid service downtime.

... continue reading

Related:
Exploiting signed bootloaders to circumvent UEFI Secure Boot
Exploiting signed bootloaders to circumvent UEFI Secure Boot (2019)
AI Bots Are Now a Signifigant Source of Web Traffic
AI Bots Are Now a Significant Source of Web Traffic
VMware Workstation Pro 25H2 expands hardware and OS support

© 2026 GoKawiil