Cybersecurity researchers have disclosed particulars of an energetic net site visitors hijacking marketing campaign that has focused NGINX installations and administration panels like Baota (BT) in an try to route it via the attacker’s infrastructure.
Datadog Safety Labs stated it noticed menace actors related to the current React2Shell (CVE-2025-55182, CVSS rating: 10.0) exploitation utilizing malicious NGINX configurations to tug off the assault.
“The malicious configuration intercepts authentic net site visitors between customers and web sites and routes it via attacker-controlled backend servers,” security researcher Ryan Simon stated. “The marketing campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese language internet hosting infrastructure (Baota Panel), and authorities and academic TLDs (.edu, .gov).”
The exercise includes using shell scripts to inject malicious configurations into NGINX, an open-source reverse proxy and cargo balancer for net site visitors administration. These “location” configurations are designed to seize incoming requests on sure predefined URL paths and redirect them to domains underneath the attackers’ management by way of the “proxy_pass” directive.
The scripts are a part of a multi-stage toolkit that facilitates persistence and the creation of malicious configuration information incorporating the malicious directives to redirect net site visitors. The elements of the toolkit are listed beneath –
- zx.sh, which acts because the orchestrator to execute subsequent levels via authentic utilities like curl or wget. Within the occasion that the 2 applications are blocked, it creates a uncooked TCP connection to ship an HTTP request
- bt.sh, which targets the Baota (BT) Administration Panel atmosphere to overwrite NGINX configuration information
- 4zdh.sh, which enumerates frequent Nginx configuration places and takes steps to reduce errors when creating the brand new configuration
- zdh.sh, which adopts a narrower concentrating on strategy by focusing primarily on Linux or containerized NGINX configurations and concentrating on top-level domains (TLDs) reminiscent of .in and .id
- okay.sh, which is liable for producing a report detailing all energetic NGINX site visitors hijacking guidelines
“The toolkit comprises goal discovery and a number of other scripts designed for persistence and the creation of malicious configuration information containing directives meant to redirect net site visitors.
The disclosure comes as GreyNoise stated two IP addresses – 193.142.147[.]209 and 87.121.84[.]24 – account for 56% of all noticed exploitation makes an attempt two months after React2Shell was publicly disclosed. A complete of 1,083 distinctive supply IP addresses have been concerned in React2Shell exploitation between January 26 and February 2, 2026.
“The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, whereas the opposite opens reverse shells on to the scanner IP,” the menace intelligence agency stated. “This strategy suggests curiosity in interactive entry relatively than automated useful resource extraction.”
It additionally follows the invention of a coordinated reconnaissance marketing campaign concentrating on Citrix ADC Gateway and Netscaler Gateway infrastructure utilizing tens of 1000’s of residential proxies and a single Microsoft Azure IP deal with (“52.139.3[.]76”) to find login panels.
“The marketing campaign ran two distinct modes: a large distributed login panel discovery operation utilizing residential proxy rotation, and a concentrated AWS-hosted model disclosure dash,” GreyNoise famous. “That they had complementary targets of each discovering login panels, and enumerating variations, which suggests coordinated reconnaissance.”
