Active web traffic hijacking campaign targeting NGINX and Baota panels
Campaign
Summary
Hide ▲
Show ▼
An active web traffic hijacking campaign is targeting NGINX installations and Baota (BT) management panels, putting legitimate site traffic at risk of redirection through attacker infrastructure. The operation injects malicious configuration files that capture selected URL paths and forward requests with proxy_pass. It has been observed alongside React2Shell (CVE-2025-55182) exploitation and uses shell-script tooling to persist on exposed servers. The targeting spans Asian TLDs and government and educational domains, making the intrusion scope broad rather than isolated.
Related Happenings
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationAbout this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
H score54
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
VulnerabilityAbout this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
NGINX traffic hijacking campaign targeting Asian and government domains
Campaign
H score30
First: 05.02.2026 01:26
Last: 05.02.2026 01:26
Sources 1
About this happening:
A **threat actor** is running an active **traffic-hijacking campaign** against **NGINX servers**, rerouting user requests through attacker infrastructure and increasing the risk o...
NGINX traffic hijacking campaign targeting Asian and government domains
CampaignAbout this happening: A **threat actor** is running an active **traffic-hijacking campaign** against **NGINX servers**, rerouting user requests through attacker infrastructure and increasing the risk o...
NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware Activity
H score16
First: 05.02.2026 01:26
Last: 05.02.2026 01:26
Sources 1
About this happening:
A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...
NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware ActivityAbout this happening: A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...
Timeline
-
05.02.2026 06:56 2 articles · 5mo ago
Initial report: Active web traffic hijacking campaign targeting NGINX and Baota panels
Initial DisclosureInitial access appears to come from **React2Shell (CVE-2025-55182)** exploitation, after which shell scripts deploy malicious NGINX configuration files to establish traffic redirection. The earliest stage focuses on persistence and on changing reverse-proxy behavior before user requests are forwarded onward.
Show sources
- Hackers Exploit React2Shell to Hijack Web Traffic via Compromised NGINX Servers — thehackernews.com — 05.02.2026 06:56
- Hackers Exploit React2Shell to Hijack Web Traffic via Compromised NGINX Servers — thehackernews.com — 05.02.2026 06:56