NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware Activity
Summary
Hide ▲
Show ▼
A scripted multi-stage toolkit is automating NGINX configuration injection, service reloads, and C2 exfiltration to hijack traffic on compromised hosts. The toolkit’s stages use scripts such as zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh to modify configuration files, preserve legitimate-looking headers, and map hijacked domains. It targets NGINX installations and Baota hosting panels, with emphasis on sites using .in and .id domains as well as .edu and .gov sites. The activity matters because it hides malicious routing inside normal NGINX behavior, making the traffic diversion difficult to spot without specific monitoring.
Related Happenings
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch Release
H score34
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: **F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationAbout this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
Vulnerability
H score28
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
**CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
VulnerabilityAbout this happening: **CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
Active web traffic hijacking campaign targeting NGINX and Baota panels
Campaign
H score34
First: 05.02.2026 06:56
Last: 05.02.2026 06:56
Sources 1
About this happening:
An active **web traffic hijacking campaign** is targeting **NGINX** installations and **Baota (BT)** management panels, putting legitimate site traffic at risk of redirection thro...
Active web traffic hijacking campaign targeting NGINX and Baota panels
CampaignAbout this happening: An active **web traffic hijacking campaign** is targeting **NGINX** installations and **Baota (BT)** management panels, putting legitimate site traffic at risk of redirection thro...
Timeline
-
05.02.2026 01:26 2 articles · 5mo ago
DataDog Security Labs discloses NGINX traffic-hijack toolkit
Initial DisclosureOn 2026-02-04, DataDog Security Labs disclosed a campaign compromising NGINX servers and Baota hosting management panels to hijack user traffic by injecting malicious NGINX location blocks and proxying requests through attacker-controlled backend infrastructure. The staged toolkit uses zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh to modify configuration files, validate and reload NGINX, preserve normal request headers, and exfiltrate hijack mappings to 158.94.210[.]227, with targeting focused on .in, .id, .pe, .bd, .th, .edu, and .gov sites.
Show sources
- Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26