Find notable cyber news and cases, enriched with sources, timelines, and signals.

NGINX hijack toolkit that injects configs and exfiltrates mapping data

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

A scripted multi-stage toolkit is automating NGINX configuration injection, service reloads, and C2 exfiltration to hijack traffic on compromised hosts. The toolkit’s stages use scripts such as zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh to modify configuration files, preserve legitimate-looking headers, and map hijacked domains. It targets NGINX installations and Baota hosting panels, with emphasis on sites using .in and .id domains as well as .edu and .gov sites. The activity matters because it hides malicious routing inside normal NGINX behavior, making the traffic diversion difficult to spot without specific monitoring.

Related Happenings

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...

F5 NGINX out-of-band security updates (multiple vulnerabilities)

Security Patch Release
H score34 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)

Vulnerability
H score28 First: 14.05.2026 09:00 Last: 14.05.2026 09:00 Sources 1

About this happening: **CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...

Active web traffic hijacking campaign targeting NGINX and Baota panels

Campaign
H score34 First: 05.02.2026 06:56 Last: 05.02.2026 06:56 Sources 1

About this happening: An active **web traffic hijacking campaign** is targeting **NGINX** installations and **Baota (BT)** management panels, putting legitimate site traffic at risk of redirection thro...

Timeline

  1. 05.02.2026 01:26 2 articles · 5mo ago

    DataDog Security Labs discloses NGINX traffic-hijack toolkit

    Initial Disclosure

    On 2026-02-04, DataDog Security Labs disclosed a campaign compromising NGINX servers and Baota hosting management panels to hijack user traffic by injecting malicious NGINX location blocks and proxying requests through attacker-controlled backend infrastructure. The staged toolkit uses zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh to modify configuration files, validate and reload NGINX, preserve normal request headers, and exfiltrate hijack mappings to 158.94.210[.]227, with targeting focused on .in, .id, .pe, .bd, .th, .edu, and .gov sites.

    Show sources