NGINX traffic hijacking campaign targeting Asian and government domains
Campaign
Summary
A threat actor is running an active traffic-hijacking campaign against NGINX servers, rerouting user requests through attacker infrastructure and increasing the risk of stealthy interception. The operation targets sites on .in, .id, .pe, .bd, and .th domains as well as .edu and .gov properties.
Related Happenings
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
Vulnerability
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
**CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
Active web traffic hijacking campaign targeting NGINX and Baota panels
Campaign
First: 05.02.2026 06:56
Last: 05.02.2026 06:56
Sources 1
About this happening:
An active **web traffic hijacking campaign** is targeting **NGINX** installations and **Baota (BT)** management panels, putting legitimate site traffic at risk of redirection thro...
NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware Activity
First: 05.02.2026 01:26
Last: 05.02.2026 01:26
Sources 1
How related:
The attack uses a scripted multi-stage toolkit to perform the NGINX configuration injections.
About this happening:
A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...
Timeline
- 05.02.2026 01:26 2 articles · 3mo ago
NGINX traffic hijacking campaign disclosed
Initial Disclosure
Researchers at Datadog Security Labs describe an active campaign against NGINX installations and Baota hosting management panels where attackers inject malicious `location` blocks, rewrite requests with `proxy_pass`, preserve common headers, and exfiltrate a map of hijacked domains and proxy targets to 158.94.210[.]227.
Sources:
- Hackers compromise NGINX servers to redirect user traffic — www.bleepingcomputer.com — 05.02.2026 01:26
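A defender-side check for the injected `location` / `proxy_pass` pattern described in the timeline entry above. This is an added example, not code from the researchers or the cited article: it lists every `proxy_pass` target in an NGINX config whose host is not on an allow-list of expected backends. The sample config, hostnames and allow-list are constructed placeholders, and the parser assumes one directive per line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample config; hostnames are placeholders, not campaign indicators.
SAMPLE_CONF = """
server {
    server_name shop.example.org;
    location / {
        proxy_pass http://127.0.0.1:8080;   # expected local backend
    }
    location /help/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://unknown-backend.example.net/help/;
    }
    location /api/ {
        proxy_pass http://app_pool;         # named upstream block
    }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+(.+?)\s*\{")
PROXY_RE = re.compile(r"\bproxy_pass\s+(\S+?)\s*;")

def target_host(target):
    """Host part of a proxy_pass target, or None for variables and unparseable values."""
    try:
        return urlsplit(target).hostname
    except ValueError:
        return None

def audit_proxy_targets(conf, allowed_hosts):
    """Return (location, target) pairs whose proxy_pass host is not allow-listed."""
    findings, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        loc = LOCATION_RE.search(line)
        if loc:
            current = loc.group(1).strip()   # most recent location seen
        hit = PROXY_RE.search(line)
        if hit:
            host = target_host(hit.group(1))
            if host is None or host.lower() not in allowed_hosts:
                findings.append((current, hit.group(1)))
    return findings

if __name__ == "__main__":
    for location, target in audit_proxy_targets(SAMPLE_CONF, {"127.0.0.1", "app_pool"}):
        print(f"review: location {location} -> {target}")
```

Run it against the fully expanded configuration (the output of `nginx -T`) so that files pulled in through `include` are covered as well.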