Recent findings by cybersecurity experts have unveiled a significant web traffic hijacking campaign exploiting NGINX installations and management interfaces like Baota. The campaign aims to reroute web traffic through servers controlled by the attackers, posing a substantial threat to internet security.
React2Shell Exploitation
Datadog Security Labs identified that the perpetrators of this campaign are leveraging the React2Shell (CVE-2025-55182) vulnerability with a critical CVSS score of 10.0. The attackers utilize malicious NGINX configurations to intercept legitimate web requests, diverting them through their own backend systems.
Security researcher Ryan Simon highlighted that the campaign targets specific top-level domains (TLDs) such as .in, .id, .pe, .bd, and .th, alongside Chinese hosting services like the Baota Panel, as well as government and educational domains (.edu, .gov).
Malicious NGINX Configurations
The attackers employ shell scripts to embed harmful configurations within NGINX, an open-source tool used for web traffic management. These configurations manipulate incoming requests on designated URL paths, redirecting them to attacker-operated domains using the “proxy_pass” command.
The toolkit includes several scripts designed to maintain persistence and generate malicious NGINX configurations. Key components include zx.sh, bt.sh, 4zdh.sh, zdh.sh, and ok.sh, each with specific functions ranging from orchestrating attacks to modifying NGINX settings and reporting active hijacking rules.
Emerging Threats and Analysis
GreyNoise’s analysis revealed two dominant IP addresses—193.142.147[.]209 and 87.121.84[.]24—responsible for over half of the exploitation attempts following the public disclosure of React2Shell. Between January 26 and February 2, 2026, 1,083 unique IP addresses were implicated in these attacks.
These sources deploy varied post-exploitation tactics, including cryptomining binary retrieval and direct reverse shell access, indicating a preference for interactive engagement over automated processes. Moreover, the campaign coincides with a broader reconnaissance effort against Citrix ADC Gateway and Netscaler Gateway infrastructures, employing extensive residential proxies and a Microsoft Azure IP address for login panel discovery.
The operation features two distinct phases: a widespread proxy-based login discovery and an AWS-hosted version enumeration sprint, suggesting a coordinated reconnaissance strategy.
This revelation underscores the critical need for robust security measures to safeguard web servers and prevent unauthorized access, emphasizing the importance of staying updated on emerging threats and vulnerabilities.
