NGINX Servers Under Siege: New Redirection Campaign Exploits Baota Control Panels

Listen to this Post

Featured Image
A new wave of cyberattacks is quietly compromising NGINX web servers, redirecting users to malicious destinations while leaving legitimate websites seemingly untouched. According to Datadog Security Labs, this campaign mainly targets servers managed via the Baota (BT) control panel—a popular web hosting management tool in Asia. The attacks appear linked to the earlier React2Shell remote-code-execution campaign, using sophisticated methods to modify NGINX configuration files and hijack web traffic undetected. This stealthy approach puts a wide array of online services, from e-commerce platforms to VPN providers, at risk.

How the Attack Works

NGINX relies on configuration files to direct incoming web requests. Threat actors are exploiting this by injecting rogue proxy_pass rules inside location blocks. When users visit an infected site, their requests are silently redirected to attacker-controlled servers. Visitors are exposed to phishing pages, gambling sites, or other scams while the original website continues functioning normally, allowing attackers to remain hidden.

Datadog’s investigation revealed a sophisticated five-stage infection chain, orchestrated via modular shell scripts:

Stage 1 – The Orchestrator (zx.sh): Acts as the initial entry point post-breach, downloading additional payloads and establishing communication channels, even bypassing blocked utilities like curl or wget.

Stage 2 – Baota Panel Injection (bt.sh): Targets Baota-managed NGINX servers, scanning configuration paths and injecting malicious rules tailored to each domain. It performs stealth checks and triggers soft reloads to avoid detection.

Stage 3 – Advanced Injection (4zdh.sh): Expands the attack to general Linux NGINX environments under /etc/nginx/sites-enabled, validating syntax before restarting NGINX to prevent service disruption.

Stage 4 – Linux-Targeted Injection (zdh.sh): An aggressive variant designed for containerized setups and regional domains like .in or .id, forcibly restarting NGINX if standard reloads fail.

Stage 5 – Reporting (ok.sh): Collects information on compromised domains and reports back to the attacker’s command-and-control server, completing the infection feedback loop.

The campaign poses significant threats not only by redirecting traffic but also by enabling ad injection, credential theft, and browsing data collection.

Administrators are strongly advised to audit NGINX configurations regularly, especially checking for unexpected proxy_pass directives. Additional protective measures include implementing strict file integrity monitoring, limiting access to administrative panels, and keeping Baota and NGINX installations fully patched.

What Undercode Say:

This attack highlights a worrying trend in web infrastructure exploitation, where even routine management tools like Baota can become the vector for sophisticated cyber operations. The modular design of this infection chain demonstrates a high level of attacker sophistication—each script handles a precise stage of the takeover, ensuring persistence and minimal disruption to the compromised servers.

The attackers’ strategy of stealthy configuration injection is particularly insidious. By targeting location blocks and validating syntax before reloads, they reduce the risk of detection, allowing campaigns to operate for extended periods. Moreover, their reporting mechanism ensures attackers maintain situational awareness of infected hosts, enabling continuous optimization of attack strategies.

The regional focus on domains like .in and .id suggests either geo-targeting for higher success rates or a focus on under-secured hosting ecosystems. Combined with the lingering threat to critical services such as e-commerce, VPN, and remote-access systems, the campaign exposes systemic vulnerabilities in server administration and patch management.

From a defensive perspective, the attack reinforces the importance of proactive monitoring. File integrity monitoring, strict change management, and minimizing unnecessary administrative exposure are no longer optional—they are essential. Network defenders should also consider anomaly detection for outbound traffic to identify potential redirections in real time.

The Baota panel, despite its convenience, now emerges as a critical attack surface. This could trigger shifts in hosting preferences and force vendors to adopt more resilient architecture practices. Administrators ignoring these threats risk not just service disruption but also reputational damage and legal liability from compromised customer data.

Additionally, the campaign underlines the evolving cybercrime business model: attackers increasingly monetize indirect exploits like ad injections and data harvesting, moving beyond overt ransomware attacks. This blurs the line between traditional cybercrime and stealthy espionage, necessitating a holistic approach to server security that combines behavioral monitoring with conventional patching.

Long-term, NGINX and other open-source server technologies may need enhanced auditing tools capable of detecting subtle configuration anomalies automatically. Failure to adapt could make similar campaigns the norm rather than the exception.

Fact Checker Results:

✅ The attack leverages NGINX configuration files to redirect traffic—accurate per Datadog findings.
✅ Baota (BT) control panel is confirmed as a primary target—widely used in Asia.
❌ No evidence suggests this attack has caused widespread public service outages; it is stealth-focused.

Prediction:

Cybercriminals will likely expand this method to other popular web server panels and CMS platforms, aiming for global reach. 🌐 Stealthy traffic redirection may become a standard tactic for phishing campaigns, while modular infection scripts will continue evolving, emphasizing persistence and minimal footprint. 🔒 Security-conscious administrators who adopt proactive auditing and integrity monitoring will gain a measurable advantage over those relying solely on patching. ✅

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon