securityonline.info 2/6/2026, 1:41:11 AM

The Invisible Proxy: NGINX Hijacked for Silent SEO Poisoning

A new campaign identified by Datadog Security Research hijacks NGINX servers to silently redirect user traffic. The attackers compromise NGINX installations and Baota (BT) management panels and inject malicious configuration rather than tampering with the sites' content.

According to Datadog Security Research, the injected configuration routes selected legitimate requests to attacker-controlled backend servers, forming a shadow proxy layer. It targets visitors of paths linked to gambling terms such as "pgslot" or "live", and serves dynamic templates chosen by the victim domain's TLD, with a focus on Asian domains such as .in, .id and .th and on the education and government sectors.

The attack uses a multi-stage script chain: zx[.]sh acts as the orchestrator; bt[.]sh enumerates configuration paths and injects the redirect logic; 4zdh[.]sh validates the modified configuration with nginx -t; and ok[.]sh maps infections and exfiltrates data to a C2 server at 158.94.210[.]227. The campaign is described as invisible because it manipulates proxy_pass and location directives so that selected traffic bypasses the normal routes while the visible website content is left unchanged.

For NGINX administrators, unexpected location blocks or proxy directives pointing at unknown hosts are clear indicators of compromise and should be monitored for. The incident underscores the risk of silent traffic hijacking: Datadog's analysis shows a precise, staged intrusion that can exfiltrate data while remaining undetected, which makes vigilant configuration management essential for mitigating such compromises.

6 February 2026
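The check above (unexpected location blocks and proxy_pass targets pointing at unknown hosts) can be automated against the configuration files the injection scripts modify. The following is an added example written for this page, not Datadog's tooling or any script from the campaign: it parses nginx configuration text, records every proxy_pass together with the location it sits in, and flags upstreams outside an allowlist or locations matching the keywords the campaign is reported to target. The sample configuration, the allowlist and the 203.0.113.5 upstream (a TEST-NET address) are constructed for illustration.

```python
"""Audit NGINX configuration text for injected proxy_pass redirections.

Added example, not code from Datadog or from the campaign's scripts.
The config and allowlist below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Tokenizer: comments, quoted strings, structural characters, bare words.
_TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def _tokens(text):
    for m in _TOKEN_RE.finditer(text):
        tok = m.group(0)
        if not tok.startswith("#"):  # drop comments
            yield tok


def _parse_block(tokens):
    """Consume tokens until the matching '}' and return [(args, children)]."""
    stmts, args = [], []
    for tok in tokens:
        if tok == ";":
            stmts.append((args, None))
            args = []
        elif tok == "{":
            stmts.append((args, _parse_block(tokens)))
            args = []
        elif tok == "}":
            break
        else:
            args.append(tok)
    return stmts


def parse_nginx(text):
    """Parse config text into nested statements; children is None for simple directives."""
    return _parse_block(iter(_tokens(text)))


def proxy_targets(stmts, location="(no location)", out=None):
    """Collect (location, proxy_pass target) pairs, recursing into every block."""
    if out is None:
        out = []
    for args, children in stmts:
        if not args:
            continue
        if args[0] == "location" and children is not None:
            proxy_targets(children, " ".join(args[1:]), out)
        elif args[0] == "proxy_pass" and len(args) > 1:
            out.append((location, args[1].strip("\"'")))
        elif children is not None:
            proxy_targets(children, location, out)
    return out


def upstream_host(target):
    """Host part of a proxy_pass value ('http://1.2.3.4:80/x' -> '1.2.3.4')."""
    parsed = urlparse(target if "://" in target else "//" + target)
    return (parsed.hostname or target).lower()


def audit(config_text, allowed_hosts, keywords=("pgslot", "live")):
    """Return (location, target, reason) for every proxy_pass worth a look."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for location, target in proxy_targets(parse_nginx(config_text)):
        reasons = []
        if upstream_host(target) not in allowed:
            reasons.append("upstream not in allowlist")
        if any(k in location.lower() for k in keywords):
            reasons.append("location matches targeted keyword")
        if reasons:
            findings.append((location, target, "; ".join(reasons)))
    return findings


# Constructed sample: one legitimate reverse proxy plus an injected block.
SAMPLE_CONF = """
http {
    upstream app { server 127.0.0.1:8080; }
    server {
        listen 80;
        server_name www.example.edu;
        location /api/ {
            proxy_pass http://app;
        }
        location ~* (pgslot|live) {
            proxy_set_header Host $host;
            proxy_pass http://203.0.113.5;   # TEST-NET address standing in for a hijack upstream
        }
    }
}
"""

# Hypothetical allowlist: the upstream names and hosts this server should ever proxy to.
ALLOWED_UPSTREAMS = {"app", "127.0.0.1"}

if __name__ == "__main__":
    for loc, target, why in audit(SAMPLE_CONF, ALLOWED_UPSTREAMS):
        print(f"SUSPECT location {loc!r} -> {target} ({why})")
```

Run it over every file that nginx -T prints (the main file plus everything it includes), since the injection scripts reportedly enumerate configuration paths rather than touching only nginx.conf, and diff the output against a known-good baseline. The keyword match is a hint, not proof: a legitimate `/liveness` endpoint also contains "live", which is why the allowlist check on the upstream host is the stronger signal.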

Article by CyberSIXT