A threat actor is compromising NGINX servers by injecting malicious "location" blocks that rewrite requests and forward traffic via proxy_pass to attacker-controlled backends, hijacking user traffic without disrupting service. Discovered by DataDog, the multi-stage toolkit targets Baota-managed hosts and sites on several Asian TLDs and gov/edu domains, preserves headers and full URLs to appear legitimate, and exfiltrates mapping data to a C2 at 158.94.210[.]227. #NGINX #Baota
Key points
- Attackers inject malicious NGINX "location" blocks that capture specified URL paths and forward requests via proxy_pass to attacker-controlled domains.
- The campaign targets Baota-managed NGINX installations and sites on Asian TLDs (.in, .id, .pe, .bd, .th) as well as .gov and .edu domains.
- A scripted five-stage toolkit (zx.sh, bt.sh, 4zdh.sh, zdh.sh, ok.sh) handles download/execution, template selection, safe configuration injection, enumeration, and data collection.
- Request headers (Host, X-Real-IP, User-Agent, Referer) and the full original URL are preserved so redirected traffic appears legitimate and avoids simple detection.
- Because the attack modifies configuration rather than exploiting an NGINX vulnerability and user traffic still reaches intended destinations, detection is difficult; mapping data is exfiltrated to C2 158.94.210[.]227.