Cybersecurity researchers have uncovered a large-scale attack campaign where hackers are abusing NGINX web server configurations to secretly hijack real user traffic. Instead of breaking websites or installing visible malware, the attackers quietly change server settings. This allows them to control where website traffic goes without alerting site owners or users. Because NGINX is widely used, the impact of this campaign is considered serious.

[Image: NGINX server acting as a reverse proxy managing and redirecting web traffic across backend servers]

In this attack, hackers do not rely on traditional malicious software. They directly modify NGINX configuration files, which normally control how traffic is routed on a website. By inserting specific proxy rules, the server is instructed to forward visitors through attacker-controlled servers. From the outside, the website continues to function normally, making the compromise difficult to notice.

The activity was first identified by security researchers from Datadog Security Labs. Their investigation revealed that the attackers were linked to earlier server-side exploits, including the React2Shell vulnerability. After gaining initial access, the attackers focused on changing configuration settings rather than deploying malware. This shift makes detection far more challenging for traditional security tools.

[Image: Diagram explaining forward proxy and reverse proxy architecture in NGINX web server traffic routing]

A key reason this attack is dangerous is that it uses legitimate NGINX features. Functions such as traffic proxying and backend routing are standard tools used by administrators for performance and load balancing. The attackers simply abuse these trusted features for malicious purposes. As a result, antivirus software and file-based scanners often fail to detect the compromise.

To remain hidden, the attackers preserve normal traffic details such as IP addresses, browser information, and referral data. This makes redirected traffic appear genuine in logs and monitoring systems. Website owners may continue operating their services without realizing that user data is being intercepted or altered. In many cases, only deep configuration audits reveal the attack.

[Image: High-performance data center servers representing NGINX web server infrastructure and backend systems]

Most of the affected systems were servers managed through popular web control panels, especially Baota (BT). The campaign has primarily targeted websites hosted in parts of Asia, including sites on government, educational, and commercial domains. However, researchers warn that any poorly secured NGINX server could become a target, regardless of location.

Once traffic is hijacked, attackers can silently steal credentials, inject malicious content, or redirect users to phishing and scam pages. This can lead to financial fraud, data theft, and loss of user trust. Because the website itself appears normal, visitors are unlikely to suspect anything is wrong while being exploited.

[Image: Cybersecurity audit interface highlighting server configuration review and traffic monitoring in NGINX]

Security experts stress that this campaign highlights a growing trend in cyberattacks: abusing trusted system configurations instead of malware. Administrators are advised to regularly review NGINX configuration files, monitor unexpected outbound traffic, restrict access to control panels, and apply security patches promptly. Treating configuration files as a critical security component is now essential.
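The configuration review recommended above can be partly automated. The script below is an added example written for this article; it is not code from Datadog Security Labs or from the NGINX project. It scans a constructed nginx.conf fragment (embedded inline, not a real captured config) for `location` blocks whose `proxy_pass` target is neither a locally declared `upstream`, nor a loopback or RFC 1918 address, nor on an administrator-supplied allowlist. For each such block it also records which client-identity headers (`X-Real-IP`, `X-Forwarded-For`, `Referer`, `User-Agent`) are being forwarded, since preserving those headers is what makes hijacked traffic look genuine in logs. The allowlist parameter and the address ranges treated as "internal" are assumptions; adjust them to your own topology.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample nginx.conf fragment (not from the article or from any real server).
# The first location forwards to a local upstream, which is normal. The second forwards
# all traffic to an external host while passing client identity headers through,
# which is the pattern an audit should surface.
SAMPLE_CONFIG = """
http {
    upstream app_backend { server 127.0.0.1:8080; }
    server {
        listen 80;
        server_name example.org;
        location /api/ {
            proxy_pass http://app_backend;
            proxy_set_header Host $host;
        }
        location / {
            proxy_pass http://203.0.113.10:8080;   # TEST-NET-3 address, constructed for the example
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Referer $http_referer;
        }
    }
}
"""

# Assumption: loopback, RFC 1918 space, unix sockets and named upstreams are "expected".
PRIVATE_HOST = re.compile(
    r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|localhost$|unix:)"
)
UPSTREAM_RE = re.compile(r"\bupstream\s+([\w.-]+)\s*\{")
LOCATION_RE = re.compile(r"location\s+([^\s{]+)\s*\{([^}]*)\}", re.S)
PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\w+)://([^/;\s]+)")
HEADER_RE = re.compile(r"proxy_set_header\s+([\w-]+)")

# Headers whose forwarding keeps redirected traffic looking like direct client traffic.
CLIENT_IDENTITY_HEADERS = {"x-real-ip", "x-forwarded-for", "referer", "user-agent"}


def audit_config(text: str, allowed_hosts: Iterable[str] = ()) -> List[Dict]:
    """Return one finding per location whose proxy_pass target is not a declared
    upstream, not an internal address, and not on the allowlist."""
    upstreams = set(UPSTREAM_RE.findall(text))
    allowed = set(allowed_hosts)
    findings = []
    for path, body in LOCATION_RE.findall(text):
        m = PROXY_PASS_RE.search(body)
        if not m:
            continue  # static location, nothing is proxied
        scheme, hostport = m.groups()
        host = hostport.rsplit(":", 1)[0]  # strip an optional port
        if host in upstreams or host in allowed or PRIVATE_HOST.match(host):
            continue
        forwarded = sorted(
            h.lower() for h in HEADER_RE.findall(body)
            if h.lower() in CLIENT_IDENTITY_HEADERS
        )
        findings.append({
            "location": path,
            "target": f"{scheme}://{hostport}",
            "forwarded_headers": forwarded,
        })
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[!] location {f['location']} proxies to {f['target']}; "
              f"forwards client headers: {', '.join(f['forwarded_headers']) or 'none'}")
```

Run it against `/etc/nginx/nginx.conf` (or each file under `conf.d/` and a control panel's `vhost/` directory) instead of `SAMPLE_CONFIG`, and pass the hosts you legitimately proxy to in `allowed_hosts`. A finding is not proof of compromise, but a `proxy_pass` to an address nobody on the team recognises, combined with forwarded identity headers, is exactly the configuration change this campaign relies on and is worth checking against the file's modification time and the panel's change history.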

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news