Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign
Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route web traffic through the attacker's infrastructure. Datadog Security Labs said it observed threat actors associated with the recent React2Shell (CVE-2025-55182, CVSS score: 10.0) exploitation using malicious NGINX
AI Analysis (machine-generated threat intelligence)
Technical Summary
This threat is an active campaign in which attackers who gained access through the React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) inject malicious configuration into NGINX web servers and into sites managed by the Baota (BT) panel. A multi-stage shell script toolkit establishes persistence and rewrites the server configuration so that legitimate web traffic is forwarded to attacker-controlled backends through the NGINX proxy_pass directive: the compromised server keeps answering for its original hostnames, but the responses now pass through, and can be manipulated by, the attacker's infrastructure.

The toolkit consists of zx.sh (orchestrator), bt.sh (targets the Baota panel), 4zdh.sh (enumerates NGINX configuration locations), zdh.sh (targets Linux and containerized NGINX deployments and sites under specific TLDs), and ok.sh (reports on the hijacking rules that were installed). The hijacking rules concentrate on country-code TLDs (.in, .id, .pe, .bd and .th), Chinese hosting infrastructure, and government and educational domains (.gov, .edu).

Observed post-exploitation payloads include cryptomining binaries and reverse shells, so the actors pursue both automated resource theft and interactive access. The campaign is linked to a broader reconnaissance effort against Citrix ADC and NetScaler Gateway appliances that uses residential proxies and cloud IP addresses to find exposed login panels. Payloads are fetched with legitimate utilities (curl, wget) or over raw TCP connections, which lets the activity blend in with ordinary administrative traffic.

The NGINX configuration injection has no CVSS score of its own because it is post-exploitation activity rather than a vulnerability; the React2Shell flaw that provides initial access is critical, and the combination gives the attacker control over what a compromised server delivers to its visitors.
Potential Impact
For European organizations the threat mainly affects confidentiality and integrity: an attacker who controls the backend that NGINX forwards to can read, alter, or redirect every request and response for the affected hostnames. Organizations running NGINX, particularly those managing sites through the Baota panel or hosting government and educational domains, could see data leakage, session hijacking (the upstream receives cookies and authorization headers after NGINX has terminated TLS), or unauthorized access. Forwarding traffic through attacker-controlled servers also enables credential theft, malware distribution to site visitors, and espionage. The cryptomining payloads add resource abuse, degraded performance, and higher operating costs. The campaign's focus on specific TLDs and hosting providers suggests that the most exposed European entities are those with business or academic ties to the targeted regions or that run the same hosting stack. Reverse shells give the attacker interactive access and the configuration changes give persistence, which together enable lateral movement and further compromise. Because the attack relies on legitimate tools and ordinary configuration files, it can stay undetected for a long time and is harder to scope during incident response.
Mitigation Recommendations
European organizations should immediately audit all NGINX configurations for unauthorized or unexpected proxy_pass directives and location blocks. Review the full effective configuration with `nginx -T` rather than only nginx.conf, since it prints every included file (conf.d, sites-enabled, and panel-managed vhost directories), which is where an injected file would sit, and confirm that every proxy_pass target is a known internal upstream or an approved external service. Patch all systems affected by React2Shell (CVE-2025-55182) promptly. Restrict access to management panels such as Baota (BT) through network segmentation, strong authentication, and IP allow-listing. Put file integrity monitoring on NGINX configuration directories to detect unauthorized changes, and alert on NGINX reloads or restarts that do not match a change record, because an injected configuration only takes effect once NGINX is reloaded. Enhance logging and monitoring to catch anomalous traffic forwarding and unexpected outbound connections from web servers, in particular new connections from NGINX worker processes to public IP addresses. Use endpoint detection and response (EDR) tooling to detect and block execution of suspicious shell scripts and post-exploitation payloads such as miners and reverse shells. Limit, or closely monitor, the use of curl, wget, and similar download utilities on production servers. Establish incident response playbooks specific to web traffic hijacking and run regular penetration tests to find configuration weaknesses. Work with threat intelligence providers to stay current on indicators of compromise for this campaign.
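The following is an added example for this page, not code from the Datadog write-up, the attackers' toolkit, or NGINX itself. It implements the configuration audit recommended above: it reads a configuration dump (the output of `nginx -T`, which prints every included file, so a vhost file dropped into an include directory is not missed), resolves each proxy_pass target through any upstream block, and flags targets that forward to a public IP address, an unknown hostname, or a request-time variable. The embedded sample configuration is constructed, including its domain, upstream name and addresses; 203.0.113.0/24 is a documentation range standing in for an attacker-controlled backend. The internal-network list and the `allowed` baseline are assumptions an operator would replace with their own.

```python
"""Audit an NGINX configuration dump (the output of `nginx -T`, which prints
every included file) for proxy_pass targets that leave the trust boundary.
Added example for this page, not Datadog's or NGINX's code. The sample config
at the bottom is constructed; 203.0.113.0/24 is a documentation range."""
import ipaddress
import re
import sys
from urllib.parse import urlsplit

PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")
UPSTREAM_RE = re.compile(r"\bupstream\s+(\S+)\s*\{([^}]*)\}", re.S)
SERVER_LINE_RE = re.compile(r"\bserver\s+([^;\s]+)")

# Ranges a backend may live in without being on the operator's allow-list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def strip_comments(text):
    """Drop '#' comments but keep line breaks so line numbers stay valid."""
    return re.sub(r"#.*", "", text)

def host_of(address):
    """Host part of an upstream 'server' address: host[:port], [v6]:port, unix:path."""
    if address.startswith("unix:") or address.count(":") > 1 and "[" not in address:
        return address                      # socket path or bare IPv6 literal
    if address.startswith("["):
        return address[1:address.index("]")]
    host, _, _port = address.rpartition(":")
    return host or address

def classify_host(host, allowed):
    """Verdict for one backend host; anything 'suspicious-*' needs review."""
    if host.startswith("unix:"):
        return "ok-local-socket"
    if host in allowed:
        return "ok-allowlisted"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "suspicious-unknown-hostname"
    return "ok-internal" if any(ip in n for n in INTERNAL_NETS) else "suspicious-public-ip"

def resolve_target(target, upstreams):
    """Hosts a proxy_pass argument really forwards to; None if it uses
    variables and is only resolved per request."""
    if "$" in target:
        return None
    m = re.match(r"https?://unix:([^:]+)", target)
    if m:
        return ["unix:" + m.group(1)]
    host = urlsplit(target).hostname or target
    return upstreams.get(host, [host])

def audit_config(text, allowed=()):
    """One (line, target, hosts, verdict) per proxy_pass directive; verdict is
    the worst host verdict, or 'review-dynamic' when variables are involved."""
    allowed = set(allowed)
    stripped = strip_comments(text)
    upstreams = {name: [host_of(a) for a in SERVER_LINE_RE.findall(body)]
                 for name, body in UPSTREAM_RE.findall(stripped)}
    findings = []
    for lineno, line in enumerate(stripped.splitlines(), 1):
        for target in PROXY_PASS_RE.findall(line):
            hosts = resolve_target(target, upstreams)
            if hosts is None:
                findings.append((lineno, target, [], "review-dynamic"))
                continue
            verdicts = [classify_host(h, allowed) for h in hosts]
            worst = next((v for v in verdicts if v.startswith("suspicious")), verdicts[0])
            findings.append((lineno, target, hosts, worst))
    return findings

# Constructed sample dump: a private upstream, an injected public backend,
# an external hostname and a variable-driven target.
SAMPLE_CONFIG = """
upstream app_backend {
    server 127.0.0.1:3000;
    server 10.0.1.15:3000 backup;
}
server {
    server_name www.example-university.edu;                  # constructed domain
    location /api/    { proxy_pass http://app_backend; }     # private upstream, expected
    location /        { proxy_pass http://203.0.113.45:8080; }  # injected public backend
    location /static/ { proxy_pass https://cdn.example.net; }   # external host, check baseline
    location /dyn/    { proxy_pass http://$target_host; }    # variable, find where it is set
}
"""

if __name__ == "__main__":
    # Pipe `nginx -T 2>/dev/null` in, or run with no input to audit the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    for line, target, hosts, verdict in audit_config(text):
        print(f"line {line:>4}  {verdict:<28} {target:<32} -> {hosts}")
```

On a real server, pipe `nginx -T` into the script and pass the organization's known external backends (CDN, SaaS endpoints) as `allowed`; on a server that should only proxy to local applications, any `suspicious-public-ip` finding is exactly the pattern this campaign installs and the line number points at the file to compare against backups or the panel's own templates. A `review-dynamic` verdict is not proof of anything, but the variable feeding it must be traced to a `set` or `map` directive, because that is another place a forwarding target can be hidden. The script only reads text and never resolves hostnames, so it is safe to run on a possibly compromised host without tipping off the attacker through DNS.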
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Article Source: https://thehackernews.com/2026/02/hackers-exploit-react2shell-to-hijack.html (fetched 2026-02-05T09:10:52Z, 1083 words)
Threat ID: 69845e9ff9fa50a62f0ff3a9
Added to database: 2/5/2026, 9:10:55 AM
Last enriched: 2/5/2026, 9:11:21 AM
Last updated: 3/22/2026, 1:40:58 AM
Views: 255