Web Traffic Hijacking: When Your Nginx Configuration Turns Malicious
ID: ceedf194-9a02-53dd-a641-1e58726f4043
STIX ID: report--ceedf194-9a02-53dd-a641-1e58726f4043
Feed Name: Datadog Security Labs
Datadog Security Research details an active campaign that injects malicious NGINX configuration via automated shell scripts in order to intercept legitimate web traffic and proxy it through attacker-controlled backends. Targets include Baota (BT) panel installations and sites under specific TLDs (.in, .id, .pe, .bd, .th, .edu, .gov). Reported IOCs include the domains xzz.pier46.com, ide.hashbank8.com and th.cogicpt.org and the C2 IP 158.94.210.227; the report also provides recommended detection rules and the observable behaviors they key on.
