Redirected traffic can be abused in multiple ways, experts warn
- Datadog reports attackers hijacking NGINX configurations to reroute traffic through malicious infrastructure
- Campaign targets Asian government and education sectors, enabling theft of session tokens, cookies, and credentials
- Hijacked traffic used for phishing, malware injection, ad fraud, and proxying further attacks
Cybercriminals are targeting NGINX servers, rerouting legitimate traffic through their malicious infrastructure, experts have warned.
Security researchers at Datadog Security Labs found the attackers are focused primarily on Asian targets in the government and education industries.
NGINX servers are software systems that sit in front of websites or apps and handle incoming web traffic. They serve content, balance loads, and route requests to the appropriate backend servers.
What to do with the stolen data
In the attack, the unnamed threat actors modify the NGINX configuration files and inject malicious blocks that grab incoming requests. They then rewrite them to include the original URL and forward traffic to domains under their control. According to Datadog, this is a five-stage attack that starts with a configuration injection and ends with data exfiltration.
Since no vulnerability is being abused here, and the victims still end up on the pages they asked for, no one is the wiser. Still, cybercriminals are getting away with valuable information that can be used in different ways.
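A defender-side check for the configuration injection described above, as an added example (not Datadog's or the article's code): it lists every `proxy_pass`, `rewrite` or `return` target in an NGINX configuration whose host is not on an operator-maintained allowlist. The allowlist contents, the sample configuration and the host `relay.unapproved.example` are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the operator maintains this set of legitimate forwarding targets.
APPROVED = {"127.0.0.1", "localhost", "app_backend", "$host"}
# Directives that can send a request to another host; arguments end at ';'.
DIRECTIVE = re.compile(r"(?<![\w/.$-])(proxy_pass|rewrite|return)\s+([^;{}]+);")
# Host part of an absolute URL, or the leading nginx variable standing in for it.
TARGET = re.compile(r"https?://(\$\w+|[^/\s;:\"'$]+)", re.I)

def audit_nginx(config_text, approved=APPROVED):
    """Return (line_no, directive, host) for each forwarding target not approved."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments (naive: ignores a quoted '#')
        for m in DIRECTIVE.finditer(line):
            for host in TARGET.findall(m.group(2)):
                if host.lower() not in approved:
                    findings.append((line_no, m.group(1), host.lower()))
    return findings

def audit_tree(root, approved=APPROVED):
    """Audit every file under a config directory, so included files are covered."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = audit_nginx(path.read_text(errors="replace"), approved)
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: one expected upstream plus one block nobody approved.
SAMPLE = """\
upstream app_backend { server 127.0.0.1:8080; }
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    location / { proxy_pass http://app_backend; }
    location /news/ {
        proxy_pass http://relay.unapproved.example;
    }
}
"""
if __name__ == "__main__":
    for line_no, directive, host in audit_nginx(SAMPLE):
        print(f"line {line_no}: {directive} -> unapproved host {host}")
```

The matching is line-based, so a directive split across several lines is not seen; pair it with file-integrity monitoring on the configuration directory.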
Because headers are preserved, the attacker can collect IP addresses, user agents, referrers, session tokens, cookies, and sometimes credentials or API keys if they appear in requests. On government or .edu sites, that data is especially valuable.
They can also manipulate content selectively. Since only certain URL paths are hijacked, the attacker can inject ads, phishing pages, malware downloads, or fake login prompts only when they want, successfully targeting specific users, regions, or time zones.
Then, there is the option of traffic monetization and resale. Clean, real user traffic routed through attacker infrastructure can be sold for ad fraud, SEO manipulation, click-fraud, or used to boost other malicious services, which is a common practice in large-scale proxy ecosystems.
Finally, compromised NGINX servers can be used to proxy attacks against other targets, effectively masking their origins.
Via BleepingComputer
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.