Hackers compromise NGINX servers to redirect user traffic

A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure. The malicious campaign targets NGINX installations and Baota hosting management panels used by sites with Asian top-level domains and government and educational sites. Attackers modify existing NGINX configuration files to capture incoming requests and forward traffic to attacker-controlled domains.