Badnginx2s
Badnginx2s is a malicious Nginx module identified as a component of the RingH23 server-side compromise framework attributed in the reporting to the Funnull cybercriminal group, also known as Fangneng CDN. It is deployed on compromised CDN infrastructure, including GoEdge environments, as part of a broader modular toolkit that also includes SSH-based propagation, a WebSocket backdoor, udev-based persistence, and an LD_PRELOAD userland rootkit. The module’s documented functions are traffic hijacking, malicious JavaScript injection into outbound web traffic, cryptocurrency wallet replacement, and media manipulation. Specifically, the reporting states that Badnginx2s intercepts outbound traffic to inject malicious JavaScript, silently replaces Ethereum and TRON wallet addresses with attacker-controlled addresses, and inserts 5-second video segments into HLS playlists. The broader campaign is described as targeting large numbers of streaming and movie-related websites and exposing users to malicious JavaScript redirects at scale. High-confidence related artifacts mentioned in the content include the filename module.so, which is explicitly identified as Badnginx2s. The malware is associated in the reporting with Funnull’s 2025 RingH23 activity affecting compromised CDN nodes and poisoned web infrastructure.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Alongside it, the Badnginx2s Nginx module intercepts outbound traffic to inject malicious JavaScript, silently replace Ethereum and TRON wallet addresses..."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
"Funnull pursued two separate infection routes. In the first, attackers compromised a GoEdge CDN management node... forcing all connected edge nodes to download and execute the RingH23 toolkit. In the second path, the group poisoned the official update channel of maccms.la... to deliver a malicious PHP backdoor."
Execution
1 technique
Execution
Credential Access
1 technique
Credential Access
Discovery
1 technique
Discovery
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Nginx module that intercepts outbound traffic to inject malicious JavaScript for redirects, replaces Ethereum/TRON wallet addresses with attacker-controlled ones, and manipulates HLS playlists by inserting short video segments.
Malicious Nginx filtering module that tampers with HTTP responses to inject malicious JavaScript, hijack downloads (APK/PLIST/MOBILECONFIG), replace crypto wallet addresses (e.g., ETH/TRON), insert segments into HLS M3U8 playlists, and provides a covert signed Cookie-based command/config channel (XOR+Base64 with P-256 signature verification).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.