Cookie-gated PHP web shells on Linux servers with cron-based self-healing persistence
Technical Analysis
Summary
Researchers detailed HTTP cookie-gated PHP web shells on Linux servers, showing how attackers can hide remote code execution inside normal traffic. The loaders stay dormant until specific cookie values arrive, and in some cases cron-based re-creation preserves access even after cleanup. That split between execution control and persistence makes the tradecraft harder to detect in routine web logs. It also gives defenders concrete indicators around cookies, scheduled tasks, and obfuscated PHP loaders.
Timeline
- 03.04.2026 18:32 (2 articles)
Microsoft details cookie-gated PHP web shells on Linux servers
Technical Analysis Update
Microsoft Defender Security Research Team describes threat actors using HTTP cookies as a control channel for PHP-based web shells on Linux servers, with cookie values gating execution, passing instructions, and activating malicious functionality while blending into normal traffic. The analysis says one loader uses layered obfuscation and runtime checks before parsing structured cookie input, and another case shows initial access through valid credentials or a known security vulnerability followed by a cron job that repeatedly invokes an obfuscated PHP loader to preserve remote code execution. Microsoft recommends enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces, monitoring unusual login activity, restricting shell interpreter execution, auditing cron jobs and scheduled tasks, checking for suspicious file creation in web directories, and limiting hosting control panel shell capabilities.
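A defender-side triage script for the two indicators the analysis points at: scheduled tasks that re-invoke PHP on files under a web root, and PHP sources that route cookie input into dynamic execution. This is an added example, not Microsoft's tooling; the web-root list, the regexes, and the sample crontab and PHP fragments are constructed assumptions.

```python
import re

# Constructed sample crontab (not from the analysis): one benign job and two jobs
# that repeatedly invoke PHP on files under a web root, the re-creation pattern described.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/php /var/www/html/wp-content/uploads/.cache.php >/dev/null 2>&1
@hourly cd /var/www/html/img && php t.php
"""
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/", "/home/")  # assumed document roots
PHP_REF = re.compile(r"\bphp[\w.-]*")  # php, php8.2, php-cgi, or a .php file
COOKIE_INPUT = re.compile(r"\$_COOKIE\b|\$_SERVER\s*\[\s*['\"]HTTP_COOKIE['\"]\s*\]|getallheaders\s*\(")
DYNAMIC_EXEC = re.compile(r"\b(eval|assert|create_function|system|shell_exec|passthru|exec|popen|proc_open)\s*\(")
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev)\s*\(")

def suspicious_cron_entries(crontab_text):
    """Non-comment cron lines that reference PHP together with a path under a web root."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and PHP_REF.search(s) and any(r in s for r in WEB_ROOTS):
            hits.append(s)
    return hits

def php_indicators(src):
    """Loader traits present in a PHP source: cookie input, dynamic execution, decoders."""
    checks = (("cookie_input", COOKIE_INPUT), ("dynamic_exec", DYNAMIC_EXEC), ("decoder", DECODER))
    return [name for name, rx in checks if rx.search(src)]

def is_cookie_gated_loader(src):
    """Cookie input feeding dynamic execution is the gating pattern; cookie use alone is normal."""
    found = php_indicators(src)
    return "cookie_input" in found and "dynamic_exec" in found

# Constructed, inert PHP fragments ($data is never defined) used only to exercise the checks.
BENIGN_PHP = '<?php session_id($_COOKIE["PHPSESSID"] ?? ""); session_start(); echo "ok";'
SUSPECT_PHP = '<?php if (empty($_COOKIE["k"])) { exit; } eval(gzinflate(base64_decode($data)));'

if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", entry)
    for name, src in (("benign", BENIGN_PHP), ("suspect", SUSPECT_PHP)):
        print(name, php_indicators(src), is_cookie_gated_loader(src))
```

On a real host, feed it the output of `crontab -l` for each user plus the files under /etc/cron* and the contents of recently created PHP files in the document roots; a hit is a lead for manual review, not a verdict.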
Sources
- Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32