PHP Web Shells Leveraging Cookie-Based Control Channels for Persistent RCE on Linux Servers
Summary
Threat actors are deploying PHP-based web shells on Linux servers that use HTTP cookies as a control channel to execute malicious commands and maintain persistent remote code execution (RCE). These shells remain dormant under normal traffic and activate only when specific, attacker-supplied cookie values are present, evading detection in logs and web traffic inspection. The technique integrates with cron jobs to reinstall the shell if removed, creating a self-healing persistence mechanism. Initial access is commonly achieved via valid credentials or exploitation of known vulnerabilities, and the approach leverages legitimate execution paths within web server processes and control panels.
Timeline
- 03.04.2026 18:32 (1 article)
Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
Threat actors deploy PHP-based web shells on Linux servers that use HTTP cookies to gate command execution and maintain persistent RCE. The shells remain dormant under normal traffic and activate only when specific cookies are present, reading attacker-controlled input directly from the $_COOKIE superglobal without any additional parsing. Persistence is maintained via cron jobs that reinstall the shell if it is removed, creating a self-healing RCE channel that evades detection in logs and web traffic inspection.
- Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
Information Snippets
- Malicious PHP web shells use HTTP cookies to gate execution: threat-actor-supplied cookie values, rather than URL parameters or request bodies, trigger command parsing and remote code execution.
  First reported: 03.04.2026 18:32 (1 source, 1 article)
  Source: Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
- The technique leverages the PHP $_COOKIE superglobal variable, allowing attacker-controlled inputs to be consumed directly without additional parsing or triggering suspicion in normal web traffic.
  First reported: 03.04.2026 18:32 (1 source, 1 article)
  Source: Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
- Three distinct PHP-based implementations have been observed: multi-layer obfuscated loaders parsing structured cookie input; segmented cookie data reconstructing file operations and decoding functions; and single-cookie markers triggering execution of supplied input or file uploads.
  First reported: 03.04.2026 18:32 (1 source, 1 article)
  Source: Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
- Initial access to deploy these shells is commonly achieved via valid credentials or exploitation of known vulnerabilities, followed by installation of a cron job that periodically reinvokes an obfuscated PHP loader to maintain persistence.
  First reported: 03.04.2026 18:32 (1 source, 1 article)
  Source: Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
- The self-healing architecture ensures the PHP loader is recreated by scheduled tasks even after removal, creating a reliable and persistent RCE channel that remains inactive under normal traffic.
  First reported: 03.04.2026 18:32 (1 source, 1 article)
  Source: Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
- Microsoft recommends enforcing multi-factor authentication for hosting control panels and SSH, monitoring for unusual login activity, restricting shell interpreter execution, auditing cron jobs, and checking for suspicious file creation in web directories to mitigate this threat.
  First reported: 03.04.2026 18:32 (1 source, 1 article)
  Source: Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers — thehackernews.com — 03.04.2026 18:32
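A defender-side audit for the two artifacts the snippets describe, PHP sources that gate an execution sink on $_COOKIE and cron entries that re-invoke a loader under a web root, as an added example that is not Microsoft's detection logic nor code from the article. The regex patterns, the web-root list and the sample files and crontab are assumptions constructed for this example.

```python
"""Heuristic audit for cookie-gated PHP web shells and cron re-installers.
Patterns, web roots and sample inputs are assumptions constructed for this
example; they are not Microsoft's or the article's detection rules."""
import re

# $_COOKIE alone is benign; the page's pattern is a cookie read feeding a sink.
COOKIE = re.compile(r"\$_COOKIE\b")
SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")

def score_php_source(src: str) -> dict:
    """Count cookie reads and list execution sinks / decoders in one PHP source."""
    return {
        "cookie_reads": len(COOKIE.findall(src)),
        "sinks": sorted({m.group(1) for m in SINKS.finditer(src)}),
        "decoders": sorted({m.group(1) for m in DECODERS.finditer(src)}),
    }

def is_suspect_php(src: str) -> bool:
    """True when a file both reads $_COOKIE and calls an execution sink."""
    s = score_php_source(src)
    return s["cookie_reads"] > 0 and bool(s["sinks"])

WEB_DIRS = ("/var/www", "public_html", "htdocs", "/srv/www")  # assumed web roots
INTERP = re.compile(r"\b(php|sh|bash|curl|wget|perl|python\d?)\b")

def suspect_cron_lines(crontab: str) -> list:
    """Flag entries running an interpreter/downloader against a web root (re-installer shape)."""
    hits = []
    for line in crontab.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = 1 if line.startswith("@") else 5  # "@hourly cmd" vs "m h dom mon dow cmd"
        cmd = line.split(None, fields)[-1]
        if INTERP.search(cmd) and any(d in cmd for d in WEB_DIRS):
            hits.append(line)
    return hits

# Constructed sample: cookie-gated loader skeleton with the payload omitted.
SAMPLE_SHELL = "<?php if(isset($_COOKIE['sid'])){eval(base64_decode(/* omitted */));}"
# Constructed sample: ordinary cookie use with no execution sink.
SAMPLE_BENIGN = "<?php $lang = $_COOKIE['lang'] ?? 'en'; echo htmlspecialchars($lang);"
# Constructed crontab: a benign renewal job, a loader re-invoker, a cleanup job.
SAMPLE_CRON = """# constructed crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * php /var/www/html/.cache/ld.php >/dev/null 2>&1
@hourly /usr/bin/find /tmp -type f -mtime +1 -delete
"""
```

Run `is_suspect_php` over each file under the web roots and `suspect_cron_lines` over every user and system crontab; a file that is flagged but legitimately needs a sink should be allow-listed by path rather than by loosening the patterns.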