Close Menu
    What's Hot

    China’s Chip Champion to Raise Billions in Race for A.I. Control

    Wall Street banks are AI stocks now

    The great AI layoff is turning into the great AI rehire

    Facebook X (Twitter) Instagram
    Trending
    • China’s Chip Champion to Raise Billions in Race for A.I. Control
    • Wall Street banks are AI stocks now
    • The great AI layoff is turning into the great AI rehire
    • Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines
    • How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News
    • Wayfair Coupons: Up to 80% Off July 2026
    • Today on Sky Sports Racing: Bath, Lingfield, Yarmouth and Uttoxeter | Racing News
    • OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

    adminBy adminApril 3, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 03, 2026Linux / Server Hardening

    Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

    Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.

    “Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality,” the tech giant said.

    The approach offers added stealth as it allows malicious code to stay dormant during normal application execution and activate the web shell logic only when specific cookie values are present. This behavior, Microsoft noted, extends to web requests, scheduled tasks, and trusted background workers.

    The malicious activity takes advantage of the fact that cookie values are available at runtime through the $_COOKIE superglobal variable, allowing attacker-supplied inputs to be consumed without additional parsing. What’s more, the technique is unlikely to raise any red flags as cookies blend into normal web traffic and reduce visibility.

    Cybersecurity

    The cookie-controlled execution model comes in different implementations –

    • A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload.
    • A PHP script that segments structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.
    • A PHP script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file upload.

    In at least one case, threat actors have been found to obtain initial access to a victim’s hosted Linux environment through valid credentials or the exploitation of a known security vulnerability to set up a cron job that invokes a shell routine periodically to execute an obfuscated PHP loader.

    This “self-healing” architecture allows the PHP loader to be repeatedly recreated by the scheduled task even if it was removed as part of cleanup and remediation efforts, thereby creating a reliable and persistent remote code execution channel. Once the PHP loader is deployed, it remains inactive during normal traffic and springs into action upon receiving HTTP requests with specific cookie values. 

    “By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions,” Microsoft added. “By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs.”

    A common aspect that ties together all the aforementioned implementations is the use of obfuscation to conceal sensitive functionality and cookie-based gating to initiate the malicious action, while leaving a minimal interactive footprint.

    Cybersecurity

    To counter the threat, Microsoft recommends enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces; monitoring for unusual login activity; restricting the execution of shell interpreters; auditing cron jobs and scheduled tasks across web servers; checking for suspicious file creation in web directories; and limiting hosting control panels’ shell capabilities.

    “The consistent use of cookies as a control mechanism suggests reuse of established web shell tradecraft,” Microsoft said. “By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.”

    “Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code.”

    CookieControlled Cron Details Linux Microsoft Persisting PHP servers Shells web
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleEaster traffic builds ahead of bumper long weekend
    Next Article Lenovo Legion Go 2 suddenly costs $650 more as RAMageddon lays waste to gaming hardware
    admin
    • Website

    Related Posts

    OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

    July 15, 2026

    How Pentera Turns AI Security Workflows into Validation Engines

    July 15, 2026

    Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    China’s Chip Champion to Raise Billions in Race for A.I. Control

    Wall Street banks are AI stocks now

    The great AI layoff is turning into the great AI rehire

    Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by