{"id":230777,"date":"2026-04-03T11:32:00","date_gmt":"2026-04-03T15:32:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/03\/microsoft-details-cookie-controlled-php-web-shells-persisting-via-cron-on-linux-servers\/"},"modified":"2026-04-03T12:15:14","modified_gmt":"2026-04-03T16:15:14","slug":"microsoft-details-cookie-controlled-php-web-shells-persisting-via-cron-on-linux-servers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/03\/microsoft-details-cookie-controlled-php-web-shells-persisting-via-cron-on-linux-servers\/","title":{"rendered":"Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/microsoft-details-cookie-controlled-php.html\">Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/microsoft-details-cookie-controlled-php.html\">https:\/\/thehackernews.com\/2026\/04\/microsoft-details-cookie-controlled-php.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-03 11:32:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Apr 03, 2026<\/span><\/span><span class=\"p-tags\">Linux \/ Server Hardening<\/span><\/p>\n<p>Threat\u00a0actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research\u00a0Team.<\/p>\n<p>&#8220;Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality,&#8221; the tech\u00a0giant said.<\/p>\n<p>The\u00a0approach offers added stealth as it allows malicious code to stay dormant during normal application execution and activate the web shell logic only when specific cookie values are present. This\u00a0behavior, Microsoft noted, extends to web requests, scheduled tasks, and trusted background\u00a0workers.<\/p>\n<p>The\u00a0malicious activity takes advantage of the fact that cookie values are available at runtime through\u00a0the $_COOKIE superglobal variable, allowing attacker-supplied inputs to be consumed without additional parsing. What&#8217;s more, the technique is unlikely to raise any red flags as cookies blend into normal web traffic and reduce visibility.<\/p>\n<p>The\u00a0cookie-controlled execution model comes in different implementations\u00a0&#8211;<\/p>\n<ul>\n<li>A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload.<\/li>\n<li>A PHP script that segments structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.<\/li>\n<li>A PHP script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file upload.<\/li>\n<\/ul>\n<p>In\u00a0at least one case, threat actors have been found to obtain initial access to a victim&#8217;s hosted Linux environment through valid credentials or the exploitation of a known security vulnerability to set up a cron job that invokes&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/microsoft-details-cookie-controlled-php.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers https:\/\/thehackernews.com\/2026\/04\/microsoft-details-cookie-controlled-php.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":230778,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg_2zEf8l08MTElI1sGlJPVVWtscud2RAXdsivOvcby3pO4NUWMBioT3FNaFL7Bw0GeEqnX_WqY10FVqXhVNBTOrl0UMPoyun7AvshwpvfJIdfdJ0yJ1V2mz7ZHQDE9motXuuW6urvTJYu0kLGvpZf10Qx1hNeobD4YV25tJY9nvNoW9Sqd8nSsWK7NWQP0\/s1600\/php-linux.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,57,34,27],"class_list":["post-230777","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-security","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230777"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230777"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230777\/revisions"}],"predecessor-version":[{"id":230779,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230777\/revisions\/230779"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230778"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230777"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230777"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230777"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}