www.microsoft.com 4/2/2026, 5:51:20 PM · via preferred

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments


Threat actors are increasingly abusing HTTP cookies as a control channel for PHP-based webshells on Linux servers, using attacker-supplied cookie values to gate execution, pass instructions and activate malicious functionality, according to the Microsoft Defender Security Research Team.

The technique lets the webshell stay dormant during normal application activity and operate only when specific cookie conditions are met, a pattern observed across web requests, scheduled tasks and trusted background workers, with the goal of durable post-compromise access that evades many traditional inspections.

Microsoft identifies several observed variants, including a loader with an execution gate and layered obfuscation, a direct cookie-driven payload stager, and a cookie-gated interactive webshell, all designed to separate deployment, concealment and activation and to persist via cron-based tasks. In shared hosting, attackers can leverage cron and control-panel workflows (for example via jailshell) to re-create loaders and maintain persistence, sometimes reissuing execution through a “self-healing” cron mechanism.

The campaign aligns with MITRE ATT&CK techniques such as Exploit Public-Facing Application (T1190, Initial Access), Server Software Component: Web Shell (T1505.003) and Command and Scripting Interpreter: Unix Shell (T1059.004), among others, highlighting the need to monitor cron activity, restrict shell access and inspect suspicious file creation in web directories.

2 April 2026
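A defender-side heuristic for the pattern the report describes, added here as an example and not Microsoft's own detection logic (which the summary does not publish): it flags PHP source in which $_COOKIE feeds a decoder, file write or execution sink, or in which an execution call sits inside a branch that tests a cookie value. The rule names, the six-line gate window and both sample PHP sources are constructed for illustration.

```python
import re

# Calls that execute code or commands, and the decoders/writers a stager puts in front of them.
SINK = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)"
STAGE = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|file_put_contents|fwrite|include|require)"

# Per-line rules: the call's argument list must be fed, directly or via nesting, by $_COOKIE.
LINE_RULES = [
    ("cookie_to_exec_sink", re.compile(rf"\b{SINK}\s*\([^;]*\$_COOKIE", re.I)),
    ("cookie_to_stager", re.compile(rf"\b{STAGE}\s*\([^;]*\$_COOKIE", re.I)),
]
# A gate: control flow that branches on a cookie value (isset, comparison, hash check).
GATE = re.compile(r"\b(?:if|elseif|while)\s*\(.*\$_COOKIE", re.I)
SINK_CALL = re.compile(rf"\b{SINK}\s*\(", re.I)
GATE_WINDOW = 6  # an exec sink this many lines after a cookie gate is treated as gated (assumed)

def scan_php_source(src):
    """Return (line_number, rule, stripped_line) for each suspicious line in one PHP file."""
    findings = []
    gate_until = -1
    for n, line in enumerate(src.splitlines(), start=1):
        stripped = line.strip()
        for rule, rx in LINE_RULES:
            if rx.search(line):
                findings.append((n, rule, stripped))
        if GATE.search(line):
            gate_until = n + GATE_WINDOW
        # An exec sink shortly after the gate is the "dormant until the cookie matches" pattern.
        if n <= gate_until and SINK_CALL.search(line) and not any(f[0] == n for f in findings):
            findings.append((n, "exec_sink_inside_cookie_gate", stripped))
    return findings

# Constructed samples (not from the report): a cookie-gated loader and a benign cookie use.
GATED_LOADER = """<?php
if (isset($_COOKIE['s']) && md5($_COOKIE['s']) === '0123456789abcdef0123456789abcdef') {
    $p = base64_decode($_COOKIE['d']);
    eval($p);
}
"""
BENIGN = """<?php
$lang = isset($_COOKIE['lang']) ? htmlspecialchars($_COOKIE['lang']) : 'en';
echo '<html lang="' . $lang . '">';
"""

if __name__ == "__main__":
    for label, src in (("gated loader", GATED_LOADER), ("benign", BENIGN)):
        print(label, scan_php_source(src))
```

Run it over every .php file under a document root and triage the hits; the rules are intentionally broad, so treat them as a review queue rather than a verdict.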


Article by CyberSIXT