ACCORDING to Microsoft Defender Security Research Team, threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers to achieve remote code execution. The researchers note that instead of exposing commands via URL parameters, these web shells gate execution, pass instructions, and activate malicious functionality through threat actor-supplied cookie values, a method they say offers added stealth since cookies blend into normal web traffic.
The cookie-controlled execution model unfolds across web requests, scheduled tasks, and trusted background workers, with the malware remaining dormant until specific cookie values are seen. In one scenario the researchers describe, initial access to a victim's hosted Linux environment was obtained with valid credentials or by exploiting a known vulnerability; the attacker then set up a cron job that periodically invokes a shell routine to run an obfuscated PHP loader, establishing a persistent remote code execution channel.
This self-healing approach lets the scheduled task recreate the PHP loader even after cleanup, maintaining persistence while minimising observable logs. To counter the threat, Microsoft recommends measures including auditing cron jobs, restricting shell execution, and monitoring for unusual login activity. 3 April 2026.
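As an added illustration of the cron-audit step Microsoft recommends (example code written for this page, not Microsoft's tooling), the script below flags crontab entries whose command calls a shell or PHP interpreter directly or points into a web-writable or world-writable path, which is the shape of the scheduled task described above. The sample crontab lines are constructed; the regexes are heuristics and the path list is an assumption to tune per host.

```shell
#!/bin/sh
# Constructed sample crontab lines (not taken from the article): two benign
# entries and two matching the scheduled-task pattern Microsoft describes.
SAMPLE_CRON='# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /bin/sh -c "php /var/www/html/.cache/loader.php"
@hourly sh /dev/shm/.x.sh
30 3 * * 0 /usr/local/bin/backup.sh'

# Read user-crontab text on stdin and print every entry whose command field
# either calls a shell or PHP interpreter directly, or references a path that
# the web-server account or any local user can typically write to.
flag_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    awk '{
        start = ($1 ~ /^@/) ? 2 : 6      # @hourly-style entries have one schedule field
        cmd = ""
        for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
        if (cmd ~ "(^|[/ ])(sh|bash|dash)([ \"]|$)" ||
            cmd ~ "(^|[/ ])php([ \"]|$)" ||
            cmd ~ "/(tmp|dev/shm|var/www)/")        # assumed writable locations; adjust per host
            print $0
    }'
}

# Number of flagged entries, so the audit can be wired into a monitoring job.
count_flagged() {
    printf '%s\n' "$1" | flag_cron_entries | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CRON" | flag_cron_entries
echo "flagged: $(count_flagged "$SAMPLE_CRON")"
```

Feed each user's `crontab -l` output into `flag_cron_entries`; `/etc/crontab` and `/etc/cron.d` files carry an extra user column, so they need a different field offset.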