

Ethical Hacking News

Microsoft Warns of Sophisticated PHP Web Shells Exploiting Cookie-Controlled Execution on Linux Servers




Microsoft has warned about a new type of attack that exploits cookie-controlled PHP web shells for remote code execution on Linux servers. By leveraging HTTP cookies as a control channel, these threat actors can remain dormant during normal application execution and activate malicious functionality only when specific cookie values are present.


  • A new type of attack exploits cookie-controlled PHP web shells for remote code execution on Linux servers.
  • Cookies are used as a control channel to gain stealth, allowing attackers to stay dormant during normal application execution and activate malicious functionality only when specific cookie values are present.
  • Threat actors use different implementations, including obfuscation, runtime checks, and segmented cookie data to execute encoded secondary payloads.
  • The attacks can use a "self-healing" architecture in which a scheduled task repeatedly recreates the PHP loader, even after it has been removed during cleanup and remediation efforts.
  • Microsoft recommends enforcing multi-factor authentication, monitoring for unusual login activity, restricting shell interpreter execution, and auditing cron jobs to counter this threat.



    The threat landscape continues to evolve, and cybersecurity experts are now warning about a new type of attack that exploits cookie-controlled PHP web shells to gain remote code execution on Linux servers. According to the Microsoft Defender Security Research Team, these threat actors are utilizing HTTP cookies as a control channel for PHP-based web shells, allowing them to stay dormant during normal application execution and activate malicious functionality only when specific cookie values are present.



    This approach offers added stealth because cookie values are available at runtime through the $_COOKIE superglobal, so attacker-supplied input can be consumed without any additional parsing, which leaves few hooks for security controls to catch. Moreover, the technique is unlikely to raise red flags, since cookies blend into normal web traffic and are rarely inspected or logged in full.



    The cookie-controlled execution model comes in different implementations, including:





    In at least one case, threat actors have been found to obtain initial access to a victim's hosted Linux environment through valid credentials or the exploitation of a known security vulnerability to set up a cron job that invokes a shell routine periodically to execute an obfuscated PHP loader. This "self-healing" architecture allows the PHP loader to be repeatedly recreated by the scheduled task even if it was removed as part of cleanup and remediation efforts, thereby creating a reliable and persistent remote code execution channel.



    "By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions," Microsoft added. "By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs."



    A common aspect that ties together all the aforementioned implementations is the use of obfuscation to conceal sensitive functionality and cookie-based gating to initiate the malicious action, while leaving a minimal interactive footprint. This makes it challenging for security professionals to detect these threats as they rely on legitimate execution paths already present in the environment.
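The indicators described above (a $_COOKIE read that gates execution, an obfuscation or decoding primitive, and a dynamic execution sink) can be turned into a simple static triage check for files in a web directory. The following scanner is an added example for defenders, not Microsoft's tooling; the indicator regexes, the weights, the threshold and the three embedded PHP fixtures are all constructed assumptions.

```python
"""Static triage of PHP sources for cookie-gated loaders (added example, not from the article)."""
import re

# Indicator patterns and weights are assumptions chosen to illustrate the technique.
COOKIE_KEY = re.compile(r"\$_COOKIE\s*\[\s*['\"]?(\w+)")            # which cookie names are read
COOKIE_GATE = re.compile(r"(if|isset|empty|array_key_exists)\s*\(\s*[^)]*\$_COOKIE")
EXEC_SINK = re.compile(r"\b(eval|assert|create_function|call_user_func(_array)?)\s*\(")
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(")
VARIABLE_CALL = re.compile(r"\$\w+\s*\(")                            # $f(...): callee chosen at runtime


def score_php(source: str) -> tuple[int, list[str]]:
    """Return (score, reasons). A file that never reads $_COOKIE cannot be cookie-gated: score 0."""
    keys = set(COOKIE_KEY.findall(source))
    if not keys:
        return 0, []
    score, reasons = 0, []
    if COOKIE_GATE.search(source):
        score += 1; reasons.append("cookie value used as an execution gate")
    if EXEC_SINK.search(source):
        score += 3; reasons.append("dynamic code execution sink present")
    if DECODER.search(source):
        score += 2; reasons.append("decoding/obfuscation primitive present")
    if VARIABLE_CALL.search(source):
        score += 2; reasons.append("variable function call (callee resolved at runtime)")
    if len(keys) >= 2:
        score += 1; reasons.append(f"{len(keys)} cookie keys read (possible segmented payload)")
    return score, reasons


def scan(files: dict[str, str], threshold: int = 4) -> dict[str, tuple[int, list[str]]]:
    """Map file name -> (score, reasons) for every file at or above the threshold."""
    results = {name: score_php(src) for name, src in files.items()}
    return {name: res for name, res in results.items() if res[0] >= threshold}


# Constructed fixtures: a legitimate cookie read, a gated loader, and a segmented-cookie variant.
BENIGN = "<?php\n$lang = $_COOKIE['lang'] ?? 'en';\necho htmlspecialchars($lang);\n"
GATED = "<?php\nif (isset($_COOKIE['k'])) { eval(base64_decode($_COOKIE['k'])); }\n"
SEGMENTED = "<?php\n$p = $_COOKIE['a'] . $_COOKIE['b'];\n$f = str_rot13($p);\n$f($_COOKIE['c']);\n"

if __name__ == "__main__":
    for name, (score, reasons) in scan({"index.php": BENIGN, "cache.php": GATED, "x.php": SEGMENTED}).items():
        print(f"{name}: score={score}; " + "; ".join(reasons))
```

A legitimate locale cookie scores 0 while both loader variants cross the threshold, so the check can run over a web root (or over the files a suspicious cron job writes) without flagging every page that reads a cookie.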



    To counter this threat, Microsoft recommends enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces; monitoring for unusual login activity; restricting the execution of shell interpreters; auditing cron jobs and scheduled tasks across web servers; checking for suspicious file creation in web directories; and limiting hosting control panels' shell capabilities.



    "The consistent use of cookies as a control mechanism suggests reuse of established web shell tradecraft," Microsoft said. "By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls."



    Furthermore, the technique leverages legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code. This approach allows threat actors to bypass complex exploit chains and maintain stealth by blending into normal traffic.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Warns-of-Sophisticated-PHP-Web-Shells-Exploiting-Cookie-Controlled-Execution-on-Linux-Servers-ehn.shtml

  • https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html

  • https://www.microsoft.com/en-us/security/blog/2026/04/02/cookie-controlled-php-webshells-tradecraft-linux-hosting-environments/


  • Published: Fri Apr 3 12:40:40 2026 by llama3.2 3B Q4_K_M
