What are cookie-controlled PHP web shells?

They're PHP scripts on Linux servers that use HTTP cookie values as commands, staying hidden until triggered—persisting via cron jobs for remote control.

How do attackers persist PHP web shells with cron?

They set a cron job to periodically recreate an obfuscated loader file; it activates only on specific cookies, surviving deletions.

Are Linux servers safe from cookie web shells?

No—hosted environments with cPanels are hit hardest. Audit crons, enforce MFA, monitor file creates to mitigate.

🎯 Threat Intelligence

Microsoft Unmasks Cookie-Driven PHP Shells Lurking in Linux Crons

Attackers are hijacking cookies to puppet PHP web shells on Linux servers, staying dormant until pinged. Microsoft's latest intel shows cron jobs making them nearly unkillable.

Threat Digest Apr 03, 2026 3 min read 21 views

Read in: Deutsch English Español Français Italiano 日本語 한국어 Português (BR) Русский Türkçe

Diagram of cookie-triggered PHP web shell persisting via cron on Linux server

⚡ Key Takeaways

Threat actors use HTTP cookies to stealthily control PHP web shells on Linux, activating only on specific values. 𝕏
Cron jobs enable self-healing persistence, recreating shells even after removal. 𝕏
Microsoft urges MFA, cron audits, and file monitoring to counter this low-noise tradecraft. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#Linux servers #PHP web shells #cookie-controlled malware #cron persistence

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Coca-Cola and Ferrari Job Offers Hijacking Your Google Accounts in Real Time

Venom PhaaS Powers Ruthless Credential Grabs from C-Suite Targets

53% of Firms Run Critically Outdated Mobile OS—Attack Surface Explodes

SparkCat's Sneaky Return: App Store Apps Now Hunt Your Crypto Seed Phrases

Stay in the loop