{"id":60421,"date":"2026-04-02T15:37:22","date_gmt":"2026-04-02T15:37:22","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146255"},"modified":"2026-04-02T15:37:22","modified_gmt":"2026-04-02T15:37:22","slug":"cookie-controlled-php-webshells-a-stealthy-tradecraft-in-linux-hosting-environments","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cookie-controlled-php-webshells-a-stealthy-tradecraft-in-linux-hosting-environments\/","title":{"rendered":"Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Threat actors are increasingly abusing HTTP cookies as a control channel for PHP-based webshells on Linux servers. 
Instead of exposing command execution through URL parameters or request bodies, these webshells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality.<\/p>\n<p class=\"wp-block-paragraph\">This approach reduces visibility by allowing malicious code to remain dormant during normal application behavior and execute only when specific cookie conditions are met. This technique has been observed across multiple execution contexts, including web requests, scheduled tasks, and trusted background workers.<\/p>\n<p class=\"wp-block-paragraph\">The consistent use of cookies as a control mechanism suggests reuse of established webshell tradecraft. By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.<\/p>\n<h2 class=\"wp-block-heading\" id=\"cookie-controlled-execution-behavior\">Cookie-controlled execution behavior<\/h2>\n<p class=\"wp-block-paragraph\">Across the activity analyzed, HTTP cookies acted as the primary trigger for malicious execution. Instead of exposing functionality through visible URL parameters or request bodies, the webshell logic remained dormant unless specific cookie values were present. Only when those conditions were satisfied did the script reconstruct and execute threat actor\u2013controlled behavior.<\/p>\n<p class=\"wp-block-paragraph\">Threat actors likely prefer this approach because cookies blend into normal web traffic and often receive less scrutiny than request paths or payloads. In PHP, cookie values are immediately available at runtime, for example through the $_COOKIE superglobal, allowing malicious code to consume attacker-supplied input without additional parsing. By shifting execution control into cookies, the webshell can remain hidden in normal traffic, activating only during deliberate interactions. 
This reduces routine logging and inspection visibility while enabling persistent access without frequent changes to files on disk.<\/p>\n<h2 class=\"wp-block-heading\" id=\"observed-variants-of-cookie-controlled-php-web-shells\">Observed variants of cookie-controlled PHP&nbsp;web shells<\/h2>\n<p class=\"wp-block-paragraph\">Although the core technique remained consistent across incidents, the PHP implementations varied in structure and complexity. The following examples illustrate how attackers adapted the same cookie-controlled execution model across different environments.&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"loader-with-execution-gating-and-layered-obfuscation\">Loader with execution gating and layered obfuscation<\/h3>\n<p class=\"wp-block-paragraph\">One observed implementation introduced an&nbsp;additional&nbsp;execution gate before processing any cookie input. The loader first evaluated request context and reconstructed core PHP functions dynamically using arithmetic operations and string manipulation. Sensitive function names were intentionally absent in cleartext, significantly reducing&nbsp;obvious&nbsp;indicators&nbsp;and complicating&nbsp;pattern-based detection.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">After the&nbsp;initial&nbsp;base64 decoding, the PHP script did not&nbsp;immediately&nbsp;reveal obvious command functionality. Instead, it exposed a second, deliberate layer of obfuscation. Critical operations were rebuilt programmatically at runtime, with function names and execution logic assembled character-by-character. 
This design ensured that meaningful&nbsp;behavior&nbsp;remained concealed until execution conditions were satisfied.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-68.webp\" alt class=\"wp-image-146260 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-68.webp\"><\/figure>\n<p class=\"wp-block-paragraph\">Only after&nbsp;these runtime&nbsp;checks passed did the script begin parsing structured cookie input. Cookie values were segmented and transformed into function identifiers, file paths, and decoding routines. If a secondary payload was not already present, the loader reconstructed it from encoded data, wrote it to a dynamically determined location, and transferred execution using&nbsp;\u2018include\u2019.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">This layered approach separated deployment, obfuscation, and activation into distinct stages. Under routine traffic, the file appeared inert. When supplied with deliberate&nbsp;attacker-controlled input, however, it transitioned into a fully functional execution framework.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-69.webp\" alt class=\"wp-image-146261 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-69.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"direct-cookie-driven-payload-stager\">Direct cookie-driven payload stager<\/h3>\n<p class=\"wp-block-paragraph\">Another observed implementation relied on structured cookie data without extensive preliminary gating. The script segmented cookie input to reconstruct operational components such as file handling and decoding functions. 
As with the previous loader, it conditionally wrote a secondary payload to disk and executed it if absent.<\/p>\n<p class=\"wp-block-paragraph\">Although simpler in structure, this variant achieved the same objective: staged deployment and execution controlled by cookie values rather than visible request parameters.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-70.webp\" alt class=\"wp-image-146262 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-70.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"cookie-gated-interactive-webshell\">Cookie-gated interactive webshell<\/h3>\n<p class=\"wp-block-paragraph\">A streamlined variant was also observed in which a single cookie value acts as an execution key. When the expected cookie condition is met, the script enables threat actor\u2013controlled actions, including direct execution of supplied input and, in some cases, file upload. 
Unlike staged loader chains, this implementation operates within a single script and does not rely on a separate secondary payload written to disk.<\/p>\n<p class=\"wp-block-paragraph\">In this design, cookies primarily serve as a validation mechanism rather than a payload container.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-71.webp\" alt class=\"wp-image-146263 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-71.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"observed-attack-flow-persistence-through-scheduled-tasks\">Observed attack flow: Persistence through scheduled tasks<\/h3>\n<p class=\"wp-block-paragraph\">During incident investigation, we analyzed a compromise in which the threat actor prioritized durable, low-noise persistence within a hosted Linux environment. After obtaining access to the victim\u2019s hosting account, the threat actor used the platform\u2019s legitimate management interface, such as a control panel workflow, to register a cron job. In environments that provide restricted shell access, for example via <code>\/usr\/local\/cpanel\/bin\/jailshell<\/code>, authenticated users can execute commands within their account boundary, including registering or launching scheduled tasks. Because these actions follow normal administrative paths, they appear as routine account-level operations rather than overt system modifications.<\/p>\n<p class=\"wp-block-paragraph\">In shared hosting scenarios, this level of access is typically equivalent to user-level control within the account\u2019s isolated environment. While it does not indicate root-level compromise or control of the underlying server, it provides sufficient capability to modify web content, deploy PHP scripts, and schedule recurring execution through cron. 
These permissions are often enough to convert temporary access into persistent remote code execution within the hosted account.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-72.webp\" alt class=\"wp-image-146266 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-72.webp\"><\/figure>\n<p class=\"wp-block-paragraph\">As illustrated in the diagram, the cron job executed at regular intervals and invoked a shell routine that reconstructed an obfuscated PHP loader into a web-accessible location. This behavior was intentionally implemented to maintain persistence. If the loader was removed, the scheduled task recreated it on the next execution cycle. The job also applied restrictive file permissions, making manual modification or removal more difficult during incident response.<\/p>\n<p class=\"wp-block-paragraph\">This \u201cself-healing\u201d mechanism, controlled by the threat actor, allowed the malicious file to reappear after cleanup attempts, complicating remediation and enabling a more stable foothold within the affected hosting account.<\/p>\n<p class=\"wp-block-paragraph\">Once deployed, the PHP loader followed the same low-visibility pattern described earlier. It remained inactive during normal traffic and activated only when specific cookie conditions were met. On activation, it dynamically rebuilt functionality at runtime and transferred execution to threat actor\u2013controlled logic. 
By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"commonalities-and-delivery-methods\">Commonalities and delivery methods<\/h3>\n<p class=\"wp-block-paragraph\">Across the activity analyzed, a consistent operational pattern emerged. While individual implementations varied in structure, each relied on multi-layer obfuscation to conceal sensitive functionality and cookie-gated execution to control activation. Under routine traffic conditions, the scripts remained dormant. Only when specific cookie values were supplied did the malicious logic reconstruct and execute. Whether deployed as a staged loader or an interactive webshell, the objective remained consistent: controlled activation with minimal observable footprint.<\/p>\n<p class=\"wp-block-paragraph\">The delivery mechanism followed a similarly deliberate design. In multiple environments, web-facing processes such as php-fpm spawned shell commands that reconstructed obfuscated PHP files using the recognizable <code>echo | base64 -d &gt; file.php<\/code> pattern. In other cases, equivalent commands were executed within restricted shell environments, such as through cPanel jailshell, or established via scheduled tasks at the hosting account level.<\/p>\n<p class=\"wp-block-paragraph\">Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code. The repeated use of base64 reconstruction combined with multi-layer runtime obfuscation separated deployment, concealment, and activation into distinct phases. 
This layered design allowed the malicious code to blend into normal operational activity while maintaining reliable remote code execution.<\/p>\n<h3 class=\"wp-block-heading\" id=\"why-persistence-enables-long-term-remote-code-execution\">Why persistence enables long-term remote code execution<\/h3>\n<p class=\"wp-block-paragraph\">In the attacks analyzed, persistence was deliberate, not incidental. Rather than depending on a single exploit or a short-lived foothold, the threat actor turned initial access into a repeatable mechanism for remote code execution (RCE). By combining scheduled tasks with obfuscated PHP loaders, they preserved the ability to execute code even after the original entry point was remediated or access paths were disrupted.<\/p>\n<p class=\"wp-block-paragraph\">Persistent RCE provides long-term flexibility. It allows threat actors to return on demand to run additional commands, deploy follow-on payloads, alter application behavior, or pivot to other resources without repeatedly re-triggering the same exploit chain. This reduces operational risk and can limit the number of noisy intrusion attempts that might otherwise raise alerts.<\/p>\n<p class=\"wp-block-paragraph\">In shared hosting environments, account-level access is often sufficient to create scheduled tasks, modify web content, and run arbitrary PHP within the affected site\u2019s boundaries. When execution is further protected behind cookie-gated activation, the malicious logic can remain dormant during routine activity and activate only when the threat actor supplies the correct input. 
Over time, this durable access can support data theft, expansion to adjacent applications, or compromise of connected services, often with minimal visible disruption.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance&nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following mitigations to reduce the impact of PHP&nbsp;webshell\u2013based compromises discussed in this report. These recommendations build on established guidance from&nbsp;previous&nbsp;Microsoft Defender research and align with protections available across Microsoft Defender XDR to help organizations prevent, detect, and respond to post-compromise&nbsp;web shell&nbsp;activity targeting web servers and application workloads.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><strong>Strengthen Hosting Account Security<\/strong>&nbsp;<br \/>Enforce multi-factor authentication for hosting control panels, SSH access, and&nbsp;administrative interfaces. Monitor for unusual login activity, particularly from unfamiliar IP addresses or geographies, as compromised account credentials are often sufficient to deploy&nbsp;webshells&nbsp;and create persistence mechanisms.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><strong>Restrict Web Server Process Execution<\/strong>&nbsp;<br \/>Limit the ability of&nbsp;web\u2011facing&nbsp;services such as&nbsp;php\u2011fpm&nbsp;or application worker workloads to spawn shell processes. 
Restrict the execution of shell interpreters (sh, bash, dash) and commonly abused encoding or file ingress utilities such as base64, curl, and wget from web server execution contexts unless they are explicitly required by the application.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Advanced Hunting can be used to surface cases where web server workloads spawn shell interpreters or execute encoded or file\u2011retrieval commands, as these patterns provide high\u2011signal indicators of webshell execution and command injection attempts.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><strong>Audit and Monitor Scheduled Tasks<\/strong>&nbsp;<br \/>Regularly review account\u2011level cron jobs and scheduled tasks across web servers and application hosts. Unexpected entries that invoke shell commands or write files into web\u2011accessible directories may indicate persistence mechanisms used to deploy, restore, or re\u2011activate malicious webshell loaders.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Advanced Hunting can be used to identify cron\u2011initiated execution patterns, including unusually short execution intervals (for example, recurring one\u2011minute jobs) and command lines associated with file creation, script execution, encoding utilities, or file ingress tools. These behaviours are commonly observed during web shell persistence and recovery activity following initial compromise.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><strong>Inspect Suspicious File Creation in Web Directories<\/strong>&nbsp;<br \/>Focus on suspicious content deployment into web directories by monitoring the command\u2011line techniques used to write or retrieve files, rather than relying on file creation telemetry alone. 
Attackers&nbsp;frequently&nbsp;deploy PHP web shells by decoding obfuscated payloads inline (for example, using echo piped to base64 -d with output redirection) or by downloading scripts via file ingress tools such as curl or&nbsp;wget&nbsp;from web server or application execution contexts.&nbsp;&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Advanced Hunting can be used to&nbsp;identify&nbsp;these&nbsp;behaviors&nbsp;by querying process execution events for decoding pipelines, redirection operators, or network retrieval utilities associated with web-facing workloads, providing high\u2011signal visibility into&nbsp;webshell&nbsp;deployment activity.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><strong>Limit Control Panel Shell Capabilities<\/strong>&nbsp;<br \/>Where hosting control panels are used, restrict or disable shell access&nbsp;such as&nbsp;jailshell&nbsp;wherever possible. If shell access is&nbsp;required, enforce strict access controls and closely&nbsp;monitor&nbsp;command execution to reduce the risk of attackers abusing these environments to deploy or interact with malicious PHP loaders and&nbsp;webshells.<\/p>\n<p class=\"wp-block-paragraph\">Advanced hunting queries that track command execution from control panel&nbsp;restricted shells can help&nbsp;identify&nbsp;abuse patterns in which attackers&nbsp;leverage&nbsp;legitimate hosting features to&nbsp;maintain&nbsp;access or execute post-compromise tooling.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following mitigations to reduce the impact of this threat in Linux environments protected by Microsoft Defender for Endpoint:&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Enable cloud-delivered protection<\/strong>&nbsp;in Microsoft Defender for Endpoint on Linux or the equivalent capability in your antivirus solution. 
Cloud-based protection helps rapidly detect and block emerging attacker tools, including newly deployed PHP&nbsp;webshells&nbsp;and post-compromise scripts that may evade traditional signature-based detection.&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Ensure real-time protection is enabled<\/strong>&nbsp;on Linux servers to continuously scan files written to disk, including web directories commonly targeted during PHP&nbsp;web shell&nbsp;deployment (such as \/var\/www, application upload paths, and temporary directories).&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Enable&nbsp;behaviour&nbsp;monitoring<\/strong>&nbsp;to detect suspicious runtime activity associated with&nbsp;webshell&nbsp;abuse, such as anomalous child processes spawned by web server processes, execution of system utilities from PHP interpreters, credential access attempts, or data staging and exfiltration&nbsp;behaviours.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/security-copilot-in-microsoft-365-defender\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Copilot in Microsoft Defender<\/a>&nbsp;to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. 
Security teams can&nbsp;leverage&nbsp;Copilot to&nbsp;assist&nbsp;with the analysis and interpretation of obfuscated or heavily encoded scripts, helping accelerate triage and improve understanding of attacker tradecraft during web shell and post-compromise investigations.&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"20\">\n<tr readability=\"4\">\n<td><strong>Tactic<\/strong>\u202f\u202f\u202f&nbsp;<\/td>\n<td><strong>Observed activity<\/strong>\u202f\u202f\u202f&nbsp;<\/td>\n<td><strong>Microsoft Defender coverage<\/strong>\u202f\u202f\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"12\">\n<td>Initial Access,&nbsp;Execution,&nbsp;Defense Evasion\u202f&nbsp;<\/td>\n<td>An obfuscated or encoded script is executed by the&nbsp;cron&nbsp;service,&nbsp;indicating&nbsp;suspicious scheduled execution activity potentially used to bypass direct user interaction and evade detection.&nbsp;&nbsp;<\/td>\n<td><strong>Microsoft Defender&nbsp;for Endpoint<\/strong>\u202f&nbsp;Suspicious script launched,&nbsp;Suspicious shell command execution&nbsp;Suspicious file and directory permission modification&nbsp;<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Execution&nbsp;Persistence&nbsp;<\/td>\n<td>A new&nbsp;cron&nbsp;job is created by a hosting control panel process (such as cPanel), to&nbsp;establish&nbsp;persistence by scheduling recurring execution of attacker-controlled&nbsp;commands or scripts without further user interaction.&nbsp;&nbsp;<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong>\u202f&nbsp;Suspicious&nbsp;cron&nbsp;job&nbsp;Suspicious execution of elevated process&nbsp;<strong><\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Persistence&nbsp;<\/td>\n<td>A PHP file (for example,&nbsp;index.php) is dropped or&nbsp;modified&nbsp;in a web-accessible directory, suggesting the deployment of a server-side script that may be used to execute arbitrary commands or&nbsp;maintain&nbsp;long-term access to the 
web server&nbsp;<\/td>\n<td><strong>Microsoft Defender for Endpoint<\/strong>\u202f&nbsp;Possible Web Server&nbsp;compromise activity&nbsp;<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>\u202fPersistence&nbsp;<\/td>\n<td>\u202fA PHP&nbsp;webshell&nbsp;file (such as&nbsp;index.php) is written to disk and identified as active malware,&nbsp;indicating&nbsp;confirmation of server-side backdoor deployment intended for remote command execution via HTTP requests.&nbsp;<\/td>\n<td><strong>Microsoft Defender Antivirus<\/strong>&nbsp;An active \u2018Webshell\u2019 malware was blocked&nbsp;\u2018WebShell\u2019 malware was prevented&nbsp;An active \u2018Obfuse\u2019 malware was blocked&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"microsoft-security-copilot-prompts\">Microsoft Security Copilot&nbsp;prompts<\/h2>\n<p class=\"wp-block-paragraph\">Security Copilot customers can use the standalone experience to&nbsp;<a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\" target=\"_blank\" rel=\"noreferrer noopener\">create their own prompts<\/a>&nbsp;or run the following&nbsp;<a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\" target=\"_blank\" rel=\"noreferrer noopener\">prebuilt promptbooks<\/a>&nbsp;to automate incident response or investigation tasks related to this threat:&nbsp;&nbsp;&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Incident investigation&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Microsoft User analysis&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Threat actor profile&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Threat Intelligence 360 report based on MDTI article&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li 
class=\"wp-block-list-item\">Vulnerability impact assessment&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-threat-analytics\">Microsoft Defender XDR threat analytics<\/h2>\n<h3 class=\"wp-block-heading\" id=\"advanced-hunting-queries\"><strong>Advanced&nbsp;Hunting queries&nbsp;&nbsp;&nbsp;<\/strong>&nbsp;<\/h3>\n<p class=\"wp-block-paragraph\"><strong>Web Server Spawning Shell<\/strong>&nbsp;<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"22\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where InitiatingProcessFileName in~ (\"php-fpm\", \"httpd\", \"apache2\", \"nginx\") | where FileName in~ (\"bash\", \"sh\", \"dash\") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath | order by Timestamp desc <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Base64 Decode Writing PHP File<\/strong>&nbsp;<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"18\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where FileName in~ (\"bash\", \"sh\", \"dash\", \"jailshell\") | where ProcessCommandLine has \"base64\" | where ProcessCommandLine has \".php\" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>tee Writing PHP Files<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"13\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where ProcessCommandLine has \"tee\" | where ProcessCommandLine has \".php\" | project Timestamp, DeviceName, AccountName, 
InitiatingProcessFileName, ProcessCommandLine | order by Timestamp desc <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>cPanel \/&nbsp;jailshell&nbsp;Abuse<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"16\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where FileName in~ (\"jailshell\", \"cpanel\") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>High-Risk Combined Pattern<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"21\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where InitiatingProcessFileName in~ (\"php-fpm\", \"httpd\", \"apache2\", \"nginx\", \"cron\", \"crond\") | where ProcessCommandLine has \"base64\" | where ProcessCommandLine has_any (\".php\", \"public_html\", \"vendor\") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine | order by Timestamp desc\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Unexpected Shell from Backend Workers<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"16\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where InitiatingProcessCommandLine has_any (\"artisan\", \"queue:work\", \"fwconsole\") | where FileName in~ (\"bash\", \"sh\", \"dash\") | project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine | order by Timestamp desc <\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Repeated Execution Pattern (1-Minute Cron)<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"12\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents | where InitiatingProcessFileName in~ (\"cron\", \"crond\") | summarize count() by DeviceName, 
ProcessCommandLine, bin(Timestamp, 1m) | where count_ &gt; 10 | order by count_ desc\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"mitre-att-ck-techniques-observed\">MITRE ATT&amp;CK\u2122 Techniques observed<\/h2>\n<p class=\"wp-block-paragraph\">This campaign exhibited the following MITRE ATT&amp;CK\u2122 techniques across multiple tactics. For detailed detection and prevention capabilities, see the Microsoft Defender XDR detections section above.&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"25.5\">\n<tr readability=\"2\">\n<td><strong>Tactic<\/strong>&nbsp;<\/td>\n<td><strong>Technique ID<\/strong>&nbsp;<\/td>\n<td><strong>Technique Name<\/strong>&nbsp;<\/td>\n<td><strong>How it Presents in This Campaign<\/strong>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Initial Access&nbsp;<\/td>\n<td>T1190&nbsp;<\/td>\n<td>Exploit Public-Facing Application&nbsp;<\/td>\n<td>Attackers gain access through exposed web applications or hosting environments and use that access to introduce server-side tooling that blends into the web stack.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Persistence&nbsp;<\/td>\n<td>T1505.003&nbsp;<\/td>\n<td>Server Software Component: Web Shell&nbsp;<\/td>\n<td>A PHP webshell is placed in a web-accessible location and designed to remain dormant during normal traffic, enabling long-term access through web requests.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Defense Evasion&nbsp;<\/td>\n<td>T1027&nbsp;<\/td>\n<td>Obfuscated\/Encrypted File or Information&nbsp;<\/td>\n<td>Payloads and scripts are obfuscated or encoded (for example, high-entropy strings and base64-encoded blobs) to reduce inspection and evade simple content-based detections.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Defense Evasion&nbsp;<\/td>\n<td>T1140&nbsp;<\/td>\n<td>Deobfuscate\/Decode Files or Information&nbsp;<\/td>\n<td>Attackers decode inline payloads at runtime, such as echo &lt;blob&gt; | base64 -d &gt; &lt;file&gt; to 
reconstruct PHP content on disk with minimal interactive footprint.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Command and Control&nbsp;<\/td>\n<td>T1105&nbsp;<\/td>\n<td>Ingress Tool Transfer&nbsp;<\/td>\n<td>Additional&nbsp;files or second-stage scripts are retrieved using file ingress utilities such as curl or&nbsp;wget, often writing directly into web directories or application paths.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"10\">\n<td>Execution&nbsp;<\/td>\n<td>T1059.004&nbsp;<\/td>\n<td>Command and Scripting Interpreter: Unix Shell&nbsp;<\/td>\n<td>Web-facing workloads (for example,&nbsp;php-fpm, apache2, nginx) spawn shell interpreters (sh, bash, dash) to execute attacker-provided commands from&nbsp;webshell&nbsp;logic or injected requests.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Persistence&nbsp;<\/td>\n<td>T1053.003&nbsp;<\/td>\n<td>Scheduled Task\/Job: Cron&nbsp;<\/td>\n<td>Persistence is&nbsp;established&nbsp;via&nbsp;cron, including jobs created by hosting tooling (for example, cPanel) and recurring execution patterns (including short intervals such as one-minute loops).&nbsp;<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Defense&nbsp;Evasion&nbsp;<\/td>\n<td>T1222.002&nbsp;<\/td>\n<td>File and Directory Permissions Modification&nbsp;<\/td>\n<td>File or directory permissions are&nbsp;modified&nbsp;to enable write\/execute access in web paths or to ensure persistence artifacts&nbsp;remain&nbsp;accessible to the compromised runtime context.&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<p class=\"wp-block-paragraph\"><em>This research is provided by Microsoft Defender Security Research with contributions from\u202fYashashree Gund&nbsp;and other members of Microsoft Threat Intelligence.<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p class=\"wp-block-paragraph\">Review\u202four\u202fdocumentation\u202fto learn\u202fmore about our 
real-time protection capabilities and see how to enable them within your organization.<\/p>\n<p class=\"wp-block-paragraph\">Learn more about <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/real-time-agent-protection-during-runtime\" target=\"_blank\" rel=\"noreferrer noopener\">Protect your agents in real-time during runtime (Preview) \u2013 Microsoft Defender for Cloud Apps<\/a><\/p>\n<p class=\"wp-block-paragraph\">Explore <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365-copilot\/extensibility\/copilot-studio-agent-builder\" target=\"_blank\" rel=\"noreferrer noopener\">how to build and customize agents with Copilot Studio Agent Builder<\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/microsoft-365-copilot-ai-security\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365 Copilot AI security documentation<\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/04\/11\/how-microsoft-discovers-and-mitigates-evolving-attacks-against-ai-guardrails\/\" target=\"_blank\" rel=\"noreferrer noopener\">How Microsoft discovers and mitigates evolving attacks against AI guardrails<\/a><\/p>\n<p class=\"wp-block-paragraph\">Learn more about <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/ai-agent-protection\" target=\"_blank\" rel=\"noreferrer noopener\">securing Copilot Studio agents with Microsoft Defender<\/a><\/p>\n<p>Read the full post on the Microsoft Security Blog: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/02\/cookie-controlled-php-webshells-tradecraft-linux-hosting-environments\/\">Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux
hosting environments. This post examines how this tradecraft conceals execution behind specially crafted HTTP cookies.<br \/>\nThe post Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments appeared first on Microsoft Security Blog.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[493],"class_list":["post-60421","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-linux"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60421"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60421\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
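
Added worked example for the hunting queries in the post above (this is not part of the original post and not Microsoft's code). The four queries are KQL for Microsoft Defender, so they cannot be run against an offline export; the Python below re-implements the same four rules over DeviceProcessEvents-style records and adds the step a responder takes on a high-risk hit: reversing the echo <blob> | base64 -d > <file> staging (T1140) and checking the reconstructed PHP for the cookie-gating markers the post describes ($_COOKIE, eval, base64_decode). The records, host name, account, paths and the gated PHP one-liner are constructed for the example, not observed indicators. KQL's term-based, case-insensitive has is approximated with case-insensitive substring matching, so this version can match slightly more than the original queries do.

```python
"""Offline re-implementation of the four hunting queries plus a T1140 reversal.
Added example, not Microsoft's code; KQL's term-based `has` is approximated
with case-insensitive substring checks."""
import base64
import re
from collections import Counter
from datetime import datetime

# Process names and markers taken from the queries on the page.
WEB_AND_CRON_PARENTS = {"php-fpm", "httpd", "apache2", "nginx", "cron", "crond"}
CRON_PARENTS = {"cron", "crond"}
SHELLS = {"bash", "sh", "dash"}
HOSTING_BINARIES = {"jailshell", "cpanel"}
WORKER_MARKERS = ("artisan", "queue:work", "fwconsole")
WEB_PATH_MARKERS = (".php", "public_html", "vendor")
# Markers of cookie-gated PHP execution, looked for in decoded payloads.
COOKIE_SHELL_MARKERS = ("$_COOKIE", "eval(", "base64_decode(", "system(", "shell_exec(", "passthru(")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def hunt_hosting_binaries(events):
    """cPanel / jailshell abuse: panel shells launched on the host."""
    return [e for e in events if e["FileName"].lower() in HOSTING_BINARIES]


def hunt_base64_to_web_path(events):
    """High-risk combined pattern: web or cron parent, base64, and a web path."""
    hits = []
    for e in events:
        cmd = e["ProcessCommandLine"].lower()
        if (e["InitiatingProcessFileName"].lower() in WEB_AND_CRON_PARENTS
                and "base64" in cmd
                and any(m in cmd for m in WEB_PATH_MARKERS)):
            hits.append(e)
    return hits


def hunt_worker_spawned_shell(events):
    """Unexpected shell from backend workers (artisan, queue:work, fwconsole)."""
    return [e for e in events
            if e["FileName"].lower() in SHELLS
            and any(m in e["InitiatingProcessCommandLine"].lower() for m in WORKER_MARKERS)]


def hunt_cron_bursts(events, threshold=10):
    """Repeated execution pattern: one cron command launched > threshold times in a minute.
    Timestamps are assumed ISO 8601; adapt the parsing to your export's format."""
    buckets = Counter()
    for e in events:
        if e["InitiatingProcessFileName"].lower() in CRON_PARENTS:
            minute = datetime.fromisoformat(e["Timestamp"]).replace(second=0, microsecond=0)
            buckets[(e["DeviceName"], e["ProcessCommandLine"], minute)] += 1
    return {key: n for key, n in buckets.items() if n > threshold}


def decode_inline_payload(cmdline):
    """Reverse `echo <blob> | base64 -d > <file>` (T1140): return the decoded
    text and the cookie-webshell markers it contains, or None if nothing decodes."""
    match = B64_BLOB.search(cmdline)
    if not match:
        return None
    try:
        text = base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return text, [m for m in COOKIE_SHELL_MARKERS if m in text]


def triage(events):
    """Run all four hunts and decode the payload of every high-risk hit."""
    b64_hits = hunt_base64_to_web_path(events)
    return {
        "hosting_binaries": hunt_hosting_binaries(events),
        "base64_to_web_path": b64_hits,
        "worker_spawned_shell": hunt_worker_spawned_shell(events),
        "cron_bursts": hunt_cron_bursts(events),
        "decoded_payloads": [decode_inline_payload(e["ProcessCommandLine"]) for e in b64_hits],
    }


# Constructed sample telemetry: host, account, paths and the gated PHP
# one-liner are made up for this example, not observed indicators.
SAMPLE_PHP = "<?php if (isset($_COOKIE['c'])) { eval(base64_decode($_COOKIE['c'])); }"
SAMPLE_BLOB = base64.b64encode(SAMPLE_PHP.encode()).decode()


def sample_events():
    def ev(ts, fname, cmd, parent, parent_cmd):
        return {"Timestamp": ts, "DeviceName": "web01", "AccountName": "site", "FileName": fname,
                "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent,
                "InitiatingProcessCommandLine": parent_cmd}
    events = [
        ev("2026-03-10T02:14:05", "sh",
           f"sh -c 'echo {SAMPLE_BLOB} | base64 -d > /home/site/public_html/vendor/cache.php'",
           "php-fpm", "php-fpm: pool www"),
        ev("2026-03-10T02:15:40", "jailshell", "jailshell -c ls", "sshd", "sshd: site [priv]"),
        ev("2026-03-10T02:16:02", "bash", "bash -c id", "php", "php artisan queue:work --tries=3"),
        ev("2026-03-10T02:17:11", "php", "php /home/site/public_html/index.php",
           "apache2", "/usr/sbin/apache2 -k start"),  # benign: no base64, not a shell
    ]
    for i in range(12):  # the same cron-launched command twelve times inside one minute
        events.append(ev(f"2026-03-10T02:20:{i * 4:02d}", "php",
                         "php /home/site/public_html/vendor/.cache.php",
                         "crond", "/usr/sbin/crond -n"))
    return events


if __name__ == "__main__":
    for name, result in triage(sample_events()).items():
        print(name, result if name in ("cron_bursts", "decoded_payloads") else len(result))
```

Run as-is to see each rule fire once on the constructed events; to use it on real data, feed records exported with the same column names. The burst threshold (more than ten launches of one command per minute) is the post's own and will need tuning on hosts with a heavy legitimate cron load, and the decoded payload is only as good as the blob regex: attackers who split or wrap the base64 across several commands will not be reconstructed by a single-command decode.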