Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments
ID: 87ad1b57-d32d-5737-baf4-cb7d7178bfe2
STIX ID: report--87ad1b57-d32d-5737-baf4-cb7d7178bfe2
Feed Name: Microsoft Security
Date Published: 2026-04-02
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team
Microsoft Defender Security Research documents a campaign in which attackers deploy obfuscated PHP webshells that remain dormant until activated by specific HTTP cookie values; variants include layered loaders, direct cookie-driven stages, and single-script interactive shells. The actors often establish durable persistence in shared hosting via cron jobs (self-healing re-creation of loaders) and abuse legitimate admin interfaces (for example, cPanel jailshell), while using base64 reconstruction and runtime function assembly to evade detection. The report includes MITRE ATT&CK mappings, Kusto advanced-hunting queries to surface suspicious behaviors (web servers spawning shells, base64 writing .php files, cron patterns), and detailed mitigation recommendations for hosting account hardening, restricting web-server shell execution, auditing scheduled tasks, and enabling Defender Linux protections.
