AAMicrosoft posted this yesterday, if you missed it:
Microsoft: Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments https://www.microsoft.com/en-us/security/blog/2026/04/02/cookie-controlled-php-webshells-tradecraft-linux-hosting-environments/ #infosec #Linux #Microsoft #threatresearch
Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments | Microsoft Security Blog
Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux hosting environments. This post examines how this tradecraft conceals execution behind specially crafted HTTP cookies.