John Z Black Apr 4, 2026
Threat Intelligence #webshell #php #cookie-c2 #linux #persistence #microsoft-defender
Microsoft found PHP web shells that take commands through cookies instead of URLs. Delete them and a cron job rebuilds them. Your WAF probably can't see any of it.