Threat actors are increasingly using HTTP cookies as a
control channel for PHP-based web shells on Linux servers and to
achieve remote code execution, according to findings from the
Microsoft Defender Security Research Team. "Instead of
exposing command execution through URL parameters or request
bodies, these web shells rely on threat actor-supplied cookie
values to gate execution,
Read more https://thehackernews.com/2026/04/microsoft-details-cookie-controlled-php.html
