Microsoft Just Exposed a Sneaky Hacker Trick That's Hijacking Linux Servers

Microsoft has revealed a stealthy cyberattack method where hackers use PHP web shells controlled by cookies to maintain long-term access to Linux servers through cron jobs. This technique bypasses traditional detection, making it a growing threat for organizations relying on remote access.

Key Takeaways

• Hackers are using PHP web shells that hide in plain sight on Linux servers
• These shells are activated via browser cookies, making them hard to detect
• Cron jobs give attackers persistent access even after reboots
• The rise of AI in cyberattacks is shrinking response times
• Remote access systems have become the top entry point for breaches

In This Article

• The Discovery: How Microsoft Found the Hack
• How the Web Shell Works: Cookies as Secret Passwords
• Staying Power: Cron Jobs Keep Hackers in Control
• Bigger Picture: Why This Attack Fits a Dangerous Trend

The Discovery: How Microsoft Found the Hack

In a recent deep-dive, Microsoft uncovered a sophisticated attack strategy that's been flying under the radar. Threat actors are sneaking malicious PHP scripts onto Linux-based web servers, and they're using clever tricks to stay hidden.

• The attack starts when hackers exploit weak security in web applications to upload a PHP file, which acts like a secret backdoor
• Unlike typical malware, this backdoor doesn't call home loudly—it waits silently for commands
• The malicious script blends in with legitimate files, making it tough for admins to spot

How the Web Shell Works: Cookies as Secret Passwords

What makes this attack so sneaky is how it's triggered. Instead of using obvious network requests, it listens for special instructions hidden in something you'd never suspect: browser cookies.

• When a hacker wants to take control, they send a specially crafted HTTP cookie with their command embedded
• The PHP script checks incoming cookies, and if it sees the secret signal, it springs to life
• Since no direct connection to a command server is needed, firewalls and monitoring tools often miss the activity

Staying Power: Cron Jobs Keep Hackers in Control

Most attacks fail once a server restarts or the session ends. But not this one. The hackers ensure they always have access—thanks to a Linux feature called cron.

• Cron is a built-in scheduler that runs tasks at set times, like daily backups or system updates
• The attackers add their malicious script to the cron table, so it automatically reactivates every few minutes
• Even if the web shell file is removed, the cron job can re-download it, making cleanup extremely difficult

Bigger Picture: Why This Attack Fits a Dangerous Trend

This isn't just one clever hack—it's part of a larger shift in how cyberattacks are evolving, especially with the rise of AI and remote work.

• According to the Zscaler 2026 VPN Risk Report, AI is accelerating attacks so fast that humans can't respond in time
• Remote access tools, once convenient, have become the easiest path for hackers to break in
• Automated, persistent threats like this PHP web shell are becoming the new norm

“AI collapsed the human response window and turned remote access into the fastest path to breach.”

— Zscaler ThreatLabz, 2026 VPN Risk Report with Cybersecurity Insiders

Final Thoughts

As attackers get smarter with tools like cookie-driven web shells and cron-based persistence, organizations must level up their defenses. The era of relying on basic server monitoring is over—real-time detection, AI-powered threat hunting, and strict access controls are now essential to stay ahead.

Sources & Credits

Originally reported by The Hacker News — The Hacker News