---
title: Threat Intelligence Center - Capstone Technologies Group
description: PHP webshells using cookie-based command execution evade detection in Linux hosting. Technical analysis of stealthy tradecraft and detection methods.
canonical_url: https://captechgroup.com/threat-intelligence-center?start=231
language: en-GB
date: 2025-08-13T00:46:48Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center?start=231.
markdown-tokens: 1267
---

- [Cookie-Controlled PHP Webshells Compromise Linux Hosting Environments](https://captechgroup.com/threat-intelligence-center/cookie-controlled-php-webshells-compromise-linux-h-02fc9c) – Security researchers have identified a sophisticated webshell deployment technique targeting Linux hosting environments where attackers embed command execution logic within HTTP cookies. This method evades standard web application firewall rules and access log analysis by disguising malicious activity as legitimate cookie traffic.

- [The Attack Cycle is Accelerating: Announcing the Rapid7 2026 Global Threat Landscape Report](https://captechgroup.com/threat-intelligence-center/the-attack-cycle-is-accelerating-announcing-the-ra-eaeb55) – The threat landscape continues to evolve at an unprecedented pace. The Rapid7 2026 Global Threat Landscape Report analyzes global attack patterns, emerging vulnerabilities, and shifting adversary tactics to provide security teams with actionable intelligence for the year ahead.

- [Predictive Shielding Stops GPO-Based Ransomware Before Execution](https://captechgroup.com/threat-intelligence-center/predictive-shielding-stops-gpo-based-ransomware-be-240042) – Group Policy Objects (GPOs) are a common target for ransomware operators seeking to establish persistence and lateral movement across enterprise networks. This case study examines how predictive shielding technology in Microsoft Defender identified and blocked a GPO-based ransomware attack before the malware reached the execution stage.

- [UAT-10608 Credential Harvesting Campaign Targets Web Applications at Scale](https://captechgroup.com/threat-intelligence-center/uat-10608-credential-harvesting-campaign-targets-w-2bfc53) – Threat actors tracked as UAT-10608 are conducting a large-scale automated credential harvesting operation against web applications. The campaign leverages NEXUS Listener, a tool designed to intercept and exfiltrate user credentials from web-based systems. Analysis reveals the operation targets multiple application types and industries, exploiting CVE-2025-55182 to establish persistence.

- [Fortinet Hit by Another Exploited Cybersecurity Flaw](https://captechgroup.com/threat-intelligence-center/fortinet-hit-by-another-exploited-cybersecurity-fl-50c6eb) – Fortinet has confirmed that CVE-2026-21643 is being actively exploited in the wild, marking another significant vulnerability in the company's security portfolio. This flaw poses direct risk to organizations relying on Fortinet solutions for network protection and threat defense.

- [Five Browser and AI Security Questions Keeping CxOs up at Night](https://captechgroup.com/threat-intelligence-center/five-browser-and-ai-security-questions-keeping-cxo-fd260f) – Executive leadership faces unprecedented security challenges as browser technologies and artificial intelligence become central to enterprise operations.

- [RCE Vulnerability in BIG-IP APM Systems (CVE-2025-53521) Under Active Exploitation](https://captechgroup.com/threat-intelligence-center/rce-vulnerability-in-big-ip-apm-systems-cve-2025-5-98cd5c) – Security researchers have identified active exploitation of CVE-2025-53521, a critical remote code execution vulnerability affecting F5 BIG-IP APM systems. The Brickstorm threat actor is leveraging this vulnerability to target financial services, government, and public sector organizations.