CanisterWorm Wiper Campaign: TeamPCP Targets Iranian Cloud Infrastructure
<h2>Introduction: A New Cyber Threat Emerges</h2><p>A financially motivated cybercrime group known as TeamPCP has escalated its activities by deploying a wiper attack aimed at systems located in Iran. The malware, dubbed <strong>CanisterWorm</strong>, spreads through misconfigured cloud services and wipes data on machines whose system time zone is Iran's or whose default language is Farsi. The campaign, which surfaced in mid-March 2026, marks a shift from the group's earlier focus on data theft and extortion to destructive operations.</p><figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2021/03/kos-27-03-2021.jpg" alt="CanisterWorm Wiper Campaign: TeamPCP Targets Iranian Cloud Infrastructure" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure><h2>Background of TeamPCP</h2><p>TeamPCP first gained attention in December 2025 when it began compromising corporate cloud environments with a self-propagating worm. The group targeted exposed Docker APIs, Kubernetes clusters, Redis servers, and applications vulnerable to React2Shell, the remote code execution flaw in React Server Components disclosed that month. Its modus operandi was to move laterally across victim networks, harvest authentication credentials, and extort victims via Telegram. A January 2026 profile by security firm <strong>Flare</strong> characterized TeamPCP as a group that relies on no novel exploits but industrializes known techniques, using automated tooling to turn exposed infrastructure into a criminal ecosystem. 
According to Flare's analysis, Azure (61%) and AWS (36%) together accounted for 97% of compromised servers, underlining the group's focus on cloud infrastructure rather than end-user devices.</p><h2>The CanisterWorm Attack</h2><p>Over the weekend of March 22–23, 2026, security researcher Charlie Eriksen of <strong>Aikido</strong> identified a new payload deployed through the same technical infrastructure TeamPCP had used in a recent supply chain attack. The payload, named CanisterWorm after the Internet Computer Protocol (ICP) canisters it uses for orchestration, decides whether to wipe based on the victim's time zone and language settings. If the system's time zone corresponds to Iran or the default language is Farsi, the worm runs its destructive routines. Where it has access to a Kubernetes cluster, it wipes data on every node in that cluster; otherwise, it wipes the local machine.</p><h3>How CanisterWorm Spreads</h3><p>The worm propagates through poorly secured cloud services, scanning for exposed Docker APIs, Kubernetes environments, Redis instances, and React2Shell-vulnerable applications. Once inside, it moves laterally by harvesting credentials and exploiting misconfigurations. Because the command-and-control layer lives in ICP canisters, tamper-resistant blockchain-hosted smart contracts, there is no conventional server for defenders to seize or sinkhole, which makes the infrastructure resilient to takedowns.</p><h2>Connection to the Trivy Supply Chain Attack</h2><p>On March 19, 2026, TeamPCP carried out a supply chain attack against <strong>Aqua Security's</strong> Trivy vulnerability scanner, compromising the project's GitHub Actions release pipeline to ship credential-stealing code in official releases. Aqua Security removed the malicious files, but <strong>Wiz</strong> researchers noted that the poisoned versions exfiltrated SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. 
The same infrastructure used in that attack was later repurposed to deliver the CanisterWorm wiper payload.</p><figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2026/03/aikido-iranwiper.png" alt="CanisterWorm Wiper Campaign: TeamPCP Targets Iranian Cloud Infrastructure" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure><h3>Technical Details of the Wiper</h3><p>According to Eriksen's blog post, the wiper component first checks the victim's locale and time zone and only then executes destructive commands that erase files and volumes. The targeting is designed to maximize damage to Iranian systems, in line with geopolitical tensions in the region. Given TeamPCP's financial motivation to date, the operation suggests the group has entered the ongoing Iran conflict, either by choice or through a partnership with state-aligned actors.</p><h2>Implications for Cloud Security</h2><p>The rise of groups like TeamPCP underscores the importance of securing cloud infrastructure. Their method, automated exploitation of known vulnerabilities and misconfigurations at scale, is a wake-up call for organizations running Docker, Kubernetes, and other cloud-native technologies. Security teams should prioritize taking management APIs off the public internet or putting authentication in front of them, patching promptly, and monitoring for unusual lateral movement. 
The use of blockchain-based canisters for command-and-control also complicates takedown efforts.</p><h3>Recommendations for Defenders</h3><ul><li>Audit internet exposure of Docker APIs, Kubernetes API and kubelet endpoints, and Redis now; bind them to loopback or a private interface and require authentication (TLS client certificates for the Docker API, a password or ACLs for Redis).</li><li>Patch applications affected by React2Shell.</li><li>Segment networks and scope credentials (short-lived, least-privilege cloud and Kubernetes tokens) so that one compromised container cannot reach the whole cluster.</li><li>Review GitHub Actions workflows for unexpected changes or malicious commits, and pin third-party actions to full commit SHAs rather than tags or branches.</li><li>If a host ran an affected Trivy release, treat the SSH keys, cloud credentials, Kubernetes tokens, and wallet material on it as compromised and rotate them.</li><li>Enable detailed logging and alerting on anomalous API calls and lateral movement in cloud environments.</li></ul><h2>Conclusion</h2><p>The CanisterWorm wiper campaign represents a dangerous evolution in TeamPCP's criminal portfolio. Where the group's previous activity centered on data theft and extortion, this attack demonstrates a willingness to destroy data, specifically on Iranian systems. As the group continues to industrialize cloud exploitation, organizations worldwide must remain vigilant. The incident also illustrates a growing trend of cybercriminals aligning their operations with geopolitical conflicts, blurring the line between financial crime and cyberwarfare.</p><p><em>For more details, see the original analysis by Aikido's Charlie Eriksen and the Flare profile on TeamPCP.</em></p>
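<p>The first recommendation above, auditing which management services are reachable from off-host, is easy to script. The following Python example is added here for illustration and is not code from the article, Aikido, Flare, or TeamPCP. It parses the output of <code>ss -ltnp</code> (a constructed sample is embedded so it runs offline), flags the ports the article names as worm targets (Docker API, Kubernetes, Redis) when they are bound to a non-loopback address, and checks a Docker <code>daemon.json</code> for the weak setting (TCP listener without <code>tlsverify</code>) next to a hardened one. The kubelet and etcd ports in the table are my additions, marked as assumptions; the article does not mention them.</p>

```python
"""Audit a host for the exposed services TeamPCP-style worms scan for.

Added example, not code from the article or from any of the parties it names.
Sample `ss` output and daemon.json contents below are constructed.
"""
import ipaddress
import json
import re

# Ports the article reports the worm probing (Docker API, Kubernetes API, Redis).
# kubelet (10250) and etcd (2379) are added as an ASSUMPTION: common cluster
# exposure mistakes, not ports the article itself lists.
RISKY_PORTS = {
    2375: "Docker API, plaintext: reachable means root on the host",
    2376: "Docker API, TLS: confirm tlsverify so client certs are required",
    6379: "Redis: confirm requirepass/ACLs, or bind to loopback",
    6443: "Kubernetes API server: confirm --anonymous-auth=false and RBAC",
    10250: "kubelet API (assumption): confirm authn/authz enabled",
    2379: "etcd client port (assumption): must never be internet-facing",
}

# Local-address column of `ss -ltn`, e.g. 0.0.0.0:2375  [::]:6443  *:10250  127.0.0.1:6379
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[0-9a-fA-F:.*]*)\]|(?P<v4>[0-9.*]+)):(?P<port>\d+)$")


def is_public_bind(addr: str) -> bool:
    """True if a socket bound to `addr` is reachable from another machine."""
    if addr in ("*", ""):
        return True  # wildcard bind
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unrecognised form: fail closed and report it
    return ip.is_unspecified or not ip.is_loopback


def audit_listeners(ss_output: str) -> list:
    """Return risky listeners bound to non-loopback addresses, in `ss` order."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        m = _LOCAL_RE.match(cols[3])  # State Recv-Q Send-Q Local:Port ...
        if not m:
            continue
        port = int(m.group("port"))
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        if port in RISKY_PORTS and is_public_bind(addr):
            findings.append({"port": port, "bind": addr, "service": RISKY_PORTS[port]})
    return findings


def audit_docker_daemon(daemon_json: str) -> list:
    """Flag daemon.json settings that expose the Docker API without client auth."""
    cfg = json.loads(daemon_json)
    problems = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        problems.append(f"TCP listener(s) {tcp_hosts} without tlsverify: unauthenticated root")
    for h in tcp_hosts:
        host = h[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
        if is_public_bind(host):
            problems.append(f"{h} binds a non-loopback address")
    return problems


# Constructed `ss -ltnp` output: Docker on all interfaces, Redis on loopback,
# kube-apiserver on IPv6 wildcard, sshd (not in scope), kubelet on wildcard.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=811,fd=3))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=902,fd=6))
LISTEN 0      4096   [::]:6443           [::]:*            users:(("kube-apiserver",pid=1204,fd=7))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      511    *:10250             *:*               users:(("kubelet",pid=1309,fd=20))
"""

# Weak setting: plaintext API on every interface. Hardened: loopback only, TLS client certs.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"[exposed] {f['bind']}:{f['port']}  {f['service']}")
    for p in audit_docker_daemon(WEAK_DAEMON_JSON):
        print(f"[docker]  {p}")
    print("hardened daemon.json findings:", audit_docker_daemon(HARDENED_DAEMON_JSON))
```

<p>On the constructed sample the script reports the Docker API on 0.0.0.0:2375, the API server on [::]:6443, and the kubelet on *:10250, and leaves the loopback-bound Redis alone. A non-loopback bind is a reachability finding, not proof of compromise: for 6443 the follow-up is to confirm anonymous access is off, while for 2375 and an unauthenticated 6379 the finding is itself the vulnerability the worm exploits. Run it from a cron job or a configuration-management check on every node rather than once.</p>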
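<p>The Trivy incident and the recommendation to review GitHub Actions workflows point at the same control: a workflow that consumes a third-party action by tag or branch runs whatever that mutable reference points to on the day it runs, so a compromised upstream release pipeline or a retagged release becomes your build's code. The following Python checker is an added example (not code from the article, Aqua Security, or Wiz) that scans workflow YAML for <code>uses:</code> references that are not pinned to a full 40-character commit SHA or, for <code>docker://</code> actions, to a <code>sha256</code> digest. The workflow text and the placeholder SHA are constructed; it uses only the standard library so it runs without PyYAML.</p>

```python
"""Flag GitHub Actions `uses:` references that are not pinned to an immutable commit.

Added example, not the project's own tooling. The workflow below is constructed;
the 40-hex value is a placeholder, not a real commit.
"""
import re
from typing import Optional

# `uses:` value, optionally quoted, optionally as a list item; stops at whitespace or a comment.
_USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)""")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(value: str) -> Optional[str]:
    """Return why `value` is not immutably pinned, or None if it is acceptable."""
    if value.startswith("./"):
        return None  # local action: versioned with the calling repository itself
    if value.startswith("docker://"):
        return None if "@sha256:" in value else "container action not pinned by digest"
    if "@" not in value:
        return "no ref given: resolves to the action's default branch"
    action, ref = value.rsplit("@", 1)
    if _SHA_RE.match(ref):
        return None
    return f"'{action}' uses mutable ref '{ref}': a moved tag or pushed branch runs new code"


def audit_workflow(yaml_text: str) -> list:
    """Scan workflow text line by line; return findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = _USES_RE.match(line)
        if not m:
            continue
        reason = check_uses(m.group("ref"))
        if reason:
            findings.append({"line": lineno, "uses": m.group("ref"), "reason": reason})
    return findings


# Constructed workflow: two tag/branch pins, one SHA pin (placeholder hash),
# one local action, one container action without a digest.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://ghcr.io/example/tool:1.2.3
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['uses']}\n          {f['reason']}")
```

<p>On the sample it flags lines 7, 9 and 14 and accepts the SHA-pinned and local steps. SHA pinning makes the reference immutable; it does not vouch for the pinned commit, so review the diff when you first pin and when a bot proposes a bump, and keep the human-readable version in a trailing comment (<code>@&lt;sha&gt; # v4.2.2</code>) so reviewers can still tell what they are looking at.</p>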