Tags: malware, high, Credential Stealing, Data Theft, Supply Chain Attack, Wiper Malware, CanisterWorm, TeamPCP

Mar 23, 2026 • BrianKrebs

‘CanisterWorm’ Springs Wiper Attack Targeting Iran


Source: Krebs on Security
Category: malware
Severity: high

Executive Summary

A financially motivated threat group called TeamPCP has launched a sophisticated wiper campaign targeting Iranian systems using a self-propagating worm dubbed 'CanisterWorm.' The attack spreads through poorly secured cloud services by exploiting exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. The wiper specifically targets systems with Iran's timezone or Farsi language settings, destroying data on local machines and entire Kubernetes clusters. Prior to this attack, TeamPCP executed a supply chain attack against Aqua Security's Trivy vulnerability scanner, injecting credential-stealing malware into official releases to harvest SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. The group uses Internet Computer Protocol (ICP) canisters to orchestrate attacks, making infrastructure takedown difficult. Organizations should immediately audit cloud configurations, apply security patches, and monitor for unusual activity in CI/CD pipelines.

Summary

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.

Published Analysis

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

Image caption: A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran’s timezone or have Farsi as the default language. Image: Aikido.dev.

In a profile of TeamPCP published in January, the security firm Flare said the group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.

“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,” Flare’s Assaf Morag wrote. “The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.”

On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub Actions. Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.

Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload which executes a wiper attack if the user’s timezone and locale are determined to correspond to Iran, said Charlie Eriksen, a security researcher at Aikido. In a blog post published on Sunday, Eriksen said if the wiper component detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster.

“If it doesn’t it will just wipe the local machine,” Eriksen told KrebsOnSecurity.

Image: Aikido.dev.

Aikido refers to TeamPCP’s infrastructure as “CanisterWorm” because the group orchestrates their campaigns using an Internet Computer Protocol (ICP) canister — a system of tamperproof, blockchain-based “smart contracts” that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.

Eriksen said the people behind TeamPCP are bragging about their exploits in a group on Telegram and claim to have used the worm to steal vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.

“When they compromised Aqua a second time, they took a lot of GitHub accounts and started spamming these with junk messages,” Eriksen said. “It was almost like they were just showing off how much access they had. Clearly, they have an entire stash of these credentials, and...

Linked Entities

  • CanisterWorm
  • TeamPCP