Skip to main content
List Directory
  • News
  • World
  • Business
  • Entertainment
  • Sports
  • Tech and Science
  • Health
Menu
  • News
  • World
  • Business
  • Entertainment
  • Sports
  • Tech and Science
  • Health
TeamPCP Worm Targets Iran with Cloud-Based Data Wipes & Supply Chain Attacks

TeamPCP Worm Targets Iran with Cloud-Based Data Wipes & Supply Chain Attacks

March 25, 2026 Sarah Wu - Tech Editor Tech and Science

A financially motivated cybercrime group is attempting to exploit geopolitical tensions by deploying a wiper attack targeting Iran, utilizing a worm that spreads through vulnerabilities in cloud services. The campaign, dubbed “CanisterWorm,” is designed to erase data from systems configured with Iran’s time zone or using Farsi as the default language. This attack, originating from a relatively new group known as TeamPCP, represents a concerning intersection of financially driven cybercrime and international conflict.

Cloud Infrastructure as a Battleground

TeamPCP first emerged in December 2025, initially focusing on compromising corporate cloud environments. Their approach centers around a self-propagating worm that exploits weaknesses in commonly used cloud infrastructure components, including exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. Rather than targeting individual computers, TeamPCP prioritizes gaining access to and weaponizing the control planes of cloud services – the systems that manage the underlying infrastructure. According to a January profile by the security firm Flare, this strategy allows them to compromise a large number of servers with relative efficiency. Assaf Morag of Flare wrote that TeamPCP’s strength lies in “the large-scale automation and integration of well-known attack techniques,” essentially industrializing existing vulnerabilities.

The group’s preference for cloud infrastructure is reflected in the platforms they’ve targeted: Azure (61%) and AWS (36%) account for 97% of compromised servers. This focus highlights the growing importance of securing cloud environments, which often contain vast amounts of sensitive data and provide access to critical systems.

Supply Chain Compromises and Credential Theft

TeamPCP’s activities extend beyond simply exploiting vulnerabilities. They’ve demonstrated a sophisticated ability to execute supply chain attacks, compromising legitimate software to distribute malicious code. On March 19th, they successfully infiltrated the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub Actions. While Aqua Security quickly removed the malicious files, security firm Wiz notes that attackers were able to publish malicious versions that harvested SSH keys, cloud credentials, Kubernetes tokens, and even cryptocurrency wallets from unsuspecting users.

This wasn’t an isolated incident. A recent report from Wiz also indicates TeamPCP compromised the KICS vulnerability scanner from Checkmarx, further demonstrating their willingness to target the security industry itself. This tactic allows them to potentially compromise a wide range of organizations that rely on these tools for security assessments.

CanisterWorm: A Geopolitically Targeted Wiper

Over the weekend, TeamPCP leveraged the infrastructure used in the Trivy attack to deploy the CanisterWorm wiper. Developed by security researcher Charlie Eriksen at Aikido, the wiper specifically targets systems that meet two criteria: being located in Iran and having a configured timezone for Iran, or having Farsi set as the default language. If these conditions are met, and the system has access to a Kubernetes cluster, the wiper will destroy data on every node within that cluster. Otherwise, it will wipe the local machine. Eriksen detailed the wiper’s functionality in a blog post on Sunday.

The wiper’s targeting criteria suggest a deliberate attempt to disrupt Iranian organizations, potentially as a form of cyber warfare or to exert political pressure. But, Eriksen notes that the group’s motivations appear complex, blending financial gain with attention-seeking behavior. He observed that TeamPCP members are actively boasting about their exploits on Telegram and claiming to have stolen significant amounts of data from various companies, including a large pharmaceutical firm.

The Internet Computer Protocol and Takedown Resistance

A unique aspect of TeamPCP’s infrastructure is their use of the Internet Computer Protocol (ICP) canisters. These canisters are essentially tamperproof, blockchain-based “smart contracts” that combine code and data. Aikido refers to TeamPCP’s infrastructure as “CanisterWorm” given that of this reliance on ICP. The distributed architecture of ICP canisters makes them highly resistant to takedown attempts, as they are not controlled by a single entity. As long as the operators continue to pay the necessary virtual currency fees, the canisters will remain accessible.

GitHub as a Vector for Malicious Code

TeamPCP’s activities have also highlighted a growing problem with malicious code on GitHub. Security experts believe the group is intentionally spamming GitHub with junk messages to ensure that any code packages tainted with their malware remain prominent in search results. As Catalin Cimpanu wrote in a recent Risky Business newsletter, attackers are increasingly using techniques like meaningless commits and purchasing GitHub stars to boost the visibility of malicious packages. This poses a significant challenge for GitHub’s security team, as the platform’s design encourages forking and cloning of projects, making it difficult to identify and remove malicious additions.

This weekend’s outbreak marks the second major supply chain attack involving Trivy in recent months, following an earlier incident involving the HackerBot-Claw threat. This underscores the vulnerability of the software supply chain and the need for improved security measures.

What Comes Next: Monitoring and Mitigation

The full extent of the damage caused by CanisterWorm remains unclear. Eriksen notes that the malicious code was only active for a short period over the weekend and that the group has been rapidly changing and updating it. However, the incident serves as a stark reminder of the evolving threat landscape and the importance of proactive security measures. Organizations should prioritize securing their cloud infrastructure, implementing robust supply chain security practices, and monitoring for suspicious activity. Specifically, reviewing and restricting access to exposed Docker APIs, Kubernetes clusters, and Redis servers is crucial. Regularly scanning for vulnerabilities and promptly patching systems are also essential steps in mitigating the risk of future attacks. Continued vigilance and information sharing within the security community will be vital in tracking and disrupting TeamPCP’s activities.

Recent Posts

  • Madison Keys vs. Hanne Vandewinkel Live: French Open 2026 TV Schedule and Streaming Guide
  • Our Strict Quality Control Process for Returned Clothing
  • German Business Sentiment Shows Slight Recovery in May According to Ifo Index
  • The 2-week supplement to avoid travel tummy trouble – plus blood clots worries – The Irish Sun
  • Ukraine Achieves Major Battlefield Successes as Russian Casualties Mount

Recent Comments

No comments to show.
List Directory

List-Directory is a comprehensive directory of businesses and services across the United States. Find what you need, when you need it.

Quick Links

  • Home
  • Privacy Policy
  • Terms of Service

Browse by State

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado

Connect With Us

Official social links will appear here when available.

List-directory.com
For contact, advertising, copyright, issues email: [email protected]

Privacy Policy Terms of Service