Xtcworld

TeamPCP’s CanisterWorm Wiper Attack: A New Cyber Threat Targeting Iran’s Cloud Infrastructure

Published: 2026-05-01 11:02:59 | Category: Cybersecurity

Introduction

A financially motivated cybercrime group known as TeamPCP has escalated its activities by launching a destructive wiper campaign specifically targeting systems in Iran. The attack, which surfaced over the weekend, leverages a self-propagating worm—dubbed CanisterWorm—that spreads through poorly secured cloud services and wipes data on machines set to Iran’s time zone or configured with Farsi as the default language. Security researchers have flagged this as a significant escalation in the group’s tactics, which previously focused on data theft and extortion.

TeamPCP’s CanisterWorm Wiper Attack: A New Cyber Threat Targeting Iran’s Cloud Infrastructure
Source: krebsonsecurity.com

The Emergence of TeamPCP and Their Modus Operandi

TeamPCP is a relatively new cybercrime group that began appearing on the radar in late 2025. Unlike many ransomware gangs that rely on novel exploits, TeamPCP’s strength lies in industrializing widely known vulnerabilities and misconfigurations. According to security firm Flare, the group specializes in “weaponizing exposed control planes” rather than targeting end-user devices. Their primary focus is cloud infrastructure, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.

Exploiting Cloud Misconfigurations

The group’s initial compromise vector is scanning for exposed APIs and services, such as Docker daemons, Kubernetes clusters and Redis servers, and for hosts vulnerable to React2Shell. Once inside, they move laterally across the victim network, stealing authentication credentials and extorting victims via Telegram. This automated, large-scale approach allows TeamPCP to turn exposed infrastructure into a criminal ecosystem without needing advanced malware.
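The exposure described above is a control-plane service bound to a network-facing address rather than loopback. The following is an added example, not code from the article or from any of the vendors it cites: it parses `ss -Hltn` output (a constructed sample is embedded) and reports Docker, Kubernetes and Redis listeners reachable from the network. The port-to-service mapping assumes the services' default ports.

```python
"""Flag control-plane services listening on non-loopback addresses.

Added example (not from the article). Input is the output of `ss -Hltn`
(listening TCP sockets, numeric, no header); the sample below is
constructed. Port assignments are the services' documented defaults and
are an assumption for any non-default deployment.
"""
import re
from dataclasses import dataclass

# Default ports for the control planes the article names (assumed defaults).
CONTROL_PLANE_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    6443: "Kubernetes API server",
    8080: "Kubernetes API server (insecure port)",
    10250: "kubelet API",
    6379: "Redis",
}

# Addresses that are only reachable from the host itself.
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


@dataclass(frozen=True)
class Finding:
    addr: str
    port: int
    service: str


def parse_ss_listen(text: str):
    """Yield (local_addr, port) pairs from `ss -Hltn` style lines.

    Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # Greedy match keeps IPv6 brackets ("[::]") intact in the address part.
        m = re.match(r"^(.*):(\d+)$", fields[3])
        if not m:
            continue
        yield m.group(1), int(m.group(2))


def exposed_control_planes(text: str):
    """Return findings for control-plane ports bound to a non-loopback address."""
    findings = []
    for addr, port in parse_ss_listen(text):
        if port not in CONTROL_PLANE_PORTS:
            continue
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback only: not reachable by an internet-wide scanner
        findings.append(Finding(addr, port, CONTROL_PLANE_PORTS[port]))
    return findings


# Constructed sample of `ss -Hltn` output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 *:6443 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:10250 [::]:*
LISTEN 0 128 [::1]:8080 [::]:*
"""

if __name__ == "__main__":
    for f in exposed_control_planes(SAMPLE_SS):
        print(f"EXPOSED {f.service}: {f.addr}:{f.port}")
```

On a real host, pipe `ss -Hltn` into `exposed_control_planes`; the loopback-bound Redis and insecure API port in the sample are deliberately left out of the findings, since the scanning the article describes only reaches sockets bound to a routable address.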

The CanisterWorm Wiper Campaign

In mid-March 2025, TeamPCP executed a supply chain attack against Aqua Security’s Trivy vulnerability scanner, injecting credential-stealing malware into official GitHub releases. Although Aqua Security later removed the malicious files, the attackers had already published versions that stole SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. Over the weekend following that incident, the same technical infrastructure was repurposed to deploy a new payload—the CanisterWorm.

Security researcher Charlie Eriksen from Aikido explained that the worm checks the victim’s time zone and locale. If they correspond to Iran, it activates a wiper component. If the victim has access to a Kubernetes cluster, the worm destroys data on every node; otherwise, it wipes the local machine. The name “CanisterWorm” derives from the group’s use of an Internet Computer Protocol (ICP) canister, a tamperproof blockchain-based smart contract, to orchestrate their campaigns.
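The escalation from "wipe the local machine" to "destroy every node" depends on the compromised host holding a credential that is authoritative cluster-wide. The following added example (not from the article, Aikido or any Kubernetes project) audits the JSON that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce and lists ServiceAccounts bound to roles with cluster-wide destructive rights; the sample objects are constructed, and the choice of which verbs and resources count as "destructive" is this example's own assumption.

```python
"""List service accounts whose ClusterRole could wipe a cluster.

Added example (not from the article). Inputs are JSON Lists in the shape
kubectl emits with `-o json`; both samples below are constructed. The
verb/resource sets that count as destructive are an assumption.
"""
import json

# A role matching any of these verbs on any of these resources is treated
# as able to destroy workloads or nodes cluster-wide (assumed threshold).
DESTRUCTIVE_VERBS = {"*", "delete", "deletecollection"}
BROAD_RESOURCES = {"*", "nodes", "pods", "persistentvolumes", "namespaces"}


def role_is_destructive(role: dict) -> bool:
    """True for cluster-admin or any rule that pairs a destructive verb with a broad resource."""
    if role["metadata"]["name"] == "cluster-admin":
        return True
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if verbs & DESTRUCTIVE_VERBS and resources & BROAD_RESOURCES:
            return True
    return False


def overprivileged_service_accounts(roles_json: str, bindings_json: str):
    """Return (namespace/serviceaccount, role, binding) for each risky ServiceAccount subject."""
    roles = {r["metadata"]["name"]: r for r in json.loads(roles_json)["items"]}
    findings = []
    for binding in json.loads(bindings_json)["items"]:
        ref = binding["roleRef"]
        if ref.get("kind") != "ClusterRole":
            continue
        role = roles.get(ref["name"])
        if role is None or not role_is_destructive(role):
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue  # users/groups are out of scope: the worm runs with a host's token
            sa = f"{subject.get('namespace', '')}/{subject['name']}"
            findings.append((sa, ref["name"], binding["metadata"]["name"]))
    return findings


# Constructed sample objects (not dumped from a real cluster).
SAMPLE_ROLES = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "node-janitor"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["delete"]}]},
]})

SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"metadata": {"name": "read-only"},
     "roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prom"}]},
    {"metadata": {"name": "janitor"},
     "roleRef": {"kind": "ClusterRole", "name": "node-janitor"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "namespace": "kube-system", "name": "janitor"}]},
]})

if __name__ == "__main__":
    for sa, role, binding in overprivileged_service_accounts(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{sa} can act cluster-wide via ClusterRole {role} (binding {binding})")
```

Any ServiceAccount the audit lists is one whose token, if it sits on a compromised host, turns a single-machine wipe into a cluster-wide one; the read-only binding in the sample is correctly not reported.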


Targeting Iranian Systems

The wiper attack specifically targets systems that match Iran’s time zone or have Farsi set as the default language. This geographic targeting suggests either a political motive or a desire to disrupt Iranian infrastructure. The group’s prior financial motivations make it unclear whether this is a purely destructive act or a new form of extortion.

Supply Chain Attack on Aqua Security’s Trivy

The Trivy vulnerability scanner compromise was a notable precursor. By injecting malware into official releases via GitHub Actions, TeamPCP demonstrated its ability to conduct supply chain attacks. Security firm Wiz confirmed that the malicious versions were designed to harvest sensitive credentials, including cloud provider keys and Kubernetes tokens. This attack showcased TeamPCP’s growing sophistication and willingness to target developer tools.
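When a release pipeline is the delivery vehicle, one standard check on the consuming side is whether every third-party action a workflow invokes is pinned to an immutable commit SHA rather than a tag or branch that can be moved. The following added example (not from the article, Aqua Security or Wiz, and not a statement about how the Trivy pipeline was configured) scans a workflow file for `uses:` references and reports the ones that resolve to a mutable ref; the workflow text and the 40-hex SHA in it are constructed placeholders.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not from the article). The workflow text below is
constructed; the SHA in it is a placeholder, not a real commit. Only the
`uses:` key is inspected, so a full YAML parser is not needed.
"""
import re

# Matches "uses: owner/repo@ref" whether or not the key starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str):
    """Return (line_number, reference, reason) for each unpinned action reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite action or container image: not a marketplace ref
        _action, _, version = ref.partition("@")
        if not version:
            findings.append((lineno, ref, "no ref"))
        elif not SHA_RE.match(version):
            findings.append((lineno, ref, "mutable ref"))
    return findings


# Constructed workflow; the SHA is a placeholder (constructed, not a real commit).
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-build
      - name: scan
        uses: example-org/scanner-action@main
      - uses: example-org/lint-action
      - run: go build ./...
"""

if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({reason})")
```

A pinned SHA does not stop a maintainer-side compromise of the release itself, but it does stop a moved tag or branch from silently changing what a workflow runs, which is the property the check enforces.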

Conclusion and Implications

The CanisterWorm wiper attack marks a dangerous evolution for TeamPCP, moving from data theft and extortion to outright destruction. Organizations with cloud infrastructure, especially those serving Iranian customers or using Farsi language settings, should immediately review their security postures. The group’s use of automated exploitation of known misconfigurations underscores the critical importance of securing cloud APIs, Docker, and Kubernetes environments. As security researcher Assaf Morag of Flare noted, “TeamPCP does not rely on novel exploits but on the large-scale automation of well-known attack techniques.” This industrial approach makes them a persistent and adaptable threat.