Quick Facts
- Category: Cybersecurity
- Published: 2026-05-02 10:53:11
Introduction
A financially motivated cybercrime group has escalated its activities by deploying a destructive wiper worm that specifically targets systems configured with Iran's time zone or the Farsi language. This campaign, which emerged over a weekend in March 2025, marks a significant shift from data theft and extortion to outright data destruction. The group, known as TeamPCP, has been leveraging a self-propagating worm called CanisterWorm to infiltrate poorly secured cloud environments and wipe data on infected machines whose locale matches Iran.

The Emergence of TeamPCP: A New Cybercrime Group
TeamPCP is a relatively new player in the cybercrime landscape, first observed in December 2024. The group initially focused on compromising corporate cloud environments by exploiting exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. Their modus operandi involved moving laterally through victim networks, stealing authentication credentials, and then extorting victims via Telegram. Security firm Flare profiled TeamPCP in January 2025, noting that the group's strength lies not in novel exploits but in the industrial-scale automation and integration of well-known attack techniques.
Attack Vectors and Lateral Movement
TeamPCP's initial access typically comes from scanning the internet for misconfigured cloud services. Once inside, they deploy a self-propagating worm that spreads to other vulnerable systems. The group then attempts to steal credentials from the compromised environment, enabling further lateral movement. This approach allows them to maximize the impact of their attacks while minimizing the need for custom malware. According to Flare's Assaf Morag, the group "industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem."
Cloud-Focused Infrastructure Exploitation
TeamPCP predominantly targets cloud infrastructure rather than end-user devices. According to Flare's January report, Azure accounts for 61% of compromised servers and Amazon Web Services (AWS) for 36%, together making up 97% of the group's targets. The group weaponizes exposed control planes, such as unsecured APIs and management interfaces, rather than exploiting endpoint vulnerabilities. This cloud-centric strategy allows them to operate at scale, often compromising an entire organization through a single vulnerable entry point.
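The exposed Docker API named above is the simplest of these control planes to check for. The following is an added example written for this page, not code from the article, from Flare, or from TeamPCP's tooling: it audits a Docker daemon.json for a TCP listener that lacks mutual-TLS client verification and shows the weak configuration beside a hardened one. Both configuration documents are constructed samples; the IP address and certificate paths in the hardened sample are placeholders.

```python
import json

# Constructed sample: a weak daemon.json that exposes the Docker API over
# plain TCP on every interface with no client authentication. Anyone who can
# reach the port can start a privileged container, which is root on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the corrected configuration. The TCP listener is bound
# to one management address (placeholder IP) and tlsverify requires a client
# certificate signed by the listed CA. Certificate paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_json(raw: str) -> list[str]:
    """Return findings for a Docker daemon.json document.

    Flags every tcp:// listener when tlsverify is not enabled, and separately
    flags listeners bound to all interfaces, which widens exposure even when
    TLS is turned on.
    """
    cfg = json.loads(raw)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        if not tls_verify:
            findings.append(f"{host}: Docker API reachable over TCP without tlsverify")
        # Strip the scheme and the trailing port to get the bind address.
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: listener bound to all interfaces")
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path to a real daemon.json, or run against the weak sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_DAEMON_JSON
    for finding in audit_daemon_json(raw) or ["no findings"]:
        print(finding)
```

Running the script with no argument audits the constructed weak sample and reports two findings; pointing it at `/etc/docker/daemon.json` audits a real host. Note that a daemon started with `-H tcp://...` on the command line rather than through daemon.json is not covered by this file-based check.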
Supply Chain Compromise: The Trivy Incident
On March 19, 2025, TeamPCP executed a supply chain attack against Trivy, an open-source vulnerability scanner developed by Aqua Security. The attackers injected credential-stealing malware into official releases via GitHub Actions. Although Aqua Security promptly removed the malicious files, security firm Wiz noted that the attackers had successfully published versions that exfiltrated SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from users. This incident demonstrated TeamPCP's ability to compromise trusted software supply chains, significantly amplifying the reach of their attacks.
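Because the malicious releases were introduced through GitHub Actions, one general defence for any pipeline that consumes third-party actions is to reference them by full commit SHA rather than by a mutable tag, so a re-pointed tag cannot silently swap in new code. The check below is an added example for this page, not code from the article, Aqua Security, or Wiz, and it does not describe the specific mechanics of the Trivy compromise: it scans a workflow file for `uses:` references that are not pinned to a 40-character commit SHA. The sample workflow and the hexadecimal SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow mixing tag-pinned, SHA-pinned, local and
# docker:// action references. The 40-hex value is a placeholder, not a
# real commit of the named action.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://example.invalid/tool:1.0
      - run: make release
"""

# Matches a step's `uses:` key and captures the reference that follows it.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# A full Git commit SHA: exactly 40 lowercase hex digits.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return `uses:` references not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped because they are
    not resolved through a Git tag on a third-party repository; the tag
    re-pointing risk this check targets does not apply to them.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(ref)  # no ref at all: floats with the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)  # tag or branch name, mutable
    return findings


if __name__ == "__main__":
    import sys
    # Pass a workflow file path, or scan the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for ref in unpinned_actions(text) or ["all third-party actions are SHA-pinned"]:
        print(ref)
```

Pinning to a SHA only helps if the SHA is reviewed when it changes; the usual practice is to keep the human-readable version as a trailing comment, as the sample does, so automated update tooling can bump both together.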

CanisterWorm: The Iran-Targeted Wiper Attack
Over the weekend following the Trivy attack, TeamPCP leveraged the same technical infrastructure to deploy a new malicious payload that executes a wiper attack. Security researcher Charlie Eriksen from Aikido identified the payload as CanisterWorm, named after the group's use of Internet Computer Protocol (ICP) canisters—tamper-proof, blockchain-based smart contracts—to orchestrate their campaigns. The wiper component checks the victim's time zone and locale settings. If they correspond to Iran (Asia/Tehran time zone or Farsi language), the worm activates destructive routines.
How the Wiper Works
Once CanisterWorm determines that it is running on an Iranian system, it proceeds to wipe data. According to Eriksen, if the victim has access to a Kubernetes cluster, the worm destroys data on every node in that cluster. If no cluster is present, it wipes the local machine. This targeted approach suggests that TeamPCP is deliberately focusing on Iranian infrastructure, possibly as a result of geopolitical motivations or contractual obligations. The worm spreads through the same poorly secured cloud services that TeamPCP previously exploited for data theft.
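The detail that the worm wipes every node when the compromised workload holds cluster access is the point a defender can act on: a pod that does not need to talk to the Kubernetes API should not be given a service account token, and should not run privileged. The check below is an added example for this page, not code from the article or from Aikido's analysis, and it does not model the worm itself. It audits a Pod manifest (in the JSON form kubectl accepts) for an automounted service account token, use of the namespace default service account, and privileged containers, and shows a risky manifest beside a hardened one. Both manifests, the image name and the service account name are constructed placeholders.

```python
import json

# Constructed sample: a pod that needs no API access but receives a token
# anyway (automountServiceAccountToken defaults to true when unset on both
# the pod and its ServiceAccount) and runs privileged.
RISKY_POD = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "batch-worker"},
    "spec": {
        "serviceAccountName": "default",
        "containers": [{
            "name": "worker",
            "image": "example.invalid/worker:1.0",  # placeholder image
            "securityContext": {"privileged": True},
        }],
    },
})

# Constructed sample: the same pod with the token withheld, a dedicated
# service account, and privilege escalation disabled.
HARDENED_POD = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "batch-worker"},
    "spec": {
        "automountServiceAccountToken": False,
        "serviceAccountName": "batch-worker",  # placeholder dedicated SA
        "containers": [{
            "name": "worker",
            "image": "example.invalid/worker:1.0",
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False},
        }],
    },
})


def audit_pod(raw: str) -> list[str]:
    """Return findings that widen the blast radius of a compromised pod.

    A mounted token lets code in the container reach the cluster API with
    whatever rights the service account has; privileged containers can reach
    the node itself.
    """
    spec = json.loads(raw).get("spec", {})
    findings = []
    # Unset means true at the pod level (unless disabled on the ServiceAccount).
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is automounted into the pod")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("pod runs as the namespace 'default' service account")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container {c['name']} allows privilege escalation")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a manifest path (JSON), or audit the constructed risky sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else RISKY_POD
    for finding in audit_pod(raw) or ["no findings"]:
        print(finding)
```

This is a pod-level view only. Whether a mounted token can actually destroy data on other nodes depends on the RBAC bindings of the service account, so the token finding should be read together with a review of the roles bound to that account.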
Conclusion
TeamPCP's CanisterWorm campaign represents a dangerous evolution in cybercrime tactics, moving from financially motivated extortion to wiper attacks that cause irreversible damage. By targeting cloud infrastructure and leveraging automated exploitation, the group demonstrates a high level of operational sophistication. The supply chain compromise of Trivy further underscores the risks inherent in modern software dependencies. Organizations, particularly those in or related to Iran, should urgently review their cloud security posture, patch exposed services, and monitor for signs of CanisterWorm activity.