TeamPCP Deploys 'CanisterWorm' Wiper Worm Targeting Iranian Systems via Cloud Exploits
The cybercrime group TeamPCP has unleashed a self-propagating wiper worm, dubbed CanisterWorm, that destroys data on systems matching Iran's timezone or Farsi locale, spreading through exposed Docker APIs, Kubernetes clusters, and Redis servers.

A financially motivated data theft and extortion group known as TeamPCP has injected itself into the geopolitical landscape by deploying a wiper worm that specifically targets systems in Iran. The worm, dubbed CanisterWorm by researchers at Aikido, checks the victim's timezone and locale settings and, if they correspond to Iran, proceeds to wipe data on the local machine or, if Kubernetes access is available, every node in the cluster. The campaign materialized over the weekend of March 21-22, 2026, leveraging the same infrastructure TeamPCP used in a recent supply-chain attack against Aqua Security's Trivy vulnerability scanner.
TeamPCP's worm spreads by exploiting poorly secured cloud services, including exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. Once inside a network, the worm attempts lateral movement, stealing authentication credentials and extorting victims over Telegram. According to a January profile by security firm Flare, TeamPCP weaponizes exposed control planes rather than endpoints, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers. "TeamPCP's strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques," wrote Flare's Assaf Morag.
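The worm's entry points are ordinary, well-known services left listening on public interfaces. The following is an added example, not code from the article or from any of the firms it cites: a small audit that reads `ss -Hltn`-style listener lines and flags the service classes named above (Docker API, Redis, Kubernetes API server and kubelet) when they are bound on a wildcard address rather than loopback. The port-to-service mapping is general Docker/Redis/Kubernetes defaults, and the sample socket lines are constructed for the example.

```python
"""Added example: flag wildcard-bound listeners for the exposed control planes the
article names. Input mimics `ss -Hltn` output (no header). Sample lines below are
constructed, not taken from the article."""
import re
from dataclasses import dataclass

# Default ports for the service classes in the article (general knowledge,
# not something the article states).
WATCHED_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    6379: "Redis",
    6443: "Kubernetes API server",
    10250: "kubelet API",
}

# Addresses ss prints when a socket listens on every interface.
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    local_addr: str


def parse_local_endpoint(field):
    """Split an ss local-address field such as '0.0.0.0:2375', '[::]:6379'
    or '*:10250' into (address, port). Returns None if it does not parse."""
    m = re.match(r"^(.*):(\d+)$", field)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def audit_listeners(ss_lines):
    """Return a Finding for every watched port that is bound on a wildcard
    address. Loopback-only listeners and unrelated ports are ignored."""
    findings = []
    for line in ss_lines:
        cols = line.split()
        # ss -Hltn columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(cols) < 4:
            continue
        parsed = parse_local_endpoint(cols[3])
        if parsed is None:
            continue
        addr, port = parsed
        if port in WATCHED_PORTS and addr in WILDCARD:
            findings.append(Finding(port, WATCHED_PORTS[port], addr))
    return findings


# Constructed sample: Redis on loopback (fine), Docker API on 0.0.0.0 (exposed),
# Redis on IPv6 wildcard (exposed), kubelet on '*' (exposed), a web server (ignored).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 [::]:6379 [::]:*
LISTEN 0 4096 *:10250 *:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT.splitlines()):
        print(f"EXPOSED {f.service} listening on {f.local_addr}:{f.port}")
```

On a real host, feed it `subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout.splitlines()` instead of the constructed sample; a wildcard-bound hit means the service is reachable from whatever networks the host's firewall allows, which is exactly the exposure the article says the worm scans for.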
The group orchestrates its campaigns using an Internet Computer Protocol (ICP) canister — a blockchain-based smart contract system that is tamperproof and resistant to takedown. These canisters serve malicious payloads directly to visitors and remain reachable as long as operators pay virtual currency fees. Aikido researcher Charlie Eriksen noted that the canister was rapidly modified over the weekend, sometimes redirecting to a Rick Roll video when not serving malware. "It's a little all over the place, and there's a chance this whole Iran thing is just their way of getting attention," Eriksen told KrebsOnSecurity.
TeamPCP's recent activity includes a supply-chain attack on March 19 against Aqua Security's Trivy scanner, where credential-stealing malware was injected into official GitHub releases. Security firm Wiz reported that the malicious versions stole SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. Eriksen said it appears TeamPCP used access from that first attack to perpetrate the wiper campaign. The group has been bragging on Telegram about stealing vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.
The wiper payload was only active for a short time over the weekend, and there is no reliable way to confirm whether it actually destroyed data on victim systems. However, the incident marks the second major supply-chain attack involving Trivy in as many months, following a February attack by the automated threat HackerBot-Claw. Security experts warn that supply-chain attacks are increasing in frequency as threat actors realize their efficiency. "While security firms appear to be doing a good job spotting this, we're also gonna need GitHub's security team to step up," wrote Risky Business reporter Catalin Cimpanu.
The broader context is a worrying trend of cybercriminal groups adopting wiper malware — traditionally the domain of nation-state actors — for extortion and targeting geopolitical adversaries. TeamPCP's use of blockchain-based infrastructure for command and control represents an evolution in takedown-resistant operations. As Eriksen noted, the group appears to be playing a "Chaotic Evil" role, mixing extortion, supply-chain compromise, data theft, and now wiper attacks in a volatile campaign that security teams will need to monitor closely.