
TeamPCP Launches Wiper Attack on Iran Systems via CanisterWorm

Bottom line: TeamPCP leverages its established infrastructure for a geographically targeted wiper attack in which CanisterWorm deletes data on systems configured for Iran.

For the first time, the cybercrime group TeamPCP is deploying data-deletion malware against systems whose timezone is set to Iran or whose default language is Farsi. The attackers distribute CanisterWorm through unsecured cloud services; the same group previously compromised Aqua Security's Trivy vulnerability scanner.

What happened: TeamPCP, a relatively new, profit-driven cybercrime group, has launched wiper attacks against Iranian systems. The attacks began over the weekend and use a self-propagating worm, CanisterWorm, that spreads through poorly secured cloud services. On an infected host the malware checks whether the timezone is set to Iran or the default language is Farsi and, if so, deletes data.

Infrastructure and previous attacks: TeamPCP has been operating since December 2023 and specializes in cloud-native attacks. The group uses automated exploits against exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. According to a January analysis by security firm Flare, TeamPCP focuses on compromising control planes rather than endpoints: 61 percent of infected servers ran on Azure and 36 percent on AWS. On March 19, TeamPCP carried out a supply chain attack on Aqua Security's Trivy scanner, inserting credential stealers into the official GitHub Actions releases. Through that implant the attackers harvested SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallet data.
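The Trivy incident is a reminder that a workflow step such as `uses: owner/action@tag` resolves a mutable tag at run time, so whoever can move the tag controls what runs in your CI. The following script, added here and not taken from the article or from Aqua Security, walks a workflow file and flags every action reference that is not pinned to a full 40-character commit SHA (or, for `docker://` steps, an image digest). The sample workflow and the commit SHA in it are constructed placeholders. Pinning to a reviewed commit closes the moved-tag path; it does not help if the pinned commit itself was malicious when you reviewed it.

```python
"""Audit GitHub Actions workflow text for mutable action references.

Added example, not from the article or from Aqua Security. The sample
workflow below is constructed; its 40-hex commit SHA and the image digest
are placeholders, not real pins for any action or image.
"""
import re

# One `uses:` value per step line; stops at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow (assumption, not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


def classify_ref(uses):
    """Return a verdict string for one `uses:` value."""
    if uses.startswith("./"):
        # Lives in the same repository; reviewed together with the code.
        return "local path (reviewed with the repo)"
    if uses.startswith("docker://"):
        # Image tags move like git tags; only a digest is immutable.
        return "pinned to image digest" if "@sha256:" in uses else "mutable image tag"
    if "@" not in uses:
        return "no ref (defaults to a mutable branch)"
    ref = uses.rsplit("@", 1)[1]
    if SHA_RE.fullmatch(ref):
        return "pinned to commit SHA"
    return "mutable ref (tag or branch)"


def audit(workflow_text):
    """List (uses value, verdict) pairs for every step in the workflow text."""
    return [(u, classify_ref(u)) for u in USES_RE.findall(workflow_text)]


def unpinned(workflow_text):
    """Only the references an attacker could redirect by moving a tag or branch."""
    return [u for u, v in audit(workflow_text) if v.startswith(("mutable", "no ref"))]


if __name__ == "__main__":
    for uses, verdict in audit(SAMPLE_WORKFLOW):
        print("%-90s %s" % (uses, verdict))
    print("unpinned:", unpinned(SAMPLE_WORKFLOW))
```

Run it over each file under `.github/workflows/` in a repository; every line in the `unpinned` list is a place where a compromised upstream release would run in your pipeline with whatever secrets that job holds.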

Relevance for practitioners: Organizations running systems in Iran, and any organization with cloud infrastructure, should immediately check whether Docker APIs, Kubernetes API servers, or Redis instances in their environments are reachable without authentication. Note that only the wiper payload is geographically selective; the worm's propagation through exposed services is not, so hosts outside Iran are still compromised and serve as propagation points. TeamPCP demonstrates that established exploit infrastructure is flexibly repurposed: the Trivy malware was rebuilt on the same technical foundation into a geographically specific wiper campaign. The group's automation and scalability show that security through routine patch cycles alone is insufficient; exposure management and network segmentation are critical.
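The three entry points named above can each be checked with one unauthenticated request, and the reply tells you which case you are in. The script below is an added example, not code from the article or from TeamPCP's tooling; it probes the Docker Engine API on plain-HTTP port 2375, the Kubernetes API server on 6443, and Redis on 6379, and classifies the responses. The host list is a placeholder assumption; point it at your own inventory and run it only against assets you are authorized to test.

```python
"""Probe for unauthenticated Docker, Kubernetes and Redis endpoints.

Added example, not from the article. Assumptions: conventional ports
(Docker API 2375 plain HTTP, Kubernetes API 6443 TLS, Redis 6379) and a
placeholder host list; replace HOSTS with your own inventory.
"""
import http.client
import json
import socket
import ssl

TIMEOUT = 3.0
HOSTS = ["10.0.0.5", "10.0.0.6"]  # constructed placeholders, not from the article


def classify_docker(status, body):
    """A 200 on GET /version with no credentials means the daemon answers
    unauthenticated; Docker never asks for a password, so reachability is
    the whole finding."""
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if "ApiVersion" in info or "Version" in info:
            return "EXPOSED: unauthenticated Docker API"
    return "not a plain-HTTP Docker API"


def classify_k8s(status):
    """Status code of an anonymous request for a namespaced resource. Paths
    such as /version and /healthz are public by default, so they are not
    used here; /api/v1/namespaces is only readable if RBAC grants it."""
    if status == 200:
        return "EXPOSED: anonymous user can list API objects"
    if status == 403:
        return "anonymous auth enabled, denied by RBAC (review)"
    if status == 401:
        return "anonymous auth disabled"
    return "unknown (HTTP %d)" % status


def classify_redis(reply):
    """Reply to an unauthenticated inline PING: +PONG means commands are
    accepted without AUTH; -NOAUTH and -DENIED are the two safe answers."""
    if reply.startswith(b"+PONG"):
        return "EXPOSED: Redis accepts commands without AUTH"
    if reply.startswith(b"-NOAUTH"):
        return "requires AUTH"
    if reply.startswith(b"-DENIED"):
        return "protected mode"
    return "unknown reply"


def probe_docker(host, port=2375):
    try:
        conn = http.client.HTTPConnection(host, port, timeout=TIMEOUT)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        return classify_docker(resp.status, resp.read())
    except (OSError, http.client.HTTPException) as exc:
        return "closed/unreachable (%s)" % exc.__class__.__name__


def probe_k8s(host, port=6443):
    # Verification is disabled on purpose: only the status code matters here,
    # and internal API servers usually present private CA certificates.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=TIMEOUT, context=ctx)
        conn.request("GET", "/api/v1/namespaces")
        return classify_k8s(conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:
        return "closed/unreachable (%s)" % exc.__class__.__name__


def probe_redis(host, port=6379):
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as s:
            s.sendall(b"PING\r\n")
            return classify_redis(s.recv(256))
    except OSError as exc:
        return "closed/unreachable (%s)" % exc.__class__.__name__


def scan(hosts):
    """Map each host to the verdict for all three services."""
    return {h: {"docker": probe_docker(h), "kubernetes": probe_k8s(h),
                "redis": probe_redis(h)} for h in hosts}


if __name__ == "__main__":
    for host, findings in scan(HOSTS).items():
        for service, verdict in findings.items():
            print("%-15s %-10s %s" % (host, service, verdict))
```

A "closed/unreachable" verdict from the scanning host is not a clean bill of health: repeat the scan from outside the cloud network boundary, since the group's automation finds these services from the internet, and treat a Docker API that answers on 2376 with TLS but without client-certificate enforcement as equally exposed.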


Source: ainews-dev.lumi-systems.io · Published May 17, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.5.2.
