CanisterWorm Wiper Attack: How a Cybercrime Group Targets Iranian Infrastructure

Introduction

A financially motivated cybercrime group has stirred controversy by launching a destructive wiper campaign specifically targeting Iranian systems. The attack, carried out by a relatively new but highly automated group known as TeamPCP, uses a self-propagating worm—dubbed CanisterWorm—that spreads through poorly secured cloud services and wipes data on any infected device that uses Iran's time zone or has Farsi set as the default language. This tactic marks a notable escalation from the group's usual data theft and extortion operations.

CanisterWorm Wiper Attack: How a Cybercrime Group Targets Iranian Infrastructure
Source: krebsonsecurity.com

Background on TeamPCP

TeamPCP emerged on the cybercrime scene in late 2025, quickly gaining notoriety for its high-volume, automated attacks against cloud infrastructure. The group does not rely on novel exploits or custom malware; instead, it weaponizes well-known vulnerabilities and misconfigurations at scale. According to security firm Flare, TeamPCP excels at turning exposed cloud control planes into a self-propagating criminal ecosystem. Their primary targets have been cloud environments, with Azure accounting for 61% of compromised servers and AWS for 36%.

How CanisterWorm Works

Researchers at Aikido have named the group's attack infrastructure CanisterWorm because of its use of Internet Computer Protocol (ICP) canisters—tamperproof, blockchain-based smart contracts. These canisters orchestrate the worm's spread and payload delivery. The worm initially seeks out exposed Docker APIs, Kubernetes clusters, Redis servers, and systems vulnerable to the React2Shell vulnerability. Once inside, it moves laterally across the network, stealing authentication credentials and extorting victims over Telegram.

The key distinguishing feature of the latest campaign is a wiper component that checks the victim's time zone and locale. If the system is set to Iran's time zone or has Farsi as the default language, the wiper activates. For victims with access to a Kubernetes cluster, it destroys data on every node in that cluster; otherwise, it wipes the local machine. This conditional logic lets the attackers avoid collateral damage outside their intended target.

Targeting Iran: A Shift in Tactics

Experts first detected the wiper campaign on the weekend of March 19, 2026. It represents a shift for TeamPCP, which previously focused on data theft and extortion. The decision to target Iran specifically has raised eyebrows, as the group appears to be injecting itself into geopolitical tensions. However, no clear political motive has been confirmed; some analysts suggest the attackers may be trying to attract attention or sell their services to state actors.

Connection to the Trivy Supply Chain Attack

TeamPCP's technical infrastructure was also used in a separate supply chain attack against Aqua Security's Trivy vulnerability scanner on March 19. In that incident, the attackers injected credential-stealing malware into official GitHub releases of Trivy. The malicious versions were designed to steal SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from users. Aqua Security has since removed the harmful files, but Wiz researchers noted that the attackers successfully published compromised versions that users may have downloaded.

Security researcher Charlie Eriksen of Aikido observed that the same infrastructure deployed for the Trivy attack was reused for the wiper campaign. This reuse underscores the group's operational efficiency and its ability to pivot between different types of cybercrime.

How Organizations Can Protect Themselves

To defend against CanisterWorm and similar threats, organizations should:

  • Secure cloud APIs and management interfaces with strong authentication and network segmentation.
  • Regularly scan for misconfigurations in Docker, Kubernetes, and Redis deployments.
  • Apply patches for known vulnerabilities like React2Shell immediately.
  • Monitor for unauthorized access to cloud environments and unusual lateral movement.
  • Implement multi-factor authentication and least-privilege access for cloud resources.
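The scanning step above can be partly automated against the three services the article names as CanisterWorm's entry points. The following Python script is an added example, not code from the article or from any of the vendors it cites; it audits constructed Docker daemon.json, redis.conf and kubelet config snippets (all sample values are invented) and reports the weak settings next to their hardened counterparts.

```python
import json

# Constructed sample configs for the demonstration (not from any real host).
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAFE_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true}'
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
SAFE_REDIS = "bind 127.0.0.1\nprotected-mode yes\nrequirepass example-only-password\n"
WEAK_KUBELET = '{"authentication": {"anonymous": {"enabled": true}}}'
SAFE_KUBELET = '{"authentication": {"anonymous": {"enabled": false}}}'

LOOPBACK = ("127.", "::1", "-::1", "localhost")

def audit_docker(daemon_json: str) -> list[str]:
    """Flag a Docker daemon that accepts plain TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        return [f"Docker API on {', '.join(tcp)} without tlsverify"]
    return []

def audit_redis(conf: str) -> list[str]:
    """Flag a Redis instance reachable from other hosts with no password set."""
    d = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            d[key.lower()] = value.strip()
    binds = d.get("bind", "").split()
    exposed = not binds or any(not b.startswith(LOOPBACK) for b in binds)
    # protected-mode only refuses outside clients when no bind and no password are
    # configured, so an explicit non-loopback bind without requirepass is exposed.
    if exposed and "requirepass" not in d and (binds or d.get("protected-mode", "yes") == "no"):
        return ["Redis reachable from other hosts with no requirepass"]
    return []

def audit_kubelet(config_json: str) -> list[str]:
    """Flag a kubelet that answers anonymous (unauthenticated) API requests."""
    cfg = json.loads(config_json)
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled", False):
        return ["kubelet anonymous authentication enabled"]
    return []

def audit_all(docker: str, redis: str, kubelet: str) -> list[str]:
    """Combine the three audits into one findings list for a host."""
    return audit_docker(docker) + audit_redis(redis) + audit_kubelet(kubelet)

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_DOCKER, WEAK_REDIS, WEAK_KUBELET)),
                        ("hardened", (SAFE_DOCKER, SAFE_REDIS, SAFE_KUBELET))):
        print(label, audit_all(*args))
```

The weak set yields three findings and the hardened set none; point the parsers at real config files on your own hosts to get the same report.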

Conclusion

The CanisterWorm wiper attack is a stark reminder that financially motivated cybercrime groups can easily adapt their tools to target specific nations. TeamPCP's use of automated, large-scale exploitation techniques combined with blockchain-based infrastructure makes them a persistent threat. While the group's motives remain unclear, the targeting of Iran could signal a new trend where criminal groups insert themselves into geopolitical conflicts. Organizations worldwide, especially those with cloud infrastructure, should review their security posture to prevent falling victim to such attacks.