10 Critical Facts About the CanisterWorm Wiper Attack on Iran

2026-05-03 12:48:18

In a dramatic escalation of cyber conflict, a financially motivated extortion group known as TeamPCP has launched a devastating wiper campaign specifically targeting Iranian infrastructure. The self-propagating worm, dubbed CanisterWorm, exploits insecure cloud services and wipes data on any system on which it detects Iran's time zone or Farsi as the default language. This article breaks down the ten key elements you need to understand about this sophisticated attack.

1. The Emergence of TeamPCP

TeamPCP is a relatively new cybercrime group that first came to light in late 2025. Unlike traditional ransomware gangs, this group focuses on data theft and extortion, leveraging cloud-native exploitation at industrial scale. Security firm Flare described their approach as leveraging exposed control planes rather than exploiting endpoints, showing a strategic shift toward cloud infrastructure. The group's operations are highly automated, combining recycled tools with well-known vulnerabilities to create a self-propagating criminal ecosystem.

10 Critical Facts About the CanisterWorm Wiper Attack on Iran
Source: krebsonsecurity.com

2. How CanisterWorm Spreads

The worm spreads through poorly secured cloud environments, specifically targeting exposed Docker APIs, Kubernetes clusters and Redis servers, and exploiting the React2Shell vulnerability. TeamPCP does not rely on zero-day exploits; instead, it industrializes existing misconfigurations and vulnerabilities. Once inside a network, the worm moves laterally, siphoning authentication credentials and setting the stage for data destruction. This propagation method allows the group to compromise multiple organizations rapidly without needing sophisticated tools.

3. The Targeting Criterion: Iran's Time Zone and Farsi

The wiper component of CanisterWorm is highly selective: it activates only if the infected system's time zone matches Iran's (UTC+3:30) or if the default language is set to Farsi. This geographical targeting suggests the attackers intend to disrupt Iranian infrastructure specifically. Security researcher Charlie Eriksen of Aikido noted that if the wiper detects a Kubernetes cluster in Iran, it will destroy data on every node. Otherwise, it wipes the local machine. This precision targeting makes the attack both unique and particularly dangerous for Iranian organizations.

4. The Blockchain-Based Command Infrastructure

Aikido named the worm “CanisterWorm” because TeamPCP orchestrates campaigns using an Internet Computer Protocol (ICP) canister—a tamperproof, blockchain-based smart contract system. This decentralized infrastructure makes it extremely difficult for law enforcement or security researchers to take down the command-and-control servers. The canisters are used to distribute payloads and update configurations, providing resilience against takedown attempts. This innovative use of blockchain for cybercrime marks a notable evolution in attack infrastructure.

5. The December 2025 Campaign Beginning

TeamPCP began compromising corporate cloud environments in December 2025, using the self-propagating worm to gain initial access. The group then attempted to move laterally through victim networks, stealing credentials and extorting victims over Telegram. The campaign has been ongoing for several months, with the wiper attack representing a major escalation. The December start aligns with the group's profile as a relatively new but aggressive threat actor.

6. The Supply Chain Attack on Trivy

On March 19, 2025, TeamPCP executed a supply chain attack against Aqua Security's Trivy vulnerability scanner. They injected credential-stealing malware into official releases on GitHub Actions. Aqua Security removed the harmful files, but security firm Wiz reported that the attackers published malicious versions that stole SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. This attack demonstrated the group's ability to compromise trusted software distribution channels and their focus on stealing cloud credentials.

7. The Wiper Deployment Over the Weekend

Over the weekend following the Trivy attack, TeamPCP leveraged the same technical infrastructure used in that supply chain attack to deploy the wiper payload. According to Charlie Eriksen, the wiper was distributed via the same ICP canister system. This rapid reuse of infrastructure highlights the group's operational agility and ability to pivot from data theft to data destruction within days. The wiper attack materialized suddenly, catching many defenders off guard.

8. Lateral Movement and Data Theft

Beyond the wiper, TeamPCP is known for moving laterally through victim networks after initial compromise. They steal authentication credentials and then extort victims over Telegram, threatening to leak stolen data if ransoms are not paid. This dual extortion approach—combining data theft with the threat of data destruction—makes them particularly dangerous. The lateral movement often targets cloud control planes rather than endpoints, allowing widespread access with minimal endpoint visibility.

9. Widespread Impact on Cloud Infrastructure

If a victim is located in Iran and has access to a Kubernetes cluster, the wiper destroys data on every node in that cluster. For victims outside Iran or without a Kubernetes cluster, the local machine is wiped. This broad destructive capability could cripple entire cloud deployments, making recovery extremely difficult. The focus on cloud infrastructure means that even organizations with good endpoint security could be vulnerable if their cloud services are misconfigured.

10. Cloud Provider Targeting: Azure and AWS Dominate

According to Flare's profile, Azure accounts for 61% of compromised servers, and AWS for 36%, totaling 97% of all compromised cloud servers. This heavy focus on the two largest cloud providers suggests that TeamPCP has specialized tools or scripts for these environments. Organizations using Azure or AWS should audit their exposed ports, especially Docker APIs and Kubernetes control planes, and ensure that no cloud credentials are leaked in public repositories.
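As an added, defender-side example (not from the article or from any of the firms it cites), here is a small Python audit that parses `ss -ltn` output and flags the services named above (Docker API, Kubernetes API, Redis) when they listen on a non-loopback address; the port numbers are the services' well-known defaults, and the sample output embedded in the script is constructed.

```python
"""Audit listening sockets for the services the article names (Docker API, Kubernetes,
Redis) and flag any bound to a non-loopback address. Ports are the well-known defaults."""
import ipaddress
import re
import sys

# Assumption: the services run on their default ports.
WATCHED_PORTS = {
    2375: "Docker API (plaintext, unauthenticated by default)",
    6443: "Kubernetes API server",
    6379: "Redis",
}
# ss prints local addresses as 0.0.0.0:2375, [::]:6443, *:6379 or 127.0.0.1:6379
_ADDR_RE = re.compile(r"^\[?(?P<host>[^\]\s]*)\]?:(?P<port>\d+)$")

# Constructed `ss -ltn` output standing in for a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096     0.0.0.0:2375         0.0.0.0:*
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096     [::]:6443            [::]:*
LISTEN  0       511      [::1]:6379           [::]:*
"""

def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcards ('*', '::', 0.0.0.0) count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # '*' or an interface-scoped address such as fe80::1%eth0
        return False

def audit_listeners(ss_output: str) -> list[dict]:
    """Return one finding per watched port that listens on a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()  # State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _ADDR_RE.match(fields[3])
        if m is None:
            continue
        host, port = m.group("host"), int(m.group("port"))
        if port in WATCHED_PORTS and not _is_loopback(host):
            findings.append({"port": port, "bind": host, "service": WATCHED_PORTS[port]})
    return findings

if __name__ == "__main__":  # usage: ss -ltn | python3 audit_listeners.py
    for f in audit_listeners(sys.stdin.read()):
        print(f"EXPOSED  {f['bind']}:{f['port']}  {f['service']}")
```

On the constructed sample the script reports the plaintext Docker API on 0.0.0.0:2375 and the Kubernetes API on [::]:6443, and ignores SSH (not watched) and the loopback-only Redis.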

In conclusion, the CanisterWorm wiper attack represents a concerning evolution in financially motivated cybercrime, combining blockchain-based command infrastructure with precise geographical targeting. Organizations—especially those with cloud deployments in Iran or using Farsi—should immediately review their cloud security posture, patch exposed services, and monitor for signs of worm propagation. TeamPCP's ability to rapidly pivot from credential theft to data destruction makes them a formidable threat that requires proactive defense.