
Iran-Targeted Wiper Worm 'CanisterWorm' Strikes Cloud Systems in Cybercrime Escalation

Published 2026-05-02 19:43:27 · Cybersecurity

A financially motivated cybercrime group has launched a wiper attack specifically targeting systems in Iran, deploying a self-propagating worm that destroys data on machines configured with Iran's time zone or Farsi language settings, according to security researchers.

The attack, which unfolded over the weekend, is the work of a relatively new group known as TeamPCP. Researchers at Aikido, who dubbed the worm 'CanisterWorm', say it spreads through poorly secured cloud services, including exposed Docker APIs, Kubernetes clusters and Redis servers, and by exploiting the React2Shell vulnerability.

Critical Details

Charlie Eriksen, a security researcher at Aikido, confirmed the wiper component triggers only when the victim's timezone and locale match Iran. 'If the wiper detects the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster. If not, it will just wipe the local machine,' Eriksen said.

Source: krebsonsecurity.com

TeamPCP has been active since December 2025, primarily targeting cloud infrastructure. Security firm Flare described the group's approach in a January profile: 'TeamPCP's strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,' wrote Flare's Assaf Morag.

Background

The group's modus operandi is to compromise corporate cloud environments with a self-propagating worm. Once inside, the group moves laterally, harvests authentication credentials, and extorts victims via Telegram. According to Flare, Azure (61%) and AWS (36%) together account for 97% of compromised servers.

On March 19, TeamPCP executed a supply chain attack against Aqua Security's Trivy vulnerability scanner, injecting credential-stealing malware into official GitHub releases. Aqua has since removed the malicious files; security firm Wiz noted that the trojanized versions stole SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets.


Technical Infrastructure

Aikido's name 'CanisterWorm' derives from the group's use of an Internet Computer Protocol (ICP) canister, a smart contract hosted on a blockchain network, to orchestrate its campaigns. Because a canister is hard to alter or take down, it gives the group resilient command infrastructure, and over the weekend that infrastructure was used to deliver the Iran-specific wiper payload.

What This Means

This incident marks a dangerous escalation where cybercriminal extortion tactics are being weaponized with geopolitical targeting. The wiper's deliberate targeting of Iranian systems suggests the group is attempting to inject itself into ongoing regional tensions, potentially causing widespread data loss and operational disruption.

For cloud security practitioners, this attack underscores the urgent need to close the entry points the worm relies on: a Docker daemon listening on a plain TCP socket hands anyone who can reach it root on the host, an unauthenticated Redis instance bound to all interfaces accepts arbitrary commands, and a reachable Kubernetes API or kubelet lets a single compromised credential spread the damage to every node. TeamPCP's industrial-scale automation of known vulnerabilities demonstrates that even without novel exploits, attackers can cause significant damage by exploiting misconfigurations.
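As an added illustration of the kind of check that would catch two of the misconfigurations described above, the following script (written for this page, not code from Aikido, Flare or TeamPCP's tooling) audits a Docker daemon.json and a redis.conf for an API exposed over plain TCP and a Redis server reachable without authentication, and shows each weak setting beside its hardened form. All four configuration samples are constructed; the file paths and the Redis password are placeholders.

```python
"""Audit dockerd and Redis configs for the exposures an automated cloud worm scans for."""
import json

# Constructed sample: Docker API on all interfaces, no TLS client verification.
# Anyone who can reach TCP/2375 can start a privileged container on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Constructed sample: same daemon, but clients must present a cert signed by our CA.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",            # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Constructed sample: an explicit bind disables Redis protected mode's safety net,
# so with no password every client on the network gets full access.
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
# Constructed sample: loopback only, protected mode on, password required.
HARDENED_REDIS_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
"""


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a dockerd daemon.json document."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("docker: API on " + ", ".join(tcp_hosts)
                        + " without tlsverify; any client reaching the port is root on the host")
    if cfg.get("tlsverify") and not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("docker: tlsverify set but tlscacert/tlscert/tlskey are incomplete")
    return findings


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Map each redis.conf directive to its argument list; '#' lines are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        directives[name.lower()] = rest.split()
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return findings for a redis.conf document."""
    d = parse_redis_conf(text)
    findings = []
    # No bind directive means Redis listens on every interface; a leading '-' marks
    # an address that may be absent, and '*' / '::*' are explicit wildcards.
    binds = [a.lstrip("-") for a in d.get("bind", ["*"])]
    if any(a in ("0.0.0.0", "*", "::", "::*") for a in binds):
        findings.append("redis: bound to all interfaces (" + " ".join(binds) + ")")
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not any(k in d for k in ("requirepass", "user", "aclfile")):
        findings.append("redis: no requirepass or ACL users; every client has full access")
    return findings


if __name__ == "__main__":
    for label, cfg, fn in (("weak docker", WEAK_DAEMON_JSON, audit_docker_daemon),
                           ("hardened docker", HARDENED_DAEMON_JSON, audit_docker_daemon),
                           ("weak redis", WEAK_REDIS_CONF, audit_redis_conf),
                           ("hardened redis", HARDENED_REDIS_CONF, audit_redis_conf)):
        print(label, "->", fn(cfg) or "no findings")
```

The Docker check treats a TLS-protected listener as acceptable because the daemon then refuses clients without a CA-signed certificate; whether the port should be reachable from the internet at all is a network-policy question the script does not decide. The Redis check deliberately does not give credit for protected mode when an explicit `bind` is present, since protected mode only refuses remote clients when no bind and no password are configured.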

The supply chain attack on Trivy further highlights risks in the software development pipeline. Organizations should review their use of third-party tools, pin the versions they depend on, and verify release artifacts before running them. A checksum file served from the same release as the artifact is no defense on its own: an attacker who can replace the binary can publish matching checksums alongside it, so the hash to compare against must be recorded out of band when the version is vetted, or the release must carry a signature whose key the attacker does not control.
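As an added worked example of that distinction, written for this page and not drawn from Aqua's or Wiz's tooling, the script below verifies a downloaded release artifact three ways: it must be listed in the release's sha256sum-style checksums file, its hash must match that entry, and the hash must also match a pinned value recorded when the version was first vetted. The artifact name, the byte contents and the checksum files are all constructed; the scenario where only the pinned hash catches the swap is the one the Trivy incident describes.

```python
"""Verify a release artifact against its checksums file and an out-of-band pinned hash."""
import hashlib
import hmac

# Constructed: a hypothetical artifact name and the bytes of two versions of it.
ARTIFACT = "scanner_0.1.0_linux_amd64.tar.gz"
GOOD = b"constructed: bytes of the release as originally vetted"
TROJAN = b"constructed: bytes of a republished release carrying a credential stealer"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned at vetting time and stored with our own config, not fetched from the release.
PINNED = sha256_hex(GOOD)
# Constructed checksums.txt contents in sha256sum format: "<hex>  <filename>".
GOOD_CHECKSUMS = f"{sha256_hex(GOOD)}  {ARTIFACT}\n"
# What a compromised release would serve: checksums that match the trojanized file.
ATTACKER_CHECKSUMS = f"{sha256_hex(TROJAN)}  {ARTIFACT}\n"


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum output; binary-mode lines carry a '*' before the name."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries


def verify_artifact(name: str, data: bytes, checksums_text: str,
                    pinned_sha256: str) -> tuple[bool, str]:
    """Return (ok, reason). Constant-time comparison avoids leaking digest prefixes."""
    actual = sha256_hex(data)
    listed = parse_checksums(checksums_text).get(name)
    if listed is None:
        return False, f"{name} not listed in checksums file"
    if not hmac.compare_digest(actual, listed):
        return False, "artifact does not match the release checksums file (corrupt or tampered download)"
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        return False, "artifact matches the release's own checksums but not the pinned hash: the release itself changed"
    return True, "ok"


if __name__ == "__main__":
    print("vetted release:", verify_artifact(ARTIFACT, GOOD, GOOD_CHECKSUMS, PINNED))
    print("trojan + attacker checksums:", verify_artifact(ARTIFACT, TROJAN, ATTACKER_CHECKSUMS, PINNED))
    print("trojan + original checksums:", verify_artifact(ARTIFACT, TROJAN, GOOD_CHECKSUMS, PINNED))
```

Run it and the second case is the instructive one: the trojanized file passes the checksums-file comparison, because the attacker published both, and is rejected only by the pinned hash. Where a project signs its releases, verifying that signature against the project's published key (or a transparency-log identity) gives the same independence without keeping a hash per version, but the pinned value still catches a key that has been quietly replaced.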

As geopolitical conflicts increasingly intersect with cybercrime, the 'CanisterWorm' incident serves as a stark reminder that financially motivated groups may align with state-level objectives, blurring the lines between crime and sabotage.