CanisterWorm Malware Targets Cloud Environments to Steal Secrets
Severity: High (Score: 66.6)
Sources: Cybersecuritynews, Gbhackers
Summary
TeamPCP, a financially motivated cybercrime group, is exploiting poorly secured cloud environments with a self-propagating malware called CanisterWorm. The malware targets exposed Docker APIs, Kubernetes clusters, and Redis servers, and leverages known vulnerabilities such as React2Shell to gain unauthorized access. The campaign has been active since late 2025 but escalated significantly over the past weekend, raising alarms within the cybersecurity community. Victims are at risk of credential theft and extortion. The scope of the impact is broad, affecting numerous organizations with insecure cloud configurations. Security experts are urging immediate action to secure these systems. Current status indicates ongoing exploitation and heightened alert among cybersecurity professionals.
Key Points:
- CanisterWorm exploits poorly secured Docker, Kubernetes, and Redis environments.
- The malware uses known vulnerabilities like React2Shell for unauthorized access.
- TeamPCP has escalated its activities significantly since late 2025.
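The summary names two of the exposure patterns the campaign relies on: a Docker Engine API published over TCP without TLS client verification, and a Redis instance reachable from untrusted networks with protected mode off and no password. The following is an added defender-side example, not code from the reporting sources or from any of the named projects, that audits a Docker daemon.json and a redis.conf for exactly those settings. The two sample configurations are constructed for the example; the function names (audit_docker_daemon, audit_redis_conf) are this example's own. It inspects configuration only, so it does not tell you whether a firewall or security group actually blocks the listener; treat a finding as a reason to verify reachability, not as proof of exposure.

```python
import json

# Constructed sample configs (not taken from any real host): a Docker daemon.json
# that publishes the Engine API on all interfaces without TLS, and a redis.conf
# that listens on all interfaces with protected mode off and no password.
SAMPLE_DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})

SAMPLE_REDIS_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass is commented out, so any client that can reach the port is trusted
# requirepass change-me
"""


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a Docker daemon.json that exposes the Engine API.

    The Engine API is root-equivalent on the host: any client that can reach it
    can start privileged containers. A tcp:// listener is only acceptable with
    TLS client verification ("tlsverify": true) and a non-wildcard bind.
    """
    findings = []
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: not reachable over the network
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in tcp_hosts:
        if not tls_verify:
            findings.append(f"docker: Engine API on {host} without tlsverify")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"docker: Engine API bound to all interfaces ({host})")
    return findings


def audit_redis_conf(conf_text: str) -> list[str]:
    """Return findings for a redis.conf that leaves the server open to remote clients."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip()

    findings = []
    bind = directives.get("bind", "")
    # With no bind directive at all Redis listens on every interface, so treat
    # "absent" the same as an explicit wildcard bind.
    if not bind or any(addr in ("0.0.0.0", "::", "*", "-::*") for addr in bind.split()):
        findings.append("redis: bound to all interfaces")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in directives:
        findings.append("redis: no requirepass set")
    return findings


if __name__ == "__main__":
    for finding in audit_docker_daemon(SAMPLE_DOCKER_DAEMON_JSON) + audit_redis_conf(SAMPLE_REDIS_CONF):
        print(finding)
```

On a real host, read /etc/docker/daemon.json and the running Redis config file into the two functions; an empty list from both means the configuration side is clean, and any finding should be paired with a check of what the port is actually reachable from.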
Key Entities
- Malware (attack_type)
- Worm (attack_type)
- CanisterWorm (malware)
- React2Shell (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- Docker (tool)
- Kubernetes (platform)
- Redis (platform)