TeamPCP's CanisterWorm Targets Iranian Systems with Destructive Kubernetes Wiper

TeamPCP's CanisterWorm Targets Iranian Systems with Destructive Kubernetes Wiper

First seen 23 Mar 2026, 20:30 UTC Aikido.DevBleepingcomputerGbhackersCybersecuritynews 86% similarity 78.0

Article Content

Browse articles
ThreatCluster

TeamPCP has launched a new cyber campaign deploying a destructive payload that targets Kubernetes clusters configured for Iran. This wiper malware, part of the ongoing CanisterWorm campaign, uses the same command-and-control infrastructure as previous attacks, specifically the ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io). When the malware detects an Iranian configuration, it deploys a DaemonSet named 'host-provisioner-iran' that wipes the host's filesystem and forces a reboot. For non-Iranian targets, it installs a backdoor instead. The attack is notable for its geopolitical targeting, marking a shift from credential theft to outright destruction. The malware also affects non-Kubernetes systems by attempting to delete user files. This campaign is an evolution of TeamPCP's tactics, indicating a growing threat to cloud-native environments. Current assessments highlight the urgency of addressing this threat due to its destructive capabilities.

Key Points: • TeamPCP's new payload wipes Kubernetes clusters configured for Iran. • The malware uses the same C2 infrastructure as previous CanisterWorm attacks. • Destructive actions include deleting host files and rebooting systems.

ThreatCluster AI

Timeline

2025-03-20
CanisterWorm campaign initiated by TeamPCP.
2026-03-22
Aikido.Dev reports on the new destructive payload.
2026-03-23
Bleepingcomputer publishes details on TeamPCP's targeting.
2026-03-24
Gbhackers and Cybersecuritynews report on the ongoing threat.

Community

Browse all →