Bleepingcomputer
TeamPCP's CanisterWorm Targets Iranian Systems with Destructive Kubernetes Wiper
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
TeamPCP has launched a new cyber campaign deploying a destructive payload that targets Kubernetes clusters configured for Iran. This wiper malware, part of the ongoing CanisterWorm campaign, uses the same command-and-control infrastructure as previous attacks, specifically the ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io). When the malware detects an Iranian configuration, it deploys a DaemonSet named 'host-provisioner-iran' that wipes the host's filesystem and forces a reboot. For non-Iranian targets, it installs a backdoor instead. The attack is notable for its geopolitical targeting, marking a shift from credential theft to outright destruction. The malware also affects non-Kubernetes systems by attempting to delete user files. This campaign is an evolution of TeamPCP's tactics, indicating a growing threat to cloud-native environments. Current assessments highlight the urgency of addressing this threat due to its destructive capabilities.
Key Points: • TeamPCP's new payload wipes Kubernetes clusters configured for Iran. • The malware uses the same C2 infrastructure as previous CanisterWorm attacks. • Destructive actions include deleting host files and rebooting systems.