The cybercrime group TeamPCP has added a destructive wiper component to their cloud-native attack infrastructure, specifically targeting systems in Iran based on timezone and language settings.
From Data Theft to Destruction
Security researcher Charlie Eriksen at Aikido discovered that TeamPCP deployed the wiper payload over the weekend, leveraging the same technical infrastructure used in their recent supply chain attack against Trivy, the popular vulnerability scanner from Aqua Security.
The malicious payload, dubbed “CanisterWorm,” checks whether the victim’s timezone corresponds to Iran and whether Farsi is set as the default language. If these conditions are met and the system has access to a Kubernetes cluster, the wiper destroys data on every node in that cluster. Systems without Kubernetes access are simply wiped locally.
Blockchain-Based Command Infrastructure
TeamPCP operates their campaign infrastructure using Internet Computer Protocol (ICP) canisters—tamperproof, blockchain-based smart contracts that combine code and data. These canisters can serve web content directly and their distributed architecture makes them highly resistant to takedown attempts, remaining operational as long as operators pay virtual currency fees.
Pattern of Cloud-Native Attacks
According to research from Flare published in January, TeamPCP has been compromising corporate cloud environments since December 2025 using a self-propagating worm targeting:
- Exposed Docker APIs
- Kubernetes clusters
- Redis servers
- React2Shell vulnerabilities
The group predominantly targets cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.
Supply Chain Attack Expansion
Wiz is reporting that TeamPCP has also pushed credential-stealing malware to the KICS vulnerability scanner from Checkmarx, with the scanner’s GitHub Action compromised on March 23rd.
This represents the second major supply chain attack involving Trivy in as many months, following the HackerBot-Claw campaign in February that mass-exploited misconfigured GitHub Actions workflows.
Chaos as a Strategy
Eriksen noted the group’s erratic behavior, rapidly taking malicious code up and down while adding new features. When not serving malware, the canister redirected visitors to a Rick Roll video on YouTube. “It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen told Krebs on Security. “I feel like these people are really playing this Chaotic Evil role here.”
Implications
While the actual damage from the wiper remains unconfirmed—the payload was only active briefly—this attack demonstrates how cybercriminal groups can quickly pivot to destructive operations targeting specific nations. Organizations using cloud infrastructure should audit their Docker API exposure, Kubernetes cluster security, and GitHub Actions configurations.
