CanisterWorm Springs Wiper Attack Targeting Iran | Krebs on Security

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

[Image caption: A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran's timezone or have Farsi as the default language. Image: Aikido.dev]

In a profile of TeamPCP published in January, the security firm Flare said the group "weaponizes exposed control planes rather than exploiting endpoints," predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.

"TeamPCP's strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques," Flare's Assaf Morag wrote. "The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem."

On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub Actions. Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.

Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload, which executes a wiper attack if the user's timezone and locale are determined to correspond to Iran, said Charlie Eriksen, a security researcher at Aikido. In a blog post published on Sunday, Eriksen said that if the wiper component detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster.

"If it doesn't, it will just wipe the local machine," Eriksen told KrebsOnSecurity.

[Image: Aikido.dev]

Aikido refers to TeamPCP's infrastructure as "CanisterWorm" because the group orchestrates its campaigns using an Internet Computer Protocol (ICP) "canister," a system of tamper-proof, blockchain-based smart contracts that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.

Eriksen said the people behind TeamPCP are bragging about their exploits in a group on Telegram, and claim to have used the worm to steal vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.

"When they compromised Aqua a second time, they took a lot of GitHub accounts and started spamming these with junk messages," Eriksen said. "It was almost like they were just showing off how much access they had. Clearly they have an entire stash of these credentials, and what we've seen so far is probably a small sample of what they have."

Security experts say the spammed GitHub messages could be a way for TeamPCP to ensure that any code packages tainted with their malware will remain prominent in GitHub searches. In a newsletter published today titled "GitHub is Starting to Have a Real Malware Problem," Risky Business reporter Catalin Cimpanu writes that attackers often are seen pushing meaningless commits to their repos, or using online services that sell GitHub stars and likes, to keep malicious packages at the top of the GitHub search page.

This weekend's outbreak is the second major supply chain attack involving Trivy in as many months. At the end of February, Trivy was hit as part of an automated threat called "HackerBotClaw," which mass-exploited misconfigured workflows in GitHub Actions to steal authentication tokens.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend's mischief. But he said there is no reliable way to tell whether TeamPCP's wiper actually succeeded in trashing any data on victim systems, and that the malicious payload was only active for a short time over the weekend.

"They've been taking the malicious code up and down, rapidly changing it, adding new features," Eriksen said, noting that when the malicious canister wasn't serving up malware downloads, it was pointing visitors to a Rick Roll video on YouTube.

"It's a little all over the place, and there's a chance this whole Iran thing is just their way of getting attention," Eriksen said. "I feel like these people are really playing this Chaotic Evil role here."

Cimpanu observed that supply chain attacks have increased in frequency of late as threat actors begin to grasp just how efficient they can be, and his post documents an alarming number of these incidents since 2024.

"While security firms appear to be doing a good job spotting this, we're also gonna need GitHub's security team to step up," Cimpanu wrote. "Unfortunately, on a platform designed to copy (fork) a project and create new versions of it (clones), spotting malicious additions to clones of legitimate repos might be quite the engineering problem to fix."

Update, 2:40 p.m. ET: Wiz is reporting that TeamPCP also pushed credential-stealing malware to the KICS vulnerability scanner from Checkmarx, and that the scanner's GitHub Action was compromised between 12:58 and 16:50 UTC today, March 23rd.
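The wiper described above is gated on the victim's time zone and locale. The reporting does not say how the sample reads those values, so the following is an added, hypothetical reconstruction of the gate as a defender's check, not code from the page, from Aikido, or from the sample itself. It assumes POSIX-style hosts where the zone is exposed via the TZ variable (IANA name "Asia/Tehran", or the legacy tzdata alias "Iran") and the language via the LC_ALL / LC_MESSAGES / LANG variables; the function names and the sample environments are constructed for illustration. It answers two practitioner questions: would this host fall into the "Iran" branch, and what environment should a sandbox get so the gated branch actually executes during analysis.

```python
# Added example (not the page's or the sample's code): reconstruct the
# "Iran time zone OR Farsi default language" gate as a host/sandbox check.
# Assumption: POSIX-style environment variables carry the zone and locale.

IRAN_ZONES = {"Asia/Tehran", "Iran"}   # IANA name and its legacy tzdata alias
FARSI_LANGS = {"fa", "fas", "per"}      # ISO 639-1 / 639-2 codes for Persian


def parse_posix_locale(value):
    """'fa_IR.UTF-8@calendar' -> ('fa', 'IR'); '' / 'C' / 'POSIX' -> (None, None)."""
    if not value or value in ("C", "POSIX"):
        return None, None
    base = value.split("@", 1)[0].split(".", 1)[0]   # drop modifier and codeset
    lang, _, territory = base.partition("_")
    return (lang.lower() or None), (territory.upper() or None)


def effective_language(env):
    """POSIX precedence for the message language: LC_ALL, then LC_MESSAGES, then LANG.

    The first non-empty variable wins even when it is "C"/"POSIX", so an
    explicit LC_ALL=C masks a Farsi LANG (a common CI-runner configuration).
    """
    for var in ("LC_ALL", "LC_MESSAGES", "LANG"):
        value = env.get(var, "")
        if value:
            return parse_posix_locale(value)
    return None, None


def matches_iran_profile(env, tz_name=None):
    """Return (hit, reasons): would this host be classified as Iranian by the gate?"""
    zone = (tz_name or env.get("TZ", "")).lstrip(":")   # glibc accepts TZ=:Asia/Tehran
    lang, territory = effective_language(env)
    reasons = []
    if zone in IRAN_ZONES:
        reasons.append(f"timezone {zone}")
    if lang in FARSI_LANGS:
        reasons.append(f"language {lang}" + (f"_{territory}" if territory else ""))
    return bool(reasons), reasons


def detonation_env(base_env=None):
    """Environment an analyst gives a sandbox so a locale-gated sample takes the Iran branch."""
    env = dict(base_env or {})
    env.update({"TZ": "Asia/Tehran", "LANG": "fa_IR.UTF-8", "LC_ALL": "fa_IR.UTF-8"})
    return env


if __name__ == "__main__":
    # Constructed sample environments, not captured from any real host.
    for sample in ({"LANG": "en_US.UTF-8", "TZ": "Europe/Berlin"},
                   {"LANG": "fa_IR.UTF-8"},
                   {"LANG": "fa_IR.UTF-8", "LC_ALL": "C"},
                   detonation_env({"PATH": "/usr/bin"})):
        print(sample, "->", matches_iran_profile(sample))
```

The LC_ALL=C case is the one worth remembering: a sandbox that inherits a locale-neutral CI environment will never reach the destructive branch, so a "benign" detonation result proves nothing about what the payload does on a matching host. Conversely, any Farsi-localized workstation or a container with TZ=Asia/Tehran baked into its image is in scope regardless of where it physically runs.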
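Both the Trivy and the KICS incidents above reached victims through a compromised GitHub Action, which only works against workflows that resolve the action by a mutable reference (a tag such as v2 or a branch such as master) rather than a full commit SHA. The scanner below is an added example, not code from the page, from Aqua Security or from Checkmarx: it walks a workflow file, classifies every `uses:` reference, and lists the ones an attacker who controls the upstream repository or its tags could silently repoint. The workflow text is constructed for the example; the action names mirror how those projects publish their actions, but the version tags and the 40-character commit SHA are placeholders, not real releases or commits.

```python
# Added example (not the page's or either vendor's code): audit a GitHub Actions
# workflow for third-party actions that are not pinned to a full commit SHA.
import re
from dataclasses import dataclass

# Constructed sample workflow. The SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
      - name: KICS scan
        uses: checkmarx/kics-github-action@v2.1.3
      - name: Pinned step
        uses: example-org/some-action@0123456789abcdef0123456789abcdef01234567  # v1.2.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: echo done
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str
    ref: str
    status: str   # "pinned", "mutable", "unpinned", or "local"


def classify(uses_value):
    """Classify one `uses:` value by whether its reference is immutable."""
    if uses_value.startswith("./"):
        return Finding(uses_value, "", "local")          # lives in this repo, reviewed with it
    if uses_value.startswith("docker://"):
        # Container references are immutable only when given by digest.
        pinned = "@sha256:" in uses_value
        return Finding(uses_value, "", "pinned" if pinned else "mutable")
    if "@" not in uses_value:
        return Finding(uses_value, "", "unpinned")        # defaults to the default branch
    action, ref = uses_value.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return Finding(action, ref, "pinned")
    return Finding(action, ref, "mutable")               # tag or branch: can be repointed


def audit_workflow(text):
    """All `uses:` references in a workflow, in file order, with their classification."""
    return [classify(m.group(1).strip("'\"")) for m in USES_RE.finditer(text)]


def mutable_actions(text):
    """Just the references an upstream compromise could redirect."""
    return [f"{f.action}@{f.ref}" if f.ref else f.action
            for f in audit_workflow(text) if f.status in ("mutable", "unpinned")]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.status:9} {f.action}{'@' + f.ref if f.ref else ''}")
```

Pinning bounds what a repointed tag can do; it does not help when the pinned commit itself was malicious at the time you pinned it, or when the action downloads a binary or image at run time from a location the attacker also controls, so pair the SHA pin with a review of what the action fetches and with a workflow token that has the least permissions the job needs.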
This entry was posted on Monday, 23rd of March 2026, 11:43 AM.
Interestingly, after the huge demonstrations a couple months ago Iran shut down most of the Internet. Sorta kills the effect on Iranians of this attack.

The world would be a more stable place if the orange mental one hadn't been coaxed into a Middle East war by Israel.

"I'm the President of Peace and will start no new wars." Then, jumping back to 2011, he outed the facts about himself: "The President will start a war with Iran to cover his crimes and because he's a terrible negotiator."

One of these days, one of these days...

I'm the President of Peace
I will start no new wars
And if you don't believe me
I'll have ICE deport you to Zanzibar

I'm bored, let's go play golf and forget our war-of-choice troubles.

Keep coping, buddy.

This is a global problem now. Don't be a moron, buddy.

Chaotic evil is a perfect description. My heart goes out to this person, whoever they are. U r da real revolutionary.

Interesting analysis on this wiper attack. It's fascinating how threat actors are increasingly tailoring malware to specific geographic targets based on system locale settings.

That's been going on since 2008, easily.

True, but there's no need to be dicks about it, right? Or do we need to be dicks about it?

So when exactly did this start? You say 2008 based on what? Let's see it.
