Cybersecurity

7 Critical Facts About the CanisterWorm Wiper Attack Targeting Iran

Posted by u/Walesseo · 2026-05-02 01:59:53

In a troubling escalation of cyber warfare, a financially motivated group known as TeamPCP has launched a wiper campaign specifically targeting Iranian infrastructure. Dubbed 'CanisterWorm' by researchers, this self-propagating worm exploits cloud misconfigurations, steals credentials, and wipes data on systems with Iranian time zone or Farsi language settings. Below are seven key facts you need to understand about this attack.

1. The Threat Actor: TeamPCP's Emergence

TeamPCP is a relatively new cybercrime group that first gained attention in December 2025. Unlike traditional ransomware gangs, TeamPCP focuses on data theft and extortion, leveraging cloud environments as their primary battlefield. Their operations are highly automated, recycling known vulnerabilities and misconfigurations rather than developing novel exploits. Security firm Flare described their approach as an "industrialized exploitation platform" that turns exposed infrastructure into a self-propagating criminal ecosystem. The group's initial attacks involved compromising corporate cloud systems, stealing credentials, and extorting victims via Telegram. The CanisterWorm wiper represents a dangerous pivot from pure financial gain to politically charged destruction.

7 Critical Facts About the CanisterWorm Wiper Attack Targeting Iran
Source: krebsonsecurity.com

2. Infection Vector: Exploiting Exposed Cloud Services

The worm spreads through poorly secured cloud services, specifically targeting exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP scans for these misconfigurations at scale, then uses the worm to move laterally across victim networks. This approach allows them to compromise multiple systems without exploiting end-user devices. The group's strength lies in automating reconnaissance and propagation, making it difficult for defenders to contain the spread. Once inside, the worm steals authentication credentials and establishes persistence, paving the way for data exfiltration or destruction.

3. Primary Targets: Cloud Infrastructure Dominated by Azure and AWS

According to Flare's January 2026 profile, TeamPCP predominantly targets cloud infrastructure rather than on-premises systems. Azure accounts for 61% of compromised servers and AWS for 36%, which together cover 97% of their victims. This focus on cloud control planes over endpoints lets the group reach large volumes of data and use cloud-native tooling for lateral movement. The attackers weaponize control planes by exploiting misconfigured access keys, overly permissive roles, and unpatched vulnerabilities. For defenders, this means hardening the cloud environment itself, not just endpoints, is critical to preventing CanisterWorm infections.

4. The Supply Chain Attack on Trivy

On March 19, 2026, TeamPCP executed a supply chain attack against Aqua Security's vulnerability scanner Trivy. They injected credential-stealing malware into official GitHub Actions releases, compromising the build pipeline. The malicious versions captured SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from users who downloaded the infected software. Aqua Security has since removed the harmful files, but the incident demonstrates the group's ability to compromise trusted tools. Security firm Wiz confirmed that the attackers leveraged the same infrastructure used in the Trivy incident to deploy the CanisterWorm wiper payload days later.

5. The Wiper's Trigger: Iranian Time Zone or Farsi Language

The wiper component of CanisterWorm is designed with a specific geographic trigger. When executed, the malware checks the victim system's time zone and default language. If the time zone matches Iran's (UTC+3:30) or the language is set to Farsi, the wiper activates. On systems with access to Kubernetes clusters, it destroys data on every node in that cluster. If no cluster is available, it wipes the local machine entirely. This targeted destruction strongly suggests a political motive, potentially aiming to disrupt Iranian infrastructure or send a message. Researcher Charlie Eriksen of Aikido confirmed that the wiper only triggers for victims meeting these criteria.


6. CanisterWorm's Unique Infrastructure: Blockchain-Based Canisters

Aikido named the malware 'CanisterWorm' because TeamPCP orchestrates its campaigns using an Internet Computer Protocol (ICP) canister, a tamperproof, blockchain-based smart contract system. This decentralized infrastructure makes the command-and-control (C2) channels resistant to takedown. The canister stores configuration data, including targeted vulnerabilities and payload delivery instructions. By leveraging blockchain, the group ensures that even if traditional servers are seized, the worm can continue to propagate and receive updates. This innovative use of technology marks a shift toward more resilient cybercriminal operations.

7. Implications and Response: A New Era of Hybrid Cybercrime

The CanisterWorm attack blurs the line between financially motivated cybercrime and geopolitical warfare. While TeamPCP initially focused on extortion, the wiper element introduces destructive capabilities that could escalate conflicts. Security experts urge organizations to secure cloud configurations, patch vulnerabilities like React2Shell, and monitor for unusual lateral movement. Companies should also implement strict controls on exposed APIs and container orchestrators. The use of blockchain-based C2 poses new challenges for law enforcement and defenders, requiring novel detection strategies. As TeamPCP continues to evolve, the cybersecurity community must remain vigilant against this hybrid threat.
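Two of the misconfigurations the worm spreads through (fact 2) and that the recommendations above tell organizations to close (an exposed Docker API and an unauthenticated Redis server) can be checked directly from the services' own config files. The script below is an added audit example, not code from TeamPCP, Flare, Aikido or Wiz; the daemon.json and redis.conf strings are constructed samples showing a weak setting beside its hardened form, and the finding messages are my own wording.

```python
"""Flag Docker daemon and Redis settings that leave the service reachable
without authentication. Added example; sample configs are constructed."""
import json


def docker_daemon_findings(daemon_json: str) -> list:
    """A tcp:// listener in daemon.json with no tlsverify is an exposed
    Docker API: anyone who can reach the port can start privileged containers."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(f"docker: TCP listener(s) {tcp_hosts} without tlsverify")
    for h in tcp_hosts:
        if h.startswith("tcp://0.0.0.0") or h.startswith("tcp://[::]"):
            findings.append(f"docker: {h} bound to all interfaces")
    return findings


def redis_conf_findings(redis_conf: str) -> list:
    """Parse redis.conf directives; flag no requirepass, and protected-mode
    off while bound to every interface (Redis with no 'bind' listens on all)."""
    settings = {}
    for line in redis_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    findings = []
    if not settings.get("requirepass"):
        findings.append("redis: no requirepass set")
    bind = settings.get("bind", "")
    if settings.get("protected-mode", "yes") == "no" and (not bind or "0.0.0.0" in bind):
        findings.append("redis: protected-mode off and bound to all interfaces")
    return findings


# Constructed sample configs (not from any real host): weak vs hardened.
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARD_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], "tlsverify": true}'
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARD_REDIS = "bind 127.0.0.1\nprotected-mode yes\nrequirepass CHANGE_ME_PLACEHOLDER\n"

if __name__ == "__main__":
    for label, found in (("weak docker", docker_daemon_findings(WEAK_DOCKER)),
                         ("hardened docker", docker_daemon_findings(HARD_DOCKER)),
                         ("weak redis", redis_conf_findings(WEAK_REDIS)),
                         ("hardened redis", redis_conf_findings(HARD_REDIS))):
        print(label, "->", found or "no findings")
```

On a real host, feed it the contents of /etc/docker/daemon.json and the running redis.conf; a Docker daemon started with a `-H tcp://` command-line flag rather than daemon.json is not covered by this check.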

In conclusion, the CanisterWorm attack demonstrates how cybercriminal groups can rapidly pivot from data theft to targeted destruction. With its automated spread, cloud focus, and specific geographic targeting, this campaign serves as a stark reminder of the increasing complexity of modern cyber threats. Organizations must adopt a proactive security posture, including regular audits of cloud configurations, monitoring for supply chain compromises, and preparing for wiper attacks that may not demand ransom. The era of hybrid cybercrime has arrived, and CanisterWorm is just the beginning.