CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran

Published 24/03/2026 11:50 · Modified 27/03/2026 00:05

Essential information

Published: 24/03/2026 11:50
Modified: 27/03/2026 00:05
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: canisterworm, daemonset, docker api, kubernetes, wiper
Related entities: 7 indicators, 7 observables, 1 intrusion set (APT), 19 techniques (MITRE), 1 malware, 5 others

Description

A new payload in the TeamPCP arsenal has been discovered that is capable of wiping entire Kubernetes clusters. The script uses the same ICP canister as the rest of the campaign and the same lateral-movement technique via DaemonSets. This variant, however, introduces a geopolitically targeted destructive payload aimed specifically at Iranian systems. The malware checks the host's timezone and locale to identify Iranian systems and deploys privileged DaemonSets to every node in the environments it compromises. Nodes identified as Iranian are wiped and force-rebooted, while non-Iranian nodes receive the backdoor. The latest variant also adds network-based lateral movement, exploiting exposed Docker APIs and spreading over SSH. This development shows TeamPCP's ability to operate at supply-chain scale and its willingness to carry out destructive actions.

External references