Yy9088 Stack
2026-05-04
Cybersecurity

Iran-Targeting Wiper Worm Unleashed by Cybercrime Group TeamPCP in Cloud Assault

TeamPCP deploys CanisterWorm to wipe Iranian systems via cloud vulnerabilities; wiper activates based on timezone/language.

A financially motivated cybercrime group known as TeamPCP has launched a devastating wiper attack specifically targeting systems in Iran, deploying a self-propagating worm that destroys data on machines configured with Iran's time zone or Farsi as the default language. The attack, which materialized over the weekend, represents a significant escalation in the group's activities, moving from data theft and extortion to outright destruction.

Security researcher Charlie Eriksen of Aikido reported that the wiper component checks the victim's time zone and locale settings. 'If it detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster,' Eriksen said. 'If it doesn't, it will just wipe the local machine.'

Background

TeamPCP, a relatively new cybercrime group, first emerged in December 2025. The group began compromising corporate cloud environments using a self-propagating worm that targeted exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. After gaining initial access, TeamPCP moved laterally through victim networks, stealing authentication credentials and extorting victims via Telegram.

Iran-Targeting Wiper Worm Unleashed by Cybercrime Group TeamPCP in Cloud Assault
Source: krebsonsecurity.com

According to a January profile by security firm Flare, TeamPCP primarily targets cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers. 'TeamPCP's strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,' wrote Flare's Assaf Morag. 'The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.'

On March 19, 2025, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub Actions. Aqua Security has since removed the harmful files, but security firm Wiz noted that the attackers published malicious versions that harvested SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. Over the weekend, the same technical infrastructure used in the Trivy attack was leveraged to deploy the new wiper payload.


Security firm Aikido has dubbed TeamPCP's infrastructure 'CanisterWorm' because the group orchestrates campaigns using an Internet Computer Protocol (ICP) canister—a system of tamper-proof, blockchain-based smart contracts that enable command-and-control without traditional server hosting.

What This Means

This attack marks a dangerous shift for TeamPCP, as it moves from financially motivated extortion to politically charged cyber destruction. By geofencing the wiper to Iran, the group appears to be intentionally injecting itself into geopolitical tensions, potentially escalating the cyber conflict in the region. The use of cloud-native exploitation techniques means that any organization with poorly secured cloud services—especially those using Docker, Kubernetes, or Redis—could be at risk of being used as a stepping stone for future campaigns.

The supply chain attack against Trivy demonstrates that even trusted security tools can be weaponized. Organizations must urgently review their cloud configurations, patch the React2Shell vulnerability, and monitor for signs of TeamPCP's worm. The self-propagating nature of CanisterWorm means that a single compromised cloud service could lead to widespread data destruction across entire clusters.
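As an added example (not from the article, nor code from Krebs, Aikido, Flare, Wiz or Aqua), the following Python performs the kind of configuration review the article calls for: it inspects a dockerd command line and a redis.conf for the two exposures the piece says TeamPCP's worm targets, an unauthenticated Docker Engine API on TCP and a Redis server reachable without a password. It works only on configuration text and never connects to anything. The sample configurations are constructed for this example; the dockerd flags and Redis directives are real ones.

```python
"""Offline audit of dockerd and redis.conf settings for the exposures the
article describes (example code, not from the article or any vendor)."""
import shlex

# Constructed samples: a weak and a hardened configuration of each service.
WEAK_DOCKERD_CMD = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED_DOCKERD_CMD = (
    "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 "
    "--tlsverify --tlscacert=/etc/docker/ca.pem "
    "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
)

WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command CONFIG ""
"""


def audit_dockerd(cmdline: str) -> list[str]:
    """Flag a Docker API exposed over TCP without client-certificate auth."""
    args = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        i += 1
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    tls_verify = any(a == "--tlsverify" or a.startswith("--tlsverify=") for a in args)
    findings = []
    if tcp_hosts and not tls_verify:
        findings.append(
            f"Docker API listens on {', '.join(tcp_hosts)} without --tlsverify; "
            "anyone who can reach the port controls the daemon"
        )
    return findings


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Minimal redis.conf parser: directive -> list of values (last wins)."""
    settings: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit_redis(conf_text: str) -> list[str]:
    """Flag a Redis instance reachable from the network with no authentication."""
    s = parse_redis_conf(conf_text)
    # With no `bind` directive Redis listens on every interface.
    bind_tokens = " ".join(s.get("bind", ["0.0.0.0"])).split()
    bind_all = any(t in ("0.0.0.0", "*", "::", "-::*") for t in bind_tokens)
    protected = s.get("protected-mode", ["yes"])[-1].lower() == "yes"
    has_password = bool(s.get("requirepass", [""])[-1])
    has_acl = "user" in s or "aclfile" in s
    findings = []
    if bind_all and not (has_password or has_acl):
        findings.append("Redis bound to all interfaces with no requirepass or ACL users")
    if not protected:
        findings.append("protected-mode no: remote clients are accepted even without a password")
    return findings


if __name__ == "__main__":
    for label, result in (
        ("weak dockerd", audit_dockerd(WEAK_DOCKERD_CMD)),
        ("hardened dockerd", audit_dockerd(HARDENED_DOCKERD_CMD)),
        ("weak redis", audit_redis(WEAK_REDIS_CONF)),
        ("hardened redis", audit_redis(HARDENED_REDIS_CONF)),
    ):
        print(f"{label}: {result or 'no findings'}")
```

Running the script reports one finding for the weak dockerd line (plain TCP on 2375), two for the weak redis.conf, and none for the hardened versions; the hardened Docker line keeps TCP but requires mutual TLS, and the hardened Redis binds to loopback, keeps protected mode, and sets a password.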