May 9, 2026
The article reports that a financially motivated cybercrime group known as TeamPCP has launched a destructive campaign aimed specifically at systems associated with Iran, using a worm that spreads through poorly secured cloud infrastructure and then deploys a wiper payload under certain regional conditions. According to Krebs, the malware checks whether a target system uses Iran’s time zone or has Farsi configured as the default language; if so, it attempts to erase data, and if it finds access to a Kubernetes cluster it can wipe data across every node in that cluster. The piece explains that TeamPCP had already been active since late 2025, exploiting exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability to move laterally, steal credentials, and extort victims. Krebs presents the Iran-focused wiper as a new escalation layered on top of an already aggressive cloud-centric criminal operation.
The article also emphasizes the unusual infrastructure and chaotic behavior behind the campaign. Security researchers cited by Krebs say TeamPCP used the same infrastructure that had recently been involved in a supply chain attack on Aqua Security’s Trivy scanner, where malicious code was inserted into official GitHub Actions releases to steal SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets. Aikido dubbed the broader infrastructure “CanisterWorm” because the attackers orchestrated it through an Internet Computer Protocol (ICP) canister, a blockchain-based hosting mechanism that is resistant to takedown. Krebs notes that researchers are not yet certain whether the Iran-targeted wiping actually caused lasting damage, partly because the malicious payload appeared only briefly and was repeatedly changed, sometimes even redirecting visitors to a prank video. The overall impression is of a threat actor that combines real technical danger with erratic, attention-seeking behavior, making it difficult to tell where criminal extortion ends and political theater begins.
Source: https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/