
'CanisterWorm' Unleashes Wiper Attack Targeting Iranian Systems

A financially motivated cybercrime group has pivoted to geopolitical disruption, launching a sophisticated wiper worm that specifically targets systems in Iran. The malware, dubbed "CanisterWorm," autonomously spreads through misconfigured cloud services and destroys data on infected machines that are configured with Iran's time zone or have Farsi set as the default system language. This represents a significant escalation from the group's previous focus on data theft and extortion, marking a dangerous convergence of criminal tactics and targeted destructive attacks.

The campaign is attributed to a relatively new threat actor known as TeamPCP. According to cybersecurity experts, the wiper attack materialized over the past weekend. TeamPCP first gained notoriety in December 2025 for compromising corporate cloud environments using a self-propagating worm. This initial malware targeted exposed Docker APIs, Kubernetes clusters, Redis servers, and the known React2Shell vulnerability. The group's standard *modus operandi* involved lateral movement through victim networks to steal authentication credentials, followed by extortion demands communicated via Telegram.

Security firm Flare published a detailed profile of TeamPCP in January, highlighting their unique operational model. The group does not rely on novel zero-day exploits but instead weaponizes exposed cloud control planes on a massive scale. They achieve this through the large-scale automation and integration of well-known attack techniques, predominantly targeting cloud infrastructure over traditional endpoints. Their attacks are heavily focused on major cloud providers, with Azure (61%) and AWS (36%) accounting for 97% of all compromised servers in their campaigns. As Flare's analyst Assaf Morag noted, the group "industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform," effectively creating a self-propagating criminal ecosystem from exposed infrastructure.

In a related development that underscores the group's evolving capabilities, TeamPCP executed a software supply chain attack on March 19. They compromised the popular vulnerability scanner Trivy, developed by Aqua Security, by injecting credential-stealing malware into its official releases on GitHub Actions. While Aqua Security has confirmed the removal of the malicious files, researchers from security firm Wiz note that the attackers successfully leveraged this access to further their cloud intrusion campaigns. The emergence of the CanisterWorm wiper, combined with this supply chain compromise, signals that TeamPCP is rapidly expanding its toolkit from pure financial crime to include highly disruptive, politically aligned attacks, posing a complex threat to both corporate and national security infrastructures.