TeamPCP Cybercrime Group Deploys CanisterWorm Wiper Targeting Iran in Escalating Cloud Cyberwar
A financially motivated cybercrime group called TeamPCP has deployed a new wiper worm called CanisterWorm that selectively destroys data on systems matching Iran's timezone or using Farsi as the default language.
The Attack
CanisterWorm spreads through poorly secured cloud services:
- Targets: Exposed Docker APIs, Kubernetes clusters, Redis servers
- Trigger: Detects Iran timezone or Farsi locale
- Kubernetes escalation: If it detects cluster access, it destroys data on every node
- Fallback: Wipes the local machine if no cluster access is found
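As an added illustration, not code from the page or from the researchers it cites, here is a defender-side audit in Python of two of the exposure conditions the worm relies on: a Docker API published over plain TCP and a Redis server reachable without authentication. The daemon.json and redis.conf samples are constructed for this example, and the Kubernetes case is left out.

```python
import json

# Constructed sample Docker daemon.json files: the weak one publishes the API on
# plain TCP, the hardened one keeps TCP but requires TLS client verification.
WEAK_DOCKER_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER_DAEMON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
)

# Constructed sample redis.conf fragments: the weak one answers on every
# interface with no password, the hardened one is loopback-only and authenticated.
WEAK_REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS_CONF = "bind 127.0.0.1\nprotected-mode yes\nrequirepass CHANGE_ME\n"

def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Flag tcp:// listeners in daemon.json that are not protected by tlsverify."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"Docker API on {host} without TLS client verification")
    return findings

def audit_redis_conf(conf: str) -> list[str]:
    """Flag redis.conf settings that expose an unauthenticated server to the network."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    bind = settings.get("bind", "")
    # Redis with no bind directive listens on all interfaces.
    if not bind or "0.0.0.0" in bind.split():
        findings.append("Redis listens on all interfaces (bind missing or 0.0.0.0)")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    if not settings.get("requirepass"):
        findings.append("no requirepass set; any client can issue commands")
    return findings

if __name__ == "__main__":
    for name, findings in [("docker", audit_docker_daemon(WEAK_DOCKER_DAEMON)),
                           ("redis", audit_redis_conf(WEAK_REDIS_CONF))]:
        print(name, findings)
```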
TeamPCP Profile
Identified by security firm Flare in January 2026:
- Model: Cloud-native exploitation platform
- Cloud targets: Azure (61%) and AWS (36%), together 97% of compromised servers
- Innovation: Not novel exploits, but industrial-scale automation of known vulnerabilities
- Monetization: Credential theft + Telegram-based extortion
Supply Chain Attack: Trivy Compromise
On March 19, 2026, TeamPCP executed a supply chain attack against Aqua Security's Trivy vulnerability scanner:
- Vector: Injected credential-stealing malware into GitHub Actions releases
- Stolen data: SSH keys, cloud credentials, Kubernetes tokens, crypto wallets
- Remediation: Aqua Security removed the malicious files, but there was a window during which the compromised releases were available
Implications
This represents a new era in which financially motivated cybercriminals insert themselves into geopolitical conflicts. The targeting is automated: any cloud infrastructure matching Iranian settings gets wiped, regardless of the victim's actual nationality.
Security researcher Charlie Eriksen of Aikido published the detailed analysis.