TeamPCP, a hacker group, has moved from stealing credentials and installing backdoors to something far more destructive with a new payload. Since late 2025 the group has been known as a cloud-native attacker.
They have used a Kubernetes wiper that specifically targets systems set up for Iran. This is a clear and serious escalation in the campaign's goals and reach. TeamPCP first drew attention for exploiting misconfigured Docker APIs, Kubernetes clusters, and CI/CD pipelines.
In their earlier campaigns they focused on persistence, quietly planting backdoors and stealing access credentials. This new payload changes everything.
Look for systemd services named internal-monitor or pgmonitor, the file /var/lib/pgmon/pgmon.py, and pglog processes running from /tmp/. Block connections to icp0[.]io domains.
Make sure the Docker API on port 2375 is closed and is never exposed without authentication. Rotate the SSH keys on any host that may have been compromised, and check the SSH authentication logs carefully for any signs of unusual lateral movement.
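A host triage helper for the indicators listed above, added here as an example and not taken from the article. It assumes the systemd unit files carry the service names and live in the standard unit directories, and takes a filesystem root argument so it can be run against / on a live host or against a mounted disk image.

```shell
#!/bin/sh
# teampcp_fs_triage ROOT  - look for the on-disk artifacts under ROOT
#                           (/ for a live host, or a mounted image).
# teampcp_live_triage     - look for running pglog processes and a Docker
#                           API listener on the current host.
# Both print one "HIT ..." line per finding; the exit status is the hit count.

teampcp_fs_triage() {
    root="${1%/}"            # strip the trailing slash so "/" becomes ""
    hits=0
    # Persistence: systemd units named internal-monitor or pgmonitor.
    # Assumption: the unit file is named after the unit.
    for unit in internal-monitor pgmonitor; do
        for dir in etc/systemd/system usr/lib/systemd/system lib/systemd/system; do
            if [ -e "$root/$dir/$unit.service" ]; then
                echo "HIT unit file: $root/$dir/$unit.service"; hits=$((hits+1))
            fi
        done
    done
    # Payload script dropped at /var/lib/pgmon/pgmon.py.
    if [ -e "$root/var/lib/pgmon/pgmon.py" ]; then
        echo "HIT payload: $root/var/lib/pgmon/pgmon.py"; hits=$((hits+1))
    fi
    # pglog files staged in /tmp (the glob matches nothing on a clean host).
    for f in "$root"/tmp/*pglog*; do
        [ -e "$f" ] || continue
        echo "HIT staged file: $f"; hits=$((hits+1))
    done
    return $hits
}

teampcp_live_triage() {
    hits=0
    # Running pglog processes whose executable lives under /tmp.
    for pid in $(ps -eo pid= -o args= | awk '$2 ~ /pglog/ && $2 ~ /^\/tmp\// {print $1}'); do
        echo "HIT process: pid $pid"; hits=$((hits+1))
    done
    # Docker API: any listener on TCP 2375 is a finding to verify by hand
    # (bind address, TLS, and whether the port should be open at all).
    if command -v ss >/dev/null 2>&1 && ss -Hltn 2>/dev/null | grep -q ':2375 '; then
        echo "HIT docker API listener on tcp/2375"; hits=$((hits+1))
    fi
    return $hits
}
```

Run both functions with the output saved alongside the host's SSH authentication logs, since the script only covers the file, process and port indicators and not the log review.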