Since late 2025, a financially motivated cybercriminal group has been quietly breaking into cloud environments. The group, known as TeamPCP, runs CanisterWorm, a self-propagating worm that hunts for poorly protected Docker APIs, Kubernetes clusters, Redis servers, and systems vulnerable to the React2Shell flaw.

Once inside, the worm moves laterally through victim networks, stealing credentials and extorting businesses through Telegram. The campaign is widespread and affects businesses running cloud workloads on both Azure and AWS. Flare, a security company, found that Azure accounts for about 61% of all compromised servers and AWS for another 36%, together making up 97% of all affected infrastructure. The same infrastructure used for these data theft campaigns was later used to launch a targeted wiper attack on systems linked to Iran.

This geographic targeting marks a notable shift in threat design: financially motivated groups are now using geo-specific logic to pursue both political and financial goals. If your company runs Docker, Kubernetes, or Redis in the cloud, check your configuration right away for APIs exposed to the public internet and access points that do not require authentication.
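One way to perform the configuration check recommended above is to audit the Docker daemon and Redis settings on each host for the two weaknesses the worm relies on: a TCP Docker API without TLS client verification, and a Redis listener reachable from outside loopback with no password. The script below is an added example, not code from the article or from Flare; the config snippets are constructed samples, and it ignores Redis ACL files and any network-level controls in front of the services.

```python
import json
import shlex

# Constructed sample configs (not taken from any real host). Both show the
# weak settings CanisterWorm-style scanners look for.
DOCKER_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
REDIS_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so anyone reaching port 6379 gets full access
"""


def audit_docker_daemon(daemon_json: str) -> list:
    """Flag Docker API TCP listeners that are not protected by TLS client auth."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"docker: API exposed on {host} without tlsverify")
    return findings


def audit_redis_conf(conf_text: str) -> list:
    """Flag a Redis config that is reachable off-host and needs no password."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives[parts[0].lower()] = parts[1:]
    # Redis with no 'bind' directive listens on every interface.
    bind = directives.get("bind", ["0.0.0.0"])
    # A leading '-' marks an optional address (e.g. -::1); strip it before checking.
    exposed = any(not a.lstrip("-").startswith(("127.", "::1", "localhost")) for a in bind)
    protected = directives.get("protected-mode", ["yes"])[0].lower() == "yes"
    has_password = bool("".join(directives.get("requirepass", [])))
    findings = []
    if exposed and not has_password:
        if protected:
            findings.append("redis: non-loopback bind with no password (only protected-mode guards it)")
        else:
            findings.append("redis: non-loopback bind, no password, protected-mode off")
    return findings


def audit_host(daemon_json: str, redis_conf: str) -> list:
    """Combine both checks; an empty list means neither weakness was found."""
    return audit_docker_daemon(daemon_json) + audit_redis_conf(redis_conf)


if __name__ == "__main__":
    for finding in audit_host(DOCKER_DAEMON_JSON, REDIS_CONF):
        print(finding)
```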

If Trivy or KICS was used in CI/CD pipelines between March 19 and 23, 2026, teams should rotate their SSH keys, cloud credentials, and Kubernetes tokens on a regular basis. It is highly recommended to monitor containers for lateral movement and location-dependent behavior. Owners of GitHub repositories should also review their Actions workflows for changes they did not make, and restrict access to cloud control planes tightly enough that groups like TeamPCP cannot take advantage of them.
