The threat group TeamPCP has released a highly destructive variant of the CanisterWorm malware, built to wipe Iranian systems while quietly backdooring everything else it reaches. This cloud-native threat targets Kubernetes clusters, Docker environments and standalone hosts. The operators use an Internet Computer Protocol (ICP) canister for resilient command-and-control (C2) and rotating Cloudflare tunnels for payload delivery.
Execution and Destructive Payload

When it runs, the payload first checks for a Kubernetes service account to determine what kind of environment it is in. It then inspects the system timezone and locale for Iranian markers such as Asia/Tehran or fa_IR. If the host appears to be in Iran, the malware launches a wiping routine that destroys the system.
On a Kubernetes cluster, the malware installs a privileged DaemonSet named host-provisioner-iran in the kube-system namespace. The deployment launches an Alpine container named kamikaze that mounts the host's root filesystem, deletes top-level directories in a deliberate order and forces the node to reboot.
The DaemonSet tolerates all node taints, so the destructive container is scheduled on every node, including the control plane. Iranian hosts that are not running Kubernetes meet the same fate: their root directory is deleted to brick the host. The dispatch logic of the payload looks like this:

    import sys

    if __name__ == "__main__":
        if is_k8s():                      # Kubernetes service account present
            if is_iran():                 # timezone/locale points to Iran
                deploy_destructive_ds()   # host-provisioner-iran wiper DaemonSet
            else:
                deploy_std_ds()           # host-provisioner-std backdoor DaemonSet
        else:
            if is_iran():
                poison_pill()             # wipe the single host
                sys.exit(1)

On systems outside Iran, the malware behaves as a persistent backdoor. On Kubernetes it installs a host-provisioner-std DaemonSet that spreads the CanisterWorm payload across the cluster.
The backdoor is installed as a systemd service. Early versions named it internal-monitor; later builds renamed it pgmonitor to masquerade as PostgreSQL tooling. Once the Python script is in place, it polls the ICP canister C2 every 50 minutes to download and run secondary commands.
Lateral Movement and Indicators of Compromise

The newest version of CanisterWorm no longer relies only on Kubernetes to spread. It can now move laterally on its own by harvesting SSH keys and abusing the Docker API. The script reads authentication logs such as /var/log/auth.log to collect IP addresses and usernames from successful logins, then uses any private SSH keys it finds to spread to those neighboring hosts.
At the same time, the malware scans the local subnet for exposed Docker APIs on port 2375 (Aikido). When it finds an unauthenticated endpoint, it creates a privileged container that mounts the host root directory and uses it to deliver the payload.

Security teams should proactively audit their infrastructure to defend against this aggressive supply chain attack. The table below lists the most important Indicators of Compromise (IOCs) linked to this campaign.

Category     Indicator                                        Description
Network      tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io     ICP canister C2 dead-drop
Network      *trycloudflare[.]com                             Rotating payload delivery URLs
Kubernetes   host-provisioner-iran, host-provisioner-std      Malicious DaemonSets
Kubernetes   kamikaze, provisioner                            Malicious container names
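As an added example, not code from the article or from TeamPCP: a Python audit of the JSON that "kubectl get ds -A -o json" emits, flagging the DaemonSet traits described above (the IOC names, a blanket toleration that reaches the control plane, a privileged container and a hostPath mount of the node root). The function names and the sample manifests are constructed for this example.

```python
import json

# Names taken from the article's IOC table.
IOC_DAEMONSETS = {"host-provisioner-iran", "host-provisioner-std"}
IOC_CONTAINERS = {"kamikaze", "provisioner"}

def audit_daemonset(ds):
    """Return findings for one DaemonSet object as emitted by kubectl -o json."""
    findings = []
    name = ds["metadata"]["name"]
    spec = ds["spec"]["template"]["spec"]
    if name in IOC_DAEMONSETS:
        findings.append(f"name matches known IOC: {name}")
    # A toleration with no key and operator Exists matches every taint (control plane too).
    if any(t.get("operator") == "Exists" and not t.get("key")
           for t in spec.get("tolerations", [])):
        findings.append("tolerates all taints")
    # hostPath volumes that expose the node's root filesystem.
    root_vols = {v["name"] for v in spec.get("volumes", [])
                 if v.get("hostPath", {}).get("path") == "/"}
    for c in spec.get("containers", []):
        if c["name"] in IOC_CONTAINERS:
            findings.append(f"container name matches known IOC: {c['name']}")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container: {c['name']}")
        for m in c.get("volumeMounts", []):
            if m["name"] in root_vols:
                findings.append(f"container {c['name']} mounts host root at {m['mountPath']}")
    return findings

def audit_daemonset_list(ds_list_json):
    """Audit every item in a 'kubectl get ds -A -o json' document; keyed by namespace/name."""
    return {f"{d['metadata']['namespace']}/{d['metadata']['name']}": audit_daemonset(d)
            for d in json.loads(ds_list_json)["items"]}

# Constructed sample (not a real capture): a wiper-shaped DaemonSet and a benign log shipper.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "tolerations": [{"operator": "Exists"}],
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "kamikaze", "image": "alpine",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}},
    {"metadata": {"name": "log-shipper", "namespace": "logging"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
         "containers": [{"name": "shipper", "image": "fluent-bit",
                         "volumeMounts": [{"name": "logs", "mountPath": "/var/log"}]}]}}}}]})
```

Run audit_daemonset_list(SAMPLE) to see the wiper-shaped DaemonSet produce five findings while the log shipper produces none; feed it real kubectl output to audit a live cluster.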