‘CanisterWorm’ Springs Wiper Attack Targeting Iran
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.

A financially motivated data theft and extortion group, known as TeamPCP, has launched a new campaign targeting systems in Iran, deploying a worm called CanisterWorm that wipes data from infected systems. The attack, which experts say materialized this past weekend, is part of an effort by the group to inject itself into the ongoing conflict involving Iran.
TeamPCP, a relatively new cybercrime group, began its operations in December 2025, focusing on compromising corporate cloud environments. The group uses a self-propagating worm that targets exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. Once inside a network, the attackers move laterally, siphoning authentication credentials and extorting victims over Telegram.
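The exposed control planes named above (Docker APIs reachable over plain TCP, Redis instances reachable without a password) are configuration mistakes a defender can check for before a worm finds them. The following Python audit is an added example for this article, not tooling from TeamPCP, Flare, or Wiz: it parses a Docker `daemon.json` and a `redis.conf` and reports the exposures; the four sample configuration strings are constructed here to show a weak setting beside its corrected form, and the file paths and password in them are placeholders.

```python
"""Added example: audit Docker daemon and Redis configuration for the
kinds of exposure worms like the one described above look for.
Sample configs below are constructed for illustration only."""
import json
from typing import Dict, List

# Constructed samples: a weak and a hardened daemon.json (paths are placeholders).
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder path
    "tlscert": "/etc/docker/server-cert.pem",   # placeholder path
    "tlskey": "/etc/docker/server-key.pem",     # placeholder path
})

# Constructed samples: a weak and a hardened redis.conf.
WEAK_REDIS = """
# constructed: listens on every interface, no auth, protected-mode disabled
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS = """
# constructed: loopback only, protected-mode on, password required
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass PLACEHOLDER-CHANGE-ME
"""


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Flag tcp:// listeners without TLS client verification, and TLS listeners
    bound to every interface. Unix sockets are not reported."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # Client-certificate verification needs tlsverify plus a CA to verify against.
    tls_ok = cfg.get("tlsverify") is True and bool(cfg.get("tlscacert"))
    findings = []
    for host in tcp_hosts:
        if not tls_ok:
            findings.append(f"docker: API listens on {host} without TLS client verification")
        elif host.startswith(("tcp://0.0.0.0", "tcp://[::]")):
            findings.append(f"docker: TLS API bound to all interfaces ({host}); restrict to a management address")
    return findings


def _parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Minimal redis.conf reader: 'directive value...' per line, '#' comments.
    Later duplicates win, so every value is kept in order."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def _is_loopback(addr: str) -> bool:
    addr = addr.lstrip("-")  # Redis 7 marks optional addresses with a leading '-'
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit_redis_conf(redis_conf: str) -> List[str]:
    """Flag a Redis instance reachable from non-loopback addresses without
    requirepass or ACL users; note when protected-mode is also off."""
    s = _parse_redis_conf(redis_conf)
    bind = s.get("bind", ["*"])[-1]          # no bind directive: all interfaces
    exposed = any(a in ("*", "0.0.0.0", "::") or not _is_loopback(a) for a in bind.split())
    protected = s.get("protected-mode", ["yes"])[-1].lower() == "yes"
    authed = bool(s.get("requirepass", [""])[-1]) or "user" in s
    findings = []
    if exposed and not authed:
        findings.append("redis: bound to a non-loopback address without requirepass or ACL users")
        if not protected:
            findings.append("redis: protected-mode is off, so unauthenticated remote clients are accepted")
    return findings


def run_audit(daemon_json: str, redis_conf: str) -> List[str]:
    """Combine both audits; an empty list means no exposure was found."""
    return audit_docker_daemon(daemon_json) + audit_redis_conf(redis_conf)


if __name__ == "__main__":
    for label, d, r in (("weak", WEAK_DAEMON, WEAK_REDIS), ("hardened", HARDENED_DAEMON, HARDENED_REDIS)):
        print(label, run_audit(d, r) or ["no findings"])
```

On a real host, feed `run_audit` the contents of `/etc/docker/daemon.json` and the active `redis.conf`; the Docker check deliberately treats `tlsverify` without a CA as unprotected, because the daemon then encrypts the connection but does not authenticate the client.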
The CanisterWorm specifically seeks out and destroys data on systems that match Iran's time zone or have Farsi set as the default language. This targeted approach suggests that the group is attempting to frame the attack as part of the broader conflict, potentially causing confusion and complicating efforts to attribute the breach.
In a profile published in January, security firm Flare described the group's tactics as relying on large-scale automation and the integration of well-known attack techniques rather than novel exploits or original malware. TeamPCP's strength lies in exploiting exposed control planes, predominantly targeting cloud infrastructure over end-user devices. Azure and AWS accounted for 97% of the compromised servers, with Azure making up 61% and AWS 36%.
Flare's Assaf Morag noted that TeamPCP "industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem." This approach allows the group to operate efficiently and at scale, capitalizing on the vulnerabilities left behind by poorly secured cloud services.
In addition to the CanisterWorm campaign, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security on March 19. The attackers injected credential-stealing malware into official releases on GitHub Actions. Aqua Security has since removed the harmful files, but the security firm Wiz notes that the attackers were able to p
The CanisterWorm incident highlights the ongoing threat of financially motivated groups exploiting geopolitical tensions for their own gain. As the conflict involving Iran continues to escalate, the risk of such groups attempting to capitalize on the situation increases. Organizations operating in the region must be vigilant and ensure their cloud services are properly secured to prevent falling victim to similar attacks.
The use of CanisterWorm, which specifically targets systems in Iran, raises concerns about the potential for misinformation and disinformation campaigns. Attackers may attempt to frame the breach as part of a larger conflict, making it more challenging for victims to determine the true source of the attack.
As TeamPCP's activities continue, security experts are urging organizations to prioritize the security of their cloud infrastructure. Regularly updating and patching systems, implementing strong access controls, and monitoring for unusual activity can help mitigate the risk of falling victim to such targeted campaigns.
In conclusion, the CanisterWorm attack by TeamPCP serves as a stark reminder of the evolving landscape of cyber threats. Financially motivated groups are increasingly leveraging geopolitical tensions and exploiting vulnerabilities in cloud services to carry out data theft and extortion. As these groups become more sophisticated and aggressive, it is crucial for organizations to remain vigilant and proactive in safeguarding their digital assets.