‘CanisterWorm’ Springs Wiper Attack Targeting Iran – Krebs on Security

https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/

Publish Date: 2026-03-23 15:04:06

Source Domain: krebsonsecurity.com

Summary of Article

A new financially motivated cybercriminal group, TeamPCP, unleashed a wiper campaign over the weekend directly targeting systems linked to Iran. TeamPCP is known for applying well-known attack methods at industrial scale, using large-scale automation to compromise cloud environments and extort victims. The group, first identified in December 2025, has targeted cloud services globally but has been most active against cloud infrastructures such as Azure and AWS. To carry out its operation against Iran, the group used a worm called CanisterWorm, which seeks out systems set to Iran’s time zone or with Farsi as the default language and then wipes the data on those systems. Through supply chain attacks, notably against the vulnerability scanner Trivy, TeamPCP has been able to siphon sensitive data, including GitHub accounts and cloud credentials. Although some experts believe TeamPCP’s activities may simply be an attempt to gain notoriety rather than to cause significant damage, it is clear that the group’s operations represent a sophisticated and alarming evolution in phishing tactics and extortion.

Key Points:

  • Targeting Specific Regions: TeamPCP is specifically targeting systems set to Iran’s time zone or with Farsi as the default language, using a wiper tool called CanisterWorm.
  • Cloud Infrastructure Attacks: TeamPCP has historically focused on cloud infrastructures, leveraging exposed control planes, APIs, Kubernetes clusters, and Redis servers.
  • Supply Chain Vulnerabilities: The group has demonstrated advanced capabilities in exploiting supply chain weaknesses, compromising tools like Trivy and inserting malware into official releases.
  • Public Bragging and Threat Display: TeamPCP’s communication via Telegram and its spamming of GitHub accounts suggest a calculated effort to demonstrate the extent of its access and control, raising concerns about data theft that may still be undetected.
  • Emerging Supply Chain Threats: The rise in supply chain attacks highlights a broader problem with potentially severe implications, underscoring the need for stronger security measures on platforms like GitHub.