Categories: Cyber Security News

TeamPCP Unleashes Iran‑Targeted CanisterWorm Kubernetes Wiper

Threat actor TeamPCP has launched a highly destructive variant of the CanisterWorm malware, explicitly engineered to wipe Iranian systems while silently backdooring others.

This cloud-native threat targets Kubernetes clusters, Docker environments, and standalone hosts.

The attackers utilize an Internet Computer Protocol (ICP) canister for resilient command-and-control (C2) communication and rely on rotating Cloudflare tunnels for payload delivery.

Execution and Destructive Payload

Upon execution, the payload determines its environment by checking for Kubernetes service accounts.

It then evaluates the system’s timezone and locale settings to identify Iranian targets, specifically looking for indicators like Asia/Tehran or fa_IR. If the system is located in Iran, the malware initiates a devastating wiping routine.

In a targeted Kubernetes cluster, the malware deploys a privileged DaemonSet named host-provisioner-iran within the kube-system namespace.

This deployment launches an Alpine container named kamikaze that mounts the host’s root filesystem. It systematically deletes top-level directories and forces a system reboot.

Because the DaemonSet is configured to tolerate all node taints, it schedules the destructive container across every node, including the critical control plane.

Non-Kubernetes Iranian systems face a similarly brutal fate: forced deletion of the root directory to brick the host.

```python
# Dispatch logic excerpted in the report; the helper functions it calls
# (is_k8s, is_iran, deploy_destructive_ds, deploy_std_ds, poison_pill)
# are not reproduced here.
import sys

if __name__ == "__main__":
    if is_k8s():
        if is_iran():
            deploy_destructive_ds()   # privileged wiper DaemonSet (host-provisioner-iran)
        else:
            deploy_std_ds()           # backdoor DaemonSet (host-provisioner-std)
    else:
        if is_iran():
            poison_pill()             # delete the root directory on a standalone Iranian host
        sys.exit(1)
```

For systems outside Iran, the malware serves solely as a persistent backdoor. On Kubernetes, it deploys a host-provisioner-std DaemonSet that installs the CanisterWorm payload across the cluster.

This backdoor is registered as a systemd service, initially disguised as internal-monitor but later adopting a PostgreSQL disguise under the name pgmonitor.

```python
import os

def is_k8s():
    # Treat the host as a Kubernetes node if the projected service-account
    # directory or the in-cluster API environment variable is present.
    return (os.path.exists("/var/run/secrets/kubernetes.io/serviceaccount") or
            "KUBERNETES_SERVICE_HOST" in os.environ)
```

Once installed, the Python script persistently polls the ICP canister C2 every 50 minutes to download and execute secondary commands.
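The C2 host and the Cloudflare tunnel pattern from this report can be matched against DNS or proxy telemetry, and the 50-minute polling cadence gives a second, behavioural signal. The following is an added example, not code from the report or from the malware; it assumes a constructed log format of "timestamp client hostname" per line and uses the canister hostname undefanged so that it matches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Network indicators from the IOC table (defanged there, plain here so they match).
C2_HOST = "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"
DELIVERY_SUFFIX = ".trycloudflare.com"
# Assumed log line shape: "<ISO timestamp> <client IP> <queried hostname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)$")

def classify_host(host):
    # Indicator category for a queried hostname, or None if it is clean.
    host = host.lower().rstrip(".")
    if host == C2_HOST:
        return "icp-canister-c2"
    if host.endswith(DELIVERY_SUFFIX):
        return "cloudflare-tunnel-delivery"
    return None

def scan_dns_log(lines):
    # (timestamp, client, hostname, category) for every line that hits an indicator.
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (cat := classify_host(m["host"])):
            hits.append((datetime.fromisoformat(m["ts"]), m["src"], m["host"], cat))
    return hits

def find_beacons(hits, period=timedelta(minutes=50), slack=timedelta(minutes=3), min_hits=3):
    # Clients whose canister lookups recur at the reported ~50-minute cadence.
    by_client = defaultdict(list)
    for ts, src, _, cat in hits:
        if cat == "icp-canister-c2":
            by_client[src].append(ts)
    beaconing = []
    for src, stamps in by_client.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= slack)
        if regular + 1 >= min_hits:
            beaconing.append(src)
    return sorted(beaconing)

SAMPLE_LOG = [  # constructed sample log, not real telemetry
    "2025-01-10T08:00:00 10.0.0.5 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "2025-01-10T08:03:10 10.0.0.5 quiet-river-example.trycloudflare.com",
    "2025-01-10T08:50:04 10.0.0.5 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "2025-01-10T09:40:01 10.0.0.5 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "2025-01-10T10:15:00 10.0.0.9 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
]
```

A single lookup of the canister host (10.0.0.9 above) is worth triage on its own, but only a client that keeps returning on the 50-minute schedule is reported as beaconing.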

Lateral Movement and Indicators of Compromise

The latest iteration of CanisterWorm has evolved beyond relying solely on Kubernetes for propagation. The malware now features autonomous lateral movement capabilities through SSH key theft and Docker API exploitation.

The script actively parses authentication logs, such as /var/log/auth.log, to extract active IP addresses and usernames from successful logins. It then uses any discovered private SSH keys to spread to these adjacent machines.

Simultaneously, the malware scans the local subnet for exposed Docker APIs on port 2375. When it finds an unsecured endpoint, it creates a privileged container that mounts the host root directory to deliver the payload.

To defend against this aggressive supply chain attack, security teams must proactively audit their infrastructure. The table below outlines the critical Indicators of Compromise (IOCs) associated with this campaign.

| Category | Indicator | Description |
|---|---|---|
| Network | tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io | ICP canister C2 dead-drop |
| Network | *.trycloudflare[.]com | Rotating payload delivery URLs |
| Kubernetes | host-provisioner-iran, host-provisioner-std | Malicious DaemonSets |
| Kubernetes | kamikaze, provisioner | Malicious container names |
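The Kubernetes rows of the IOC table catch this specific campaign, but the DaemonSet behaviour described earlier (privileged container, host root mounted via hostPath, tolerations that match every taint so the pod lands on control-plane nodes) is what an audit should flag even after the names change. The following is an added example, not code from the report; it assumes DaemonSet objects in the JSON shape that `kubectl get ds -A -o json` returns under `items`.

```python
# Kubernetes names from the IOC table.
MALICIOUS_DS = {"host-provisioner-iran", "host-provisioner-std"}
MALICIOUS_CONTAINERS = {"kamikaze", "provisioner"}

def tolerates_all_taints(pod_spec):
    # A toleration with no key and operator Exists matches every taint, which is
    # how the report's DaemonSet gets scheduled onto control-plane nodes as well.
    return any(t.get("operator") == "Exists" and not t.get("key")
               for t in pod_spec.get("tolerations", []))

def mounts_host_root(pod_spec):
    return any(v.get("hostPath", {}).get("path") == "/"
               for v in pod_spec.get("volumes", []))

def privileged_containers(pod_spec):
    return [c["name"] for c in pod_spec.get("containers", [])
            if c.get("securityContext", {}).get("privileged")]

def audit_daemonset(ds):
    # Findings for one DaemonSet object, in the shape `kubectl get ds -o json` returns.
    meta, pod = ds["metadata"], ds["spec"]["template"]["spec"]
    findings = []
    if meta["name"] in MALICIOUS_DS:
        findings.append(f"known-ioc-name:{meta['name']}")
    names = {c["name"] for c in pod.get("containers", [])}
    for n in sorted(names & MALICIOUS_CONTAINERS):
        findings.append(f"known-ioc-container:{n}")
    if privileged_containers(pod) and mounts_host_root(pod):
        findings.append("privileged-host-root-mount")
    if tolerates_all_taints(pod):
        findings.append("tolerates-all-taints")
    return findings

SAMPLE_DS = [  # constructed manifests, not captured from a real cluster
    {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "tolerations": [{"operator": "Exists"}],
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "kamikaze", "image": "alpine",
                         "securityContext": {"privileged": True}}]}}}},
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "tolerations": [{"operator": "Exists"}],
         "volumes": [{"name": "lock", "hostPath": {"path": "/run/xtables.lock"}}],
         "containers": [{"name": "kube-proxy", "image": "kube-proxy",
                         "securityContext": {"privileged": True}}]}}}},
]
```

A tolerate-all finding on its own is normal for system DaemonSets such as kube-proxy; the combination with a privileged container that mounts the host root, or with one of the IOC names, is the signal to act on.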

The post TeamPCP Unleashes Iran‑Targeted CanisterWorm Kubernetes Wiper appeared first on Cyber Security News.