A cyber threat group known as TeamPCP has introduced a new, more destructive phase in its operations by deploying a Kubernetes wiper specifically targeting systems associated with Iran. This marks a significant shift from their previous strategies, which focused on credential theft and backdoor installations.
Escalating Cyber Threats
TeamPCP, identified as a cloud-native attacker since 2025, has historically exploited vulnerabilities in Docker APIs, Kubernetes clusters, and CI/CD pipelines to maintain persistence in targeted systems. Their latest move, however, signifies a direct and aggressive approach towards systems configured for Iran, highlighting a geopolitical focus in their attacks.
The newly deployed payload checks the environment of the infected system. Systems identified as Iranian are subjected to a complete wipe, while non-Iranian systems receive the CanisterWorm backdoor, a tactic seen in earlier campaigns.
Technical Breakdown of the Wiper
Research by Aikido has confirmed this new payload as a continuation of the CanisterWorm campaign, utilizing the same Internet Computer Protocol (ICP) canister command-and-control infrastructure. The payload’s delivery mechanism involves rotating Cloudflare tunnel domains, complicating network-level blocking efforts.
Once deployed, the payload runs a four-path decision tree driven by two checks: whether the host is part of a Kubernetes cluster, and whether its timezone and locale settings identify it as Iranian. Systems that pass the Iranian check are selected for destruction; the others get the backdoor.
Defensive Measures and Future Outlook
For Iranian Kubernetes systems, the payload deploys a DaemonSet named host-provisioner-iran, which mounts the host filesystem, deletes its contents, and forces a reboot, effectively crippling the cluster. Non-Kubernetes systems face direct filesystem wipes. A more advanced variant of the payload removes the Kubernetes dependency, adding self-propagation capabilities through SSH key theft and network scanning.
Security teams are urged to scrutinize all DaemonSets within the kube-system namespace for suspicious entries and block outbound connections to icp0.io domains. Closing Docker API access on port 2375 and rotating SSH keys on potentially compromised hosts are also recommended precautions.
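The DaemonSet audit recommended above can be scripted against the JSON that `kubectl get daemonsets -A -o json` prints. The script below is an added example written for this article, not code from Aikido or from the campaign analysis: it flags DaemonSets whose pod template mounts the node's root filesystem writably, runs privileged, or enables hostPID, the combination a host-wiping DaemonSet needs, and it also matches the DaemonSet name the article reports (host-provisioner-iran). The two sample objects are constructed; only that name comes from the article, and the image names and volume layout are assumptions.

```python
"""Audit Kubernetes DaemonSets for host-filesystem wiper traits.

Reads `kubectl get daemonsets -A -o json` from stdin, or runs against the
constructed SAMPLE below when stdin is a terminal.  Added example; the only
value taken from the article is the DaemonSet name in KNOWN_BAD_NAMES.
"""
import json
import sys

# DaemonSet name reported for the wiper (from the article); everything else
# in this file is detection logic or constructed sample data.
KNOWN_BAD_NAMES = {"host-provisioner-iran"}


def _host_root_volumes(pod_spec):
    """Names of volumes whose hostPath is the node's root directory ("/")."""
    names = []
    for vol in pod_spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None and path.rstrip("/") == "":
            names.append(vol["name"])
    return names


def _container_reasons(container, root_volumes):
    """Per-container traits that give the container write access to the node."""
    reasons = []
    if container.get("securityContext", {}).get("privileged"):
        reasons.append("privileged container")
    for mount in container.get("volumeMounts", []):
        if mount["name"] in root_volumes and not mount.get("readOnly", False):
            reasons.append(f"writable mount of host / at {mount['mountPath']}")
    return reasons


def audit_daemonsets(daemonset_list):
    """Return one finding per DaemonSet that shows any wiper-like trait."""
    findings = []
    for item in daemonset_list.get("items", []):
        meta = item["metadata"]
        name = meta["name"]
        pod_spec = item["spec"]["template"]["spec"]
        reasons = []
        if name in KNOWN_BAD_NAMES:
            reasons.append(f"name matches reported wiper DaemonSet {name}")
        if pod_spec.get("hostPID"):
            reasons.append("hostPID enabled")
        root_volumes = _host_root_volumes(pod_spec)
        containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
        for c in containers:
            reasons.extend(f"{c['name']}: {r}" for r in _container_reasons(c, root_volumes))
        if reasons:
            findings.append({"namespace": meta.get("namespace", "default"),
                             "name": name, "reasons": reasons})
    return findings


# Constructed sample: one benign-looking DaemonSet (read-only sub-directory
# mount, unprivileged) and one modelled on the wiper described in the article
# (its command is deliberately omitted; the image name is assumed).
SAMPLE = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "node-exporter", "namespace": "kube-system"},
         "spec": {"template": {"spec": {
             "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
             "containers": [{"name": "exporter", "image": "example/node-exporter:1.0",
                             "volumeMounts": [{"name": "proc", "mountPath": "/host/proc",
                                               "readOnly": True}]}]}}}},
        {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
         "spec": {"template": {"spec": {
             "hostPID": True,
             "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "provisioner", "image": "alpine:3",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}]}}}},
    ],
}


def main():
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_daemonsets(doc)
    for f in findings:
        print(f"{f['namespace']}/{f['name']}")
        for r in f["reasons"]:
            print(f"  - {r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `kubectl get daemonsets -A -o json | python3 audit_daemonsets.py`; a non-zero exit means at least one DaemonSet needs a look. Treat the output as a triage list rather than a verdict: CNI plugins, storage drivers and some monitoring agents legitimately run privileged with host mounts, so compare each hit against the cluster's change history and the DaemonSet's creation timestamp before deleting anything.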
This development underscores the increasing sophistication of cyber threats, necessitating heightened vigilance and robust security protocols. As TeamPCP evolves its tactics, organizations must stay informed and proactive in safeguarding their digital assets.
