A financially driven cybercrime syndicate, identified as TeamPCP, has been systematically infiltrating cloud infrastructures since late 2025. Their activities have now caught the attention of cybersecurity experts worldwide.
The group deploys a self-replicating malware known as CanisterWorm against exposed Docker APIs, Kubernetes clusters, Redis servers, and hosts vulnerable to the React2Shell flaw. Once inside a network it harvests credentials, spreads to further hosts, and extorts the victim organization via Telegram.
Impact on Cloud Platforms
CanisterWorm has hit enterprises across the major cloud providers, above all Azure and AWS. Analysis by security firm Flare puts roughly 61% of compromised systems on Azure and another 36% on AWS, so about 97% of affected systems sit on those two platforms.
Rather than relying on novel exploits, TeamPCP abuses known vulnerabilities and cloud misconfigurations, turning each exposed system into another propagation node of a self-spreading criminal network.
Supply Chain Attack and Geographic Targeting
On March 19, 2026, TeamPCP expanded its operations with a supply chain attack on Trivy, the widely used vulnerability scanner from Aqua Security. The group injected credential-stealing code into Trivy's GitHub Actions releases, harvesting SSH keys and cloud credentials from the CI pipelines that ran the tampered versions.
Over the weekend of March 22-23 a destructive payload followed: on hosts where certain locale settings indicated Iran, it wiped data on Kubernetes clusters or local machines. This adds geo-targeted, apparently politically motivated destruction to what had been a purely financial operation.
Technical Sophistication and Defense Strategies
TeamPCP's infrastructure management is notably advanced: it uses Internet Computer Protocol (ICP) canisters, blockchain-hosted smart contracts, as its command structure. Because no single hosting provider can be asked to pull them down, the canisters resist conventional takedown efforts, and they let the group swap payloads quickly and quietly.
Organizations running Docker, Kubernetes, or Redis should urgently audit for exposed management APIs and unpatched vulnerabilities, rotate credentials, and harden configurations. Anyone who ran Trivy's GitHub Action during the attack window should treat every secret available to those CI jobs (cloud keys, SSH keys, registry and repository tokens) as compromised and rotate it.
Continuous monitoring of network behaviour and secure configuration of cloud environments remain essential to limit future exposure. GitHub repository owners should review their workflows for unauthorized changes and pin third-party actions to immutable commit SHAs rather than mutable tags or branches, so that a tampered release cannot be pulled into a build unnoticed.
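The workflow review above is easy to automate. The script below is an added example written for this article, not code from TeamPCP research or from the Trivy project: it scans GitHub Actions workflow files for `uses:` references that point at a mutable tag, branch, or image tag instead of a full 40-character commit SHA (or an `@sha256:` image digest). The sample workflow is constructed for the example, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Constructed sample workflow (not from any real repository). It mixes
# mutable references with one placeholder full-SHA pin.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches "- uses: owner/repo@ref" (quoted or not), ignoring trailing comments.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA40_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses: str) -> str:
    """Return 'local', 'sha', 'docker' (image by tag) or 'mutable' (tag/branch)."""
    if uses.startswith('./'):
        return 'local'                      # in-repo action, reviewed with the repo
    if uses.startswith('docker://'):
        # Only a digest is immutable for container images; a tag can be re-pushed.
        return 'sha' if '@sha256:' in uses else 'docker'
    if '@' not in uses:
        return 'mutable'                    # no ref at all: default branch
    ref = uses.rsplit('@', 1)[1]
    return 'sha' if SHA40_RE.match(ref) else 'mutable'


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, uses_string, kind) for every non-SHA-pinned action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        kind = classify_ref(uses)
        if kind in ('mutable', 'docker'):
            findings.append((lineno, uses, kind))
    return findings


def scan_repo(repo_root: str) -> List[Tuple[str, int, str, str]]:
    """Walk .github/workflows in a checkout and collect findings per file."""
    results = []
    wf_dir = Path(repo_root) / '.github' / 'workflows'
    for path in sorted(list(wf_dir.glob('*.yml')) + list(wf_dir.glob('*.yaml'))):
        for lineno, uses, kind in find_unpinned_actions(path.read_text()):
            results.append((str(path), lineno, uses, kind))
    return results


if __name__ == '__main__':
    # With a path argument, audit a real checkout; otherwise run on the sample.
    if len(sys.argv) > 1:
        hits = scan_repo(sys.argv[1])
        for path, lineno, uses, kind in hits:
            print(f'{path}:{lineno}: {kind}: {uses}')
    else:
        hits = find_unpinned_actions(SAMPLE_WORKFLOW)
        for lineno, uses, kind in hits:
            print(f'<sample>:{lineno}: {kind}: {uses}')
    sys.exit(1 if hits else 0)
```

Run it as `python audit_pins.py /path/to/checkout` in CI to fail the build on unpinned actions. A SHA pin stops a re-tagged or force-pushed release from reaching your runners silently; it does not help if the pinned commit itself was already malicious, so pair it with a review of what changed in each pinned action during the attack window.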
