TeamPCP's CanisterWorm Wiper Targeting Iranian Kubernetes

Tags: Kubernetes, Wiper, TeamPCP, Iran, CanisterWorm
The CanisterWorm campaign, run by the threat actor TeamPCP, targets Kubernetes clusters with a destructive payload aimed specifically at Iranian systems. The campaign uses a script that selects its behaviour from the system's timezone and locale: on Iranian Kubernetes nodes it deploys a destructive DaemonSet, on non-Iranian nodes it installs a backdoor. For lateral movement the campaign also abuses exposed Docker APIs and stolen SSH keys, so the outcome on a given host (wipe or backdoor) depends on its location and infrastructure.
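The summary above names two things a defender can look for: a DaemonSet whose pod template asks for node-level access, and DNS lookups of the listed campaign domains. The following is an added triage example written for this page; it is not code from the campaign write-up or from any vendor. It assumes Kubernetes audit logging at the RequestResponse level (so `requestObject` is present in the event) and a constructed `key=value` DNS query log layout; the sample events and log lines are constructed, not real captures.

```python
"""Added defensive triage example: flag DaemonSet creations that request
host-level access in Kubernetes audit events, and match DNS query logs against
the campaign's listed domains. Assumes audit level RequestResponse (so
requestObject is present) and a constructed key=value DNS log format."""

# Network indicators listed for this campaign.
IOC_DOMAINS = {
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "championships-peoples-point-cassette.trycloudflare.com",
    "investigation-launches-hearings-copying.trycloudflare.com",
    "souls-entire-defined-routes.trycloudflare.com",
}

# Host paths whose mounting by a DaemonSet gives node-wide write access (assumed list).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/var", "/root", "/var/lib/kubelet"}

# Constructed sample audit events (not real captures); only the fields the detector reads.
SAMPLE_AUDIT_EVENTS = [
    {   # benign: logging agent created by a controller, no host access requested
        "verb": "create",
        "user": {"username": "system:serviceaccount:kube-system:deployment-controller"},
        "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "fluentd"},
        "requestObject": {"spec": {"template": {"spec": {
            "containers": [{"name": "fluentd", "image": "fluent/fluentd:v1.16"}],
            "volumes": [{"name": "logs", "emptyDir": {}}]}}}},
    },
    {   # suspicious: privileged container, hostPID, root filesystem mounted, human user
        "verb": "create",
        "user": {"username": "kubernetes-admin"},
        "objectRef": {"resource": "daemonsets", "namespace": "default", "name": "node-sync"},
        "requestObject": {"spec": {"template": {"spec": {
            "hostPID": True,
            "containers": [{"name": "agent", "image": "alpine:3.19",
                            "securityContext": {"privileged": True}}],
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}},
    },
    {   # not a DaemonSet: ignored by the detector
        "verb": "create",
        "user": {"username": "kubernetes-admin"},
        "objectRef": {"resource": "deployments", "namespace": "default", "name": "web"},
        "requestObject": {"spec": {"template": {"spec": {"containers": [{"name": "web"}]}}}},
    },
]

# Constructed sample DNS query log lines (not real captures).
SAMPLE_DNS_LOG = [
    "2025-12-03T08:14:02Z client=10.0.3.7 query=registry.k8s.io. type=A",
    "2025-12-03T08:14:09Z client=10.0.3.7 query=souls-entire-defined-routes.trycloudflare.com. type=A",
    "2025-12-03T08:15:41Z client=10.0.5.2 query=TDTQY-OYAAA-AAAAE-AF2DQ-CAI.raw.icp0.io type=A",
]


def daemonset_alerts(events):
    """Return one alert per DaemonSet creation whose pod template requests
    host-level access (privileged container, hostPID, or a sensitive hostPath)."""
    alerts = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") != "daemonsets":
            continue
        user = ev.get("user", {}).get("username", "")
        pod = (ev.get("requestObject", {}).get("spec", {})
                 .get("template", {}).get("spec", {}))
        reasons = []
        if pod.get("hostPID"):
            reasons.append("hostPID enabled")
        for c in pod.get("containers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append(f"privileged container {c.get('name')}")
        for v in pod.get("volumes", []):
            path = (v.get("hostPath") or {}).get("path")
            if path in SENSITIVE_HOST_PATHS:
                reasons.append(f"hostPath mount of {path}")
        if reasons:
            alerts.append({
                "namespace": ref.get("namespace"), "name": ref.get("name"),
                "user": user,
                # controllers use system: identities; a human or app account is extra context
                "system_identity": user.startswith("system:"),
                "reasons": reasons,
            })
    return alerts


def match_dns_iocs(lines):
    """Return (client, domain) pairs for queries that hit a listed IoC domain;
    matching is case-insensitive and ignores the trailing root dot."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        domain = fields.get("query", "").rstrip(".").lower()
        if domain in IOC_DOMAINS:
            hits.append((fields.get("client"), domain))
    return hits


if __name__ == "__main__":
    for alert in daemonset_alerts(SAMPLE_AUDIT_EVENTS):
        print("DAEMONSET", alert)
    for client, domain in match_dns_iocs(SAMPLE_DNS_LOG):
        print("DNS", client, domain)
```

The DaemonSet check keys on what the pod template asks of the node rather than on who created it, because legitimate agents are also created by human admins; the creating identity is carried along as context for the analyst. The DNS matcher normalises case and the trailing dot so that the same domain written by different resolvers still matches.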

Indicators of Compromise

tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
championships-peoples-point-cassette.trycloudflare.com
investigation-launches-hearings-copying.trycloudflare.com
souls-entire-defined-routes.trycloudflare.com

APT Groups (1)

TeamPCP

TeamPCP is a financially motivated cybercrime group that emerged in late 2025. They specialize in supply chain attacks on cloud-native ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) to inject credential stealers, deploy ransomware, and perform destructive operations. The group has demonstrated advanced automation, cloud-native tactics, and selective wiper behavior.

Aliases: ShellForce, Persy_PCP, CipherForce, PCPcat, DeadCatx3, team pcp

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS

DET0060 - Detect Ingress Tool Transfers via Behavioral Chain, Detection Strategy DET0060 | MITRE ATT&CK®
  Detection ID: DET0060
  Name: Detect Ingress Tool Transfers via Behavioral Chain, Detection Strategy DET0060 | MITRE ATT&CK®
  Analytic ID: DET0060
  Description: (could not be parsed)

DET0118 - Exploitation of Remote Services – multi-platform lateral movement detection, Detection Strategy DET0118 | MITRE ATT&CK®
  Detection ID: DET0118
  Name: Exploitation of Remote Services – multi-platform lateral movement detection, Detection Strategy DET0118 | MITRE ATT&CK®
  Analytic ID: DET0118
  Description: (could not be parsed)

DET0146 - Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns, Detection Strategy DET0146 | MI
  Detection ID: DET0146
  Name: Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns, Detection Strategy DET0146 | MI
  Analytic ID: DET0146
  Description: (could not be parsed)

DET0269 - Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity, Detection Strategy DET0269 | MITRE ATT
  Detection ID: DET0269
  Name: Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity, Detection Strategy DET0269 | MITRE ATT
  Analytic ID: DET0269
  Description: (could not be parsed)

DET0560 - Detection of Valid Account Abuse Across Platforms, Detection Strategy DET0560 | MITRE ATT&CK®
  Detection ID: DET0560
  Name: Detection of Valid Account Abuse Across Platforms, Detection Strategy DET0560 | MITRE ATT&CK®
  Analytic ID: DET0560
  Description: (could not be parsed)


Observed Countries (1)

IR (657)