TeamPCP deploys Iran-targeted wiper in Kubernetes attacks

Recorded: March 24, 2026, 2:22 a.m.

By Bill Toulas

March 23, 2026
04:09 PM

The TeamPCP hacking group is targeting Kubernetes clusters with a malicious script that wipes every machine it can reach when it detects a system configured for an Iranian timezone and locale.
The threat actor is responsible for the recent supply-chain attack on the Trivy vulnerability scanner, and also an NPM-based campaign dubbed ‘CanisterWorm,’ which started on March 20.
Selective destruction payload
Researchers at application security company Aikido say that the campaign targeting Kubernetes clusters uses the same command-and-control (C2), backdoor code, and drop path as seen in the CanisterWorm incidents.
However, the new campaign differs in that it includes a destructive payload targeting Iranian systems and installs the CanisterWorm backdoor on nodes in other locales.
“The script uses the exact same ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io) we documented in the CanisterWorm campaign. Same C2, same backdoor code, same /tmp/pglog drop path,” Aikido says.
“The Kubernetes-native lateral movement via DaemonSets is consistent with TeamPCP's known playbook, but this variant adds something we haven't seen from them before: a geopolitically targeted destructive payload aimed specifically at Iranian systems.”
According to Aikido researchers, the malware is built to destroy any machine that matches Iran's timezone and locale, regardless of whether Kubernetes is present.
If both conditions are met (an Iranian timezone and locale, and Kubernetes present), the script deploys a DaemonSet named ‘Host-provisioner-iran’ in ‘kube-system’ that runs privileged containers and mounts the host root filesystem into /mnt/host.
Each pod runs an Alpine container named ‘kamikaze’ that deletes all top-level directories on the host filesystem, and then forces a reboot on the host.
If Kubernetes is present but the system is identified as not Iranian, the malware deploys a DaemonSet named ‘host-provisioner-std’ using privileged containers with the host filesystem mounted.
Instead of wiping data, each pod writes a Python backdoor onto the host filesystem and installs it as a systemd service so it persists on every node.
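The two DaemonSets described above share one shape: a privileged container with the host's / exposed through a hostPath volume. As an added example, not Aikido's or the article's code, the Python script below audits the output of `kubectl get daemonsets -A -o json` for that shape and ranks what it finds. The sample JSON embedded in it is constructed for the example; only the DaemonSet name `host-provisioner-std` comes from the article, and the other two workloads, their images and the file name `audit_ds.py` are assumptions.

```python
"""Audit Kubernetes DaemonSets for the privileged + host-root-mount pattern."""
import json
import sys

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`. The
# kube-system "host-provisioner-std" entry mirrors the pattern described in the
# article (privileged Alpine container, host / mounted at /mnt/host); "cni-node"
# and "log-shipper" are made-up workloads included for contrast.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "host-provisioner-std", "namespace": "kube-system"},
   "spec": {"template": {"spec": {
     "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
     "containers": [{"name": "provisioner", "image": "alpine:latest",
                     "securityContext": {"privileged": true},
                     "volumeMounts": [{"name": "host", "mountPath": "/mnt/host"}]}]}}}},
  {"metadata": {"name": "cni-node", "namespace": "kube-system"},
   "spec": {"template": {"spec": {
     "volumes": [{"name": "cni-bin", "hostPath": {"path": "/opt/cni/bin"}}],
     "containers": [{"name": "install-cni", "image": "example/cni:1.0",
                     "securityContext": {"privileged": true},
                     "volumeMounts": [{"name": "cni-bin", "mountPath": "/host/opt/cni/bin"}]}]}}}},
  {"metadata": {"name": "log-shipper", "namespace": "monitoring"},
   "spec": {"template": {"spec": {
     "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
     "containers": [{"name": "shipper", "image": "example/shipper:2.3",
                     "volumeMounts": [{"name": "varlog", "mountPath": "/var/log",
                                       "readOnly": true}]}]}}}}
]}
""")

_RANK = {"critical": 0, "high": 1, "medium": 2}


def _hostpath_volumes(pod_spec):
    """Map volume name -> host path for every hostPath volume in a pod template."""
    return {v["name"]: v["hostPath"]["path"]
            for v in pod_spec.get("volumes") or []
            if v.get("hostPath") and "path" in v["hostPath"]}


def audit_daemonsets(ds_list):
    """Return findings for DaemonSet containers that run privileged and/or mount host /.

    Severity: privileged + host root mounted -> critical (full host takeover, the
    pattern described above); host root mounted without privileged -> high (still
    enough to drop a systemd unit under <mount>/etc); privileged alone -> medium
    (often legitimate for CNI or storage agents, but worth reviewing).
    """
    findings = []
    for ds in ds_list.get("items", []):
        meta = ds.get("metadata", {})
        pod_spec = ds.get("spec", {}).get("template", {}).get("spec", {})
        hostpaths = _hostpath_volumes(pod_spec)
        containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
        for c in containers:
            privileged = bool((c.get("securityContext") or {}).get("privileged"))
            root_mount = next((vm["mountPath"] for vm in c.get("volumeMounts") or []
                               if hostpaths.get(vm["name"]) == "/"), None)
            if not privileged and root_mount is None:
                continue
            if privileged and root_mount:
                severity = "critical"
            elif root_mount:
                severity = "high"
            else:
                severity = "medium"
            findings.append({
                "namespace": meta.get("namespace"), "name": meta.get("name"),
                "container": c.get("name"), "image": c.get("image"),
                "privileged": privileged, "host_root_mount": root_mount,
                "severity": severity,
            })
    return sorted(findings, key=lambda f: (_RANK[f["severity"]], f["namespace"], f["name"]))


if __name__ == "__main__":
    # Real run: kubectl get daemonsets -A -o json > ds.json && python3 audit_ds.py ds.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_daemonsets(data):
        print(f"{f['severity']:8} {f['namespace']}/{f['name']} container={f['container']} "
              f"image={f['image']} privileged={f['privileged']} host_root_mount={f['host_root_mount']}")
```

Run it against the sample and only `host-provisioner-std` comes back critical; `cni-node` is medium because it is privileged but mounts only `/opt/cni/bin`, and the read-only `/var/log` shipper is not reported at all. The same three checks map directly onto a Pod Security admission `restricted` profile or a Kyverno/Gatekeeper rule if you would rather block the pattern than find it afterwards.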
On Iranian systems without Kubernetes, the malware deletes every file accessible to the current user, system data included, by running `rm -rf /` with the `--no-preserve-root` flag (without that flag, GNU rm refuses to operate on /). If root privileges are not available, it attempts to obtain them via passwordless sudo.

TeamPCP wiping Iranian systems with no Kubernetes (source: Aikido)
On systems where none of the conditions are met, no malicious action is taken, and the malware just exits.
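The non-Kubernetes branch only gets root on a host where the compromised account already has a passwordless sudo rule, so that rule is the thing to look for. As an added example, not code from Aikido or the article, the Python below parses a sudoers file and reports every NOPASSWD rule, ranking `NOPASSWD: ALL` highest. The sudoers excerpt inside it is constructed; the user names, commands and the file name `sudoers_audit.py` are assumptions.

```python
"""Find passwordless sudo rules, the escalation path the non-Kubernetes branch relies on."""
import re
import sys

# Constructed sudoers excerpt; not taken from any real system. The "deploy" rule is
# the kind of entry that lets an unprivileged foothold run `sudo -n rm -rf /`.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
ci      ALL=(ALL) NOPASSWD:SETENV: /usr/local/bin/deploy.sh
# ops   ALL=(ALL) NOPASSWD: ALL   <- commented out, must not be flagged
"""

# user_or_group  hosts = (runas) [TAG:...] commands
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
_TAG = re.compile(r"[A-Z]+")   # NOPASSWD, SETENV, NOEXEC, ...


def parse_nopasswd(sudoers_text):
    """Return NOPASSWD rules as dicts: who, runas, commands, severity.

    severity is "critical" when commands is ALL (unrestricted passwordless root)
    and "high" otherwise. Comments, Defaults lines and password-requiring rules
    are skipped. Handles one rule per line; backslash continuations and
    #include/#includedir directives are out of scope for this example.
    """
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m or "NOPASSWD:" not in m.group("rest"):
            continue
        # Peel leading TAG: prefixes (NOPASSWD:, SETENV:, ...) off the command list.
        cmds = m.group("rest")
        while ":" in cmds:
            tag, rest = cmds.split(":", 1)
            if not _TAG.fullmatch(tag.strip()):
                break
            cmds = rest.strip()
        findings.append({
            "who": m.group("who"),
            "runas": m.group("runas") or "root",   # sudo's default runas user
            "commands": cmds,
            "severity": "critical" if cmds == "ALL" else "high",
        })
    return findings


if __name__ == "__main__":
    # Real run (needs root to read the file): sudo python3 sudoers_audit.py /etc/sudoers
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for f in parse_nopasswd(text):
        print(f"{f['severity']:8} {f['who']} -> ({f['runas']}) {f['commands']}")
```

On the sample, `deploy` is reported critical and `backup` and `ci` high; the `%sudo` group and the commented-out `ops` line are not reported. The quickest runtime check from an unprivileged shell is `sudo -n true`, which succeeds without prompting exactly when such a rule (or a cached credential) applies to the current user, which is what the malware is testing for.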
Aikido reports that a recent version of the malware, which uses the same ICP canister backdoor, has omitted the Kubernetes-based lateral movement and instead uses SSH propagation, parsing authentication logs for valid credentials, and using stolen private keys.
The researchers highlighted some key indicators of this activity: outbound SSH connections from compromised hosts launched with ‘StrictHostKeyChecking=no’, outbound connections to the Docker API on port 2375 across the local subnet, and privileged Alpine containers created through an unauthenticated Docker API with / mounted as a hostPath.
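The three indicators above each live in a different telemetry feed: process command lines, network flows, and the Docker daemon's view of its containers. As an added example, not Aikido's or the article's code, the Python below implements one detector per indicator and runs them over constructed samples. The hosts, IP addresses, container names other than `kamikaze`, and the `docker inspect` excerpt are all made up for the example; the fan-out threshold of three targets is an assumption to tune against your own environment.

```python
"""Hunt for the indicators Aikido lists for the SSH-propagating variant."""
import re
from collections import defaultdict

# Constructed telemetry (hosts, IPs and names are made up). Three feeds that most
# EDR/auditd + flow pipelines can produce:
#   PROCESS_LOG   "<host> uid=<n> <command line>" as recorded at execve time
#   FLOWS         (src_ip, dst_ip, dst_port) outbound connection records
#   DOCKER_PS     cut-down `docker inspect` output from one Docker host
PROCESS_LOG = [
    "10.0.8.14 uid=1000 ssh -o StrictHostKeyChecking=no -i /home/app/.ssh/id_rsa root@10.0.8.22",
    "10.0.8.14 uid=1000 ssh -oStrictHostKeyChecking=NO -o UserKnownHostsFile=/dev/null deploy@10.0.8.31",
    "10.0.8.14 uid=1000 curl -s -X POST http://10.0.8.22:2375/containers/create",
    "10.0.3.5  uid=1000 ssh -o ServerAliveInterval=30 git@github.com",
    "10.0.3.5  uid=0 ssh -o StrictHostKeyChecking=ask admin@10.0.3.9",
]
FLOWS = [
    ("10.0.8.14", "10.0.8.1", 2375), ("10.0.8.14", "10.0.8.2", 2375),
    ("10.0.8.14", "10.0.8.3", 2375), ("10.0.8.14", "10.0.8.22", 2375),
    ("10.0.8.14", "10.0.8.22", 22),   ("10.0.3.5", "10.0.8.20", 2375),
]
DOCKER_PS = [
    {"Name": "/kamikaze", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]}},
    {"Name": "/web", "Config": {"Image": "nginx:1.27"},
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
]

# Matches "-o StrictHostKeyChecking=no" and the squashed "-oStrictHostKeyChecking=no".
_SSH_NOCHECK = re.compile(r"\bssh\b.*-o\s*StrictHostKeyChecking\s*=\s*no\b", re.IGNORECASE)


def ssh_nohostcheck(process_lines):
    """Process records where ssh was launched with StrictHostKeyChecking=no.

    Worms set this so an unknown host key never blocks an automated hop; an
    interactive admin rarely does. UserKnownHostsFile=/dev/null alongside it is
    a stronger signal still.
    """
    return [ln for ln in process_lines if _SSH_NOCHECK.search(ln)]


def docker_api_fanout(flows, port=2375, min_targets=3):
    """Sources that connected to the Docker API port on >= min_targets distinct hosts.

    One connection may be an admin tool; a fan-out across the subnet is the
    scanning behaviour described above.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def privileged_root_binds(containers):
    """Names of containers that are privileged AND bind-mount the host's / somewhere."""
    hits = []
    for c in containers:
        hc = c.get("HostConfig", {})
        binds = hc.get("Binds") or []
        if hc.get("Privileged") and any(b.split(":", 1)[0] == "/" for b in binds):
            hits.append(c.get("Name"))
    return hits


if __name__ == "__main__":
    for ln in ssh_nohostcheck(PROCESS_LOG):
        print("ssh-nohostcheck:", ln)
    for src, dsts in docker_api_fanout(FLOWS).items():
        print(f"docker-api-fanout: {src} -> {len(dsts)} hosts on 2375: {dsts}")
    for name in privileged_root_binds(DOCKER_PS):
        print("privileged-root-bind:", name)
```

On the samples, both flagged ssh launches and the Docker API fan-out come from the same host, 10.0.8.14, which is the pivot you would isolate first; the single 2375 connection from 10.0.3.5 stays below the threshold. The bind check reads the `Binds` list rather than `Mounts` because that is where `-v /:/mnt/host` ends up; if your fleet uses `--mount` syntax, check `Mounts[].Source` as well.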


Related Articles:
FBI warns of Handala hackers using Telegram in malware attacks
How CISOs Can Survive the Era of Geopolitical Cyberattacks
FBI seizes Handala data leak site after Stryker cyberattack
AI-generated Slopoly malware used in Interlock ransomware attack
Medtech giant Stryker offline after Iran-linked wiper malware attack

Tags: Backdoor, Cloud, Iran, Kubernetes, Malware, TeamPCP, Wiper

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


Summarized

TeamPCP, a known hacking group, has deployed a targeted wiper campaign designed to destroy systems identified as Iranian, using Kubernetes clusters as a central component of the operation. The activity, detailed by application security company Aikido, is a notable escalation in TeamPCP's tactics.

The campaign reuses the command-and-control (C2) infrastructure (the same ICP canister), backdoor code and /tmp/pglog drop path seen in the group's ‘CanisterWorm’ NPM campaign; the group is also behind the recent Trivy supply-chain attack. The new variant adds a geographically targeted destructive payload. When a machine matches Iran's timezone and locale and Kubernetes is present, the script creates a ‘Host-provisioner-iran’ DaemonSet in kube-system that runs privileged containers with the host root filesystem mounted at /mnt/host; each pod's ‘kamikaze’ Alpine container deletes every top-level directory on the host and forces a reboot.

When Kubernetes is present but the system is not Iranian, the malware instead deploys a ‘host-provisioner-std’ DaemonSet whose privileged containers write a Python backdoor to the host filesystem and register it as a systemd service, so it persists on every node. On Iranian systems without Kubernetes, the malware runs `rm -rf /` with the `--no-preserve-root` flag, deleting everything the current user can reach, and attempts passwordless sudo if it is not already root. Where none of the conditions are met, it simply exits.

A newer version of the malware keeps the same ICP canister backdoor but drops the Kubernetes-based lateral movement in favour of SSH propagation, parsing authentication logs for valid credentials and reusing stolen private keys. Indicators include outbound SSH connections with ‘StrictHostKeyChecking=no’ from compromised hosts, outbound connections to the Docker API on port 2375 across the local subnet, and privileged Alpine containers created through an unauthenticated Docker API with / mounted as a hostPath.

Aikido stresses that the geopolitical targeting is a departure from TeamPCP's known playbook. Organisations running Kubernetes should watch for the DaemonSet and Docker API indicators above, and since the timezone and locale check runs regardless of whether Kubernetes is present, standalone Linux hosts are exposed as well.