TeamPCP’s Kubernetes Wiper Targets and Destroys Iranian Systems in Cyber Escalation

TeamPCP’s CanisterWorm Escalates to Destructive Kubernetes Wiper Targeting Iranian Systems

In a significant escalation of cyber threats, the group known as TeamPCP has shifted from credential theft and backdoor installations to deploying a destructive Kubernetes wiper, specifically targeting systems configured for Iran. This development marks a notable intensification in the group’s tactics and objectives.

Background on TeamPCP

Since late 2025, TeamPCP has been identified as a cloud-native attacker, exploiting vulnerabilities in misconfigured Docker APIs, Kubernetes clusters, and CI/CD pipelines. Their initial operations focused on establishing persistence within compromised systems by installing backdoors and exfiltrating access credentials. The introduction of a wiper payload signifies a strategic shift towards outright system destruction.

Deployment and Functionality of the Wiper

The wiper is delivered through rotating Cloudflare tunnel domains, complicating network-level detection and mitigation efforts. Initially, the payload was a single file named `kamikaze.sh`. Subsequent iterations divided the logic into two components: a shell script stager that downloads and executes `kube.py` before self-deletion. This Python script contains the core decision-making logic, determining the malware’s actions based on the target system’s environment and locale settings.

Targeting Mechanism

The malware employs a decision tree based on two primary factors: whether the host operates within a Kubernetes cluster and whether it is configured for Iran. Iranian systems are identified by checking system timezone and locale settings, specifically looking for `Asia/Tehran`, `Iran`, or `fa_IR`.

– Iranian Systems within Kubernetes Clusters: The malware deploys a DaemonSet named `host-provisioner-iran` containing a container called `kamikaze`. This setup mounts the host’s root filesystem, deletes all top-level directories, and initiates a system reboot. The DaemonSet’s tolerations ensure deployment across all nodes, including the control plane, effectively incapacitating the entire cluster.

– Iranian Systems without Kubernetes: The script executes `rm -rf / --no-preserve-root`, aiming to erase the entire filesystem. If root privileges are unavailable, it attempts passwordless sudo, failing which it deletes all files owned by the current user.

Evolution and Self-Propagation

A more advanced variant of the payload has been identified, which eliminates the dependency on Kubernetes and introduces self-propagation capabilities. This version analyzes SSH authentication logs to identify previously connected machines, steals private SSH keys, and scans local subnets for exposed Docker APIs on port 2375. These propagation methods deliver the same destructive payload to Iranian targets while installing a persistent backdoor on other systems.

Implications and Recommendations

The deliberate and calculated nature of this attack underscores the evolving threat landscape, where adversaries are increasingly targeting specific geopolitical entities with destructive malware. Organizations, particularly those operating in or associated with Iran, should take immediate action to mitigate this threat.

Mitigation Strategies:

1. Audit Kubernetes Deployments: Review all DaemonSets in the `kube-system` namespace for unauthorized entries, especially those named `host-provisioner-iran`.

2. Monitor System Configurations: Regularly check system timezone and locale settings to detect unauthorized changes that may indicate compromise.

3. Enhance Access Controls: Implement strict access controls and regularly rotate SSH keys to prevent unauthorized access and lateral movement within the network.

4. Network Segmentation: Isolate critical systems and limit exposure of Docker APIs and other management interfaces to trusted networks only.

5. Incident Response Planning: Develop and regularly update incident response plans to address potential wiper malware attacks, ensuring rapid containment and recovery.
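As an added example for mitigation 1 (this is not code from the report or from TeamPCP's payload): a small Python audit that walks a `kubectl get daemonsets -A -o json` dump and flags the traits the article attributes to the wiper's DaemonSet. It matches the reported names (`host-provisioner-iran`, container `kamikaze`), but also any container that mounts the node's root filesystem through a `hostPath` of `/`, so a renamed variant is still surfaced; a blanket toleration (`operator: Exists` with no key, which schedules onto control-plane nodes) and a privileged security context are recorded only alongside a root mount, so ordinary privileged DaemonSets such as `kube-proxy` produce no noise. The sample dump, the `/host` mount path and the placeholder image are constructed for the example; the report does not state them.

```python
"""Audit DaemonSets for wiper-style host-root mounts and the reported indicator names."""
import json

INDICATOR_DAEMONSET_NAMES = {"host-provisioner-iran"}  # from the report
INDICATOR_CONTAINER_NAMES = {"kamikaze"}                # from the report


def _pod_spec(ds):
    return ds.get("spec", {}).get("template", {}).get("spec", {})


def host_root_volumes(pod_spec):
    """Names of volumes whose hostPath is the node root ('/', trailing slashes ignored)."""
    names = []
    for vol in pod_spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is not None and host_path.get("path", "").rstrip("/") == "":
            names.append(vol.get("name"))
    return names


def tolerates_all_taints(pod_spec):
    """A toleration with operator Exists and no key matches every taint, control plane included."""
    return any(t.get("operator") == "Exists" and not t.get("key")
               for t in pod_spec.get("tolerations", []))


def audit_daemonset(ds):
    """Return (severity, reasons) for one DaemonSet; severity is None when nothing was found."""
    meta, spec = ds.get("metadata", {}), _pod_spec(ds)
    reasons, severity = [], None
    if meta.get("name") in INDICATOR_DAEMONSET_NAMES:
        reasons.append("DaemonSet name matches reported indicator")
        severity = "high"
    root_vols = set(host_root_volumes(spec))
    root_mounted = writable_root = False
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("name") in INDICATOR_CONTAINER_NAMES:
            reasons.append(f"container {c['name']!r} matches reported indicator")
            severity = "high"
        for m in c.get("volumeMounts", []):
            if m.get("name") in root_vols:
                mode = "read-only" if m.get("readOnly") else "writable"
                reasons.append(f"container {c['name']!r} mounts host root at {m.get('mountPath')} ({mode})")
                root_mounted, writable_root = True, writable_root or mode == "writable"
                if c.get("securityContext", {}).get("privileged"):
                    reasons.append(f"container {c['name']!r} is privileged")
    if root_mounted:
        if tolerates_all_taints(spec):
            reasons.append("blanket toleration: schedules on every node including control plane")
        # Read-only root mounts (monitoring agents do this) are worth a look but not an alarm.
        severity = "high" if (writable_root or severity == "high") else "review"
    return severity, reasons


def audit_daemonsets(dump):
    """Findings for every DaemonSet in a kubectl JSON list, high severity first."""
    findings = []
    for ds in dump.get("items", []):
        severity, reasons = audit_daemonset(ds)
        if severity:
            meta = ds.get("metadata", {})
            findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                             "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: f["severity"] != "high")


# Constructed sample dump (not real cluster output): a normal kube-proxy, a read-only
# node-exporter style root mount, and a DaemonSet shaped like the one the report describes.
SAMPLE_DUMP = {"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "tolerations": [{"operator": "Exists"}],
         "containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.29.0",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "lib-modules", "mountPath": "/lib/modules", "readOnly": True}]}],
         "volumes": [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}]}}}},
    {"metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "tolerations": [{"key": "node-role.kubernetes.io/control-plane", "operator": "Exists"}],
         "containers": [{"name": "node-exporter", "image": "quay.io/prometheus/node-exporter:v1.7.0",
                         "volumeMounts": [{"name": "root", "mountPath": "/host/root", "readOnly": True}]}],
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}},
    {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "tolerations": [{"operator": "Exists"}],
         "containers": [{"name": "kamikaze", "image": "PLACEHOLDER_IMAGE",  # image not given in report
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}],  # path assumed
         "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}}}},
]}

if __name__ == "__main__":
    import sys
    # Pass the path of a `kubectl get daemonsets -A -o json` dump, or run against the sample.
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for f in audit_daemonsets(dump):
        print(f"[{f['severity']}] {f['namespace']}/{f['name']}: " + "; ".join(f["reasons"]))
```

Run it against all namespaces rather than only `kube-system`: the name check is tied to the reported indicator, but the root-mount check is what catches a variant dropped under a different name or namespace.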

By adopting these measures, organizations can strengthen their defenses against the evolving tactics of threat actors like TeamPCP and protect their critical infrastructure from destructive cyberattacks.