Quick Facts
- Category: Cybersecurity
- Published: 2026-05-03 07:12:10
Introduction
In the ever-evolving landscape of cyber threats, a new and alarming campaign has emerged: the CanisterWorm wiper attack, orchestrated by the cybercrime group TeamPCP. This self-propagating worm specifically targets systems in Iran, wiping data on machines that match Iran's time zone or use Farsi as the default language. Understanding how this attack unfolds is crucial for defenders to build effective countermeasures. Below, we break down the attack into a step-by-step guide—not to enable malicious activity, but to illuminate the tactics, techniques, and procedures (TTPs) used by TeamPCP so organizations can protect their cloud environments.

What You Need (From the Attacker’s Perspective)
- Exposed Cloud Services: Unsecured Docker APIs, Kubernetes clusters, Redis servers, and systems vulnerable to the React2Shell exploit.
- Automation Framework: Tools to industrialize known vulnerabilities and misconfigurations—TeamPCP doesn't rely on novel exploits but on large-scale automation of existing attack techniques.
- Internet Computer Protocol (ICP) Canister: A smart contract ("canister") hosted on the Internet Computer blockchain, used as a tamper-resistant, takedown-resistant command-and-control endpoint for orchestrating campaigns and delivering payloads; the worm that calls home to it is the one dubbed "CanisterWorm".
- Credential Harvesting Infrastructure: Malicious payloads designed to steal SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets.
- Wiper Payload: A destructive component that triggers based on time zone (Iran) and locale (Farsi).
- Compromised Official Releases: Leveraging supply chain attacks (e.g., on the Trivy vulnerability scanner) to distribute credential-stealing malware.
Step-by-Step Attack Sequence
Step 1: Scan and Compromise Exposed Cloud Endpoints
TeamPCP begins by scanning the internet for poorly secured cloud infrastructure. Their primary targets include:
- Exposed Docker APIs (often left open without authentication)
- Kubernetes clusters with misconfigured control planes
- Redis servers that are accessible from the internet
- Systems with the React2Shell vulnerability (CVE-2023-XXXX, a known RCE in React applications)
Rather than exploiting endpoints on end-user devices, the group focuses on cloud control planes. According to security firm Flare, 97% of compromised servers belonged to Azure (61%) and AWS (36%). The attackers weaponize these exposed control planes using automated scanning scripts, allowing them to scale rapidly.
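The three services named above are exposed the same way on every victim: they answer on a port that should never face the internet without authentication. The following audit script is an added example written for this page, not TeamPCP tooling or code from any of the firms cited; it probes the Docker Engine API (plaintext port 2375), the Kubernetes API server (6443) and Redis (6379) on hosts you own and reports which of them answer unauthenticated requests. The ports, URL paths and the RESP `INFO` probe are the real defaults; the `get` and `exchange` parameters exist so the classification can be exercised against canned replies without a network.

```python
"""Exposure audit for the services Step 1 targets. Run only against hosts you own."""
import socket
import ssl
import urllib.error
import urllib.request

DOCKER_PORT = 2375      # plaintext Docker Engine API, as exposed by "-H tcp://0.0.0.0:2375"
KUBE_API_PORT = 6443    # Kubernetes API server
REDIS_PORT = 6379       # Redis default port


def http_get(url, timeout=3.0):
    """Real transport: returns (status, body). A None status means no HTTP answer at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # API servers usually run self-signed certs; we only probe reachability
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except (OSError, ValueError):
        return None, ""


def redis_exchange(host, port, payload, timeout=3.0):
    """Real transport: one raw RESP request, one reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(4096)
    except OSError:
        return b""


def check_docker(host, get=http_get):
    # /version is harmless to call, but a 200 proves the whole Engine API is open (containers, exec, volumes)
    status, body = get(f"http://{host}:{DOCKER_PORT}/version")
    if status == 200 and "ApiVersion" in body:
        return "docker: Engine API answers /version with no authentication"
    return None


def check_kube_api(host, get=http_get):
    # Listing pods needs authorization; a 200 for an anonymous client means anonymous-auth plus a broad RBAC grant
    status, body = get(f"https://{host}:{KUBE_API_PORT}/api/v1/pods")
    if status == 200 and '"PodList"' in body:
        return "kubernetes: API server lists pods for anonymous clients"
    return None


def check_redis(host, exchange=redis_exchange):
    reply = exchange(host, REDIS_PORT, b"*1\r\n$4\r\nINFO\r\n")
    if reply.startswith(b"$"):           # bulk-string reply: INFO executed, so no requirepass and no protected mode
        return "redis: INFO served without AUTH"
    # "-NOAUTH" (requirepass set) or "-DENIED" (protected mode) mean the server is defending itself
    return None


def audit(host, get=http_get, exchange=redis_exchange):
    """Returns the findings for one host; an empty list means nothing exposed."""
    findings = [check_docker(host, get), check_kube_api(host, get), check_redis(host, exchange)]
    return [f for f in findings if f]


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["127.0.0.1"]:
        for finding in audit(h) or ["no exposure found"]:
            print(f"{h}: {finding}")
```

Run it from a network position that matches what the internet sees (a host outside your VPC, or through the public IP), because a probe from inside the cluster network will pass even when the security group is wide open.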
Step 2: Deploy the CanisterWorm via ICP Canister
Once inside a cloud environment, the attackers deploy the CanisterWorm, a self-propagating module that takes its orders from an Internet Computer Protocol (ICP) canister. This blockchain-hosted smart contract serves as a tamper-resistant command-and-control (C2) endpoint. The worm is designed to:
- Self-replicate across the compromised network
- Automatically search for additional exposed cloud services (Docker, Kubernetes, Redis)
- Use the ICP canister to receive updates and new payloads
Because the canister lives on a decentralized blockchain rather than on a server that a registrar or hosting provider can seize, the C2 channel is resistant to takedown, which keeps compromised hosts reachable for new payloads long after the initial intrusion.
Step 3: Move Laterally and Harvest Credentials
After initial compromise, TeamPCP performs lateral movement within victim networks. They use standard post-exploitation techniques:
- Steal authentication credentials from local systems and cloud metadata services
- Extract SSH private keys, cloud provider API tokens, and Kubernetes service account tokens
- Harvest cryptocurrency wallet files and browser-stored passwords
The group often communicates with victims over Telegram to extort payment in exchange for not publishing stolen data. This dual approach (theft + ransom) is a hallmark of financially motivated cybercrime.
Notably, TeamPCP executed a supply chain attack on March 19, 2026, injecting credential-stealing malware into the official GitHub releases of Trivy, a vulnerability scanner by Aqua Security. This allowed them to compromise users who downloaded the infected tool, expanding their reach into organizations that trusted the official software.
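The harvesting step leaves a recognisable footprint: one process reads SSH keys, cloud credential files, kubeconfigs or service-account tokens, and wallet files within seconds of each other, which no legitimate tool does. The detector below is an added example for this page, not code from any firm cited or from TeamPCP's payloads. It consumes a constructed, simplified file-access feed (one JSON object per line with `ts`, `host`, `pid`, `comm`, `path`; map your EDR or auditd output onto that shape) and raises an alert when a single process touches two or more credential categories inside a 60-second window. The file-name patterns are common defaults for each credential type; extend them to your environment.

```python
"""Detection sketch for the credential-harvesting pattern in Step 3."""
import json
import re
from collections import defaultdict

# File categories the page says the payloads go after (default locations; extend as needed)
CREDENTIAL_PATTERNS = {
    "ssh_key":    re.compile(r"/\.ssh/(id_[a-z0-9]+|.*\.pem)$"),
    "cloud_cred": re.compile(r"/\.(aws/credentials|azure/.*\.json|config/gcloud/.*credentials.*)$"),
    "kube_token": re.compile(r"(/\.kube/config|/serviceaccount/token)$"),
    "wallet":     re.compile(r"/(wallet\.dat|\.electrum/wallets/.*|keystore/UTC--.*)$"),
    "browser_pw": re.compile(r"/(Login Data|logins\.json)$"),
}
WINDOW_SECONDS = 60
MIN_CATEGORIES = 2

# Constructed sample feed: web-01 shows the harvesting pattern, web-02 is routine admin use hours apart
SAMPLE_EVENTS = """
{"ts": 1700000000, "host": "web-01", "pid": 4242, "comm": "python3", "path": "/root/.ssh/id_ed25519"}
{"ts": 1700000003, "host": "web-01", "pid": 4242, "comm": "python3", "path": "/root/.aws/credentials"}
{"ts": 1700000007, "host": "web-01", "pid": 4242, "comm": "python3", "path": "/root/.kube/config"}
{"ts": 1700000010, "host": "web-01", "pid": 4242, "comm": "python3", "path": "/var/www/app.log"}
{"ts": 1700000100, "host": "web-02", "pid": 913, "comm": "sshd", "path": "/home/ops/.ssh/id_rsa"}
{"ts": 1700009000, "host": "web-02", "pid": 913, "comm": "sshd", "path": "/home/ops/.kube/config"}
"""


def classify(path):
    """Returns the credential category of a path, or None for ordinary files."""
    for name, rx in CREDENTIAL_PATTERNS.items():
        if rx.search(path):
            return name
    return None


def detect(lines, window=WINDOW_SECONDS, min_categories=MIN_CATEGORIES):
    """One alert per (host, pid, comm) whose reads span >= min_categories
    credential types within `window` seconds; other accesses are ignored."""
    per_proc = defaultdict(list)            # (host, pid, comm) -> [(ts, category, path)]
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        cat = classify(ev["path"])
        if cat:
            per_proc[(ev["host"], ev["pid"], ev["comm"])].append((ev["ts"], cat, ev["path"]))

    alerts = []
    for (host, pid, comm), events in per_proc.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):     # slide the window over this process's reads
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            cats = {e[1] for e in in_window}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "pid": pid, "comm": comm,
                               "categories": sorted(cats),
                               "paths": sorted({e[2] for e in in_window})})
                break                               # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['host']} pid={alert['pid']} ({alert['comm']}) read {alert['categories']}")
```

The window and category threshold are the tuning knobs: a backup agent legitimately reads many of these files, so allow-list its process name rather than widening the window.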
Step 4: Identify Iranian Systems via Time Zone and Locale
Before deploying the wiper, the CanisterWorm performs a conditional check. Using the victim machine’s system time zone and default language settings, it determines if the target is located in Iran:

- Time zone: Matches Iran Standard Time (UTC+3:30).
- Locale: Farsi (Persian) is set as the default language.
If both conditions are met, the worm proceeds to the wiper stage. This targeting is a heuristic, not a guarantee: it aims the destruction at Iranian systems, which limits collateral damage that might draw international attention, but a non-Iranian host configured with a Farsi locale and a Tehran clock would be hit, and an Iranian cloud server left on UTC with an English locale (a common server configuration) would be spared.
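Knowing the exact trigger conditions is useful in the lab: a sample that looks inert in a default sandbox may be waiting for a Tehran clock and a Farsi locale. The block below is an added example for this page; it reconstructs the predicate from the description above (time zone UTC+3:30 and a Farsi default language, both required), not from the worm's own code, and shows how to make a detonation sandbox satisfy it. It uses a POSIX `TZ` string so it works even without tzdata installed; the language-variable precedence (`LC_ALL` over `LC_MESSAGES` over `LANG`) is the C library's.

```python
"""Reconstruction of the Step 4 trigger predicate, plus a sandbox helper that satisfies it."""
import locale
import os
import time

IRAN_OFFSET_MINUTES = 3 * 60 + 30   # Iran Standard Time, UTC+3:30 (Iran has had no DST since 2022)


def current_utc_offset_minutes():
    """Local UTC offset as the C library reports it; independent of zoneinfo being installed."""
    return time.localtime().tm_gmtoff // 60


def current_language():
    """Effective UI language: the locale environment first, then the C library's setting."""
    for var in ("LC_ALL", "LC_MESSAGES", "LANG"):
        val = os.environ.get(var)
        if val:
            return val
    return locale.getlocale()[0] or ""


def is_farsi(language):
    """Accepts 'fa', 'fa_IR', 'fa_IR.UTF-8', 'fa-IR', 'fa_IR@calendar=persian' and the like."""
    tag = language.split(".")[0].split("@")[0]
    return tag == "fa" or tag.startswith(("fa_", "fa-"))


def would_trigger(offset_minutes, language):
    """Both conditions must hold: a Farsi locale on a Berlin clock, or a Tehran clock with
    an English locale, does not fire."""
    return offset_minutes == IRAN_OFFSET_MINUTES and is_farsi(language)


def emulate_iran_environment():
    """Make the current process (and children it spawns) look like the target.
    Use only inside a detonation sandbox. Returns whether the predicate now holds."""
    # POSIX TZ sign convention is inverted: 'IRST-3:30' means local time is UTC+3:30
    os.environ["TZ"] = "IRST-3:30"
    os.environ["LC_ALL"] = "fa_IR.UTF-8"   # LC_ALL wins over LANG, so a sandbox's LANG=C cannot mask it
    os.environ["LANG"] = "fa_IR.UTF-8"
    if hasattr(time, "tzset"):             # Unix only; Windows needs the clock set in the VM itself
        time.tzset()
    return would_trigger(current_utc_offset_minutes(), current_language())


if __name__ == "__main__":
    print("host matches trigger before emulation:",
          would_trigger(current_utc_offset_minutes(), current_language()))
    print("host matches trigger after emulation:", emulate_iran_environment())
```

Set the same two variables (and the VM's clock) on the sandbox before launching a suspected sample; the corollary for production is that a fleet standardised on UTC and a non-Farsi locale does not meet the trigger, though that is luck, not a control.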
Step 5: Execute the Wiper Payload
Once the conditions are verified, the wiper component activates. As described by security researcher Charlie Eriksen of Aikido, the behavior depends on the environment:
- If the victim has access to a Kubernetes cluster: The worm will destroy data on every node in that cluster. This can bring down entire containerized applications and persistent storage volumes.
- If no Kubernetes access is detected: The wiper wipes the local machine’s filesystem, making the system inoperable.
The wiper is destructive by design; the reporting summarized here does not detail how it overwrites or deletes data, so treat affected nodes and volumes as unrecoverable and plan on restoring from backup. The attack infrastructure used for this wiper campaign was the same as that employed in the Trivy supply chain attack, indicating a reuse of tooling across operations.
Tips for Defenders
- Secure your cloud control planes: Ensure that Docker APIs, Kubernetes clusters, and Redis servers are not exposed to the internet without authentication. Use firewalls, network policies, and VPNs to limit access.
- Monitor for unusual lateral movement: Deploy endpoint detection and response (EDR) tools and monitor cloud logs for anomalous credential usage, especially after a third-party software compromise like the Trivy incident.
- Verify software supply chain: check the checksum of every downloaded tool against a digest pinned out of band (recorded when the release was first vetted), and verify the release signature where the project publishes one. Pin CI actions and container images by digest rather than by mutable tag. Software composition analysis (SCA) inventories dependencies and known CVEs; it does not detect a tampered binary, so it complements these checks rather than replacing them.
- Alert on time-zone and locale reconnaissance: the trigger has to read the system time zone and default language, so a server process that unexpectedly queries or changes those settings is worth a detection rule. There is no defensive "geo-fence" here; the check belongs to the attacker, and the defender's job is to notice it.
- Use immutable infrastructure: run containers with read-only root filesystems (securityContext.readOnlyRootFilesystem) and enforce the restricted Pod Security Standard through Pod Security Admission (PodSecurityPolicy was removed in Kubernetes 1.25). Know the limit of this control: it hardens the workloads, but the wiper described above acts with stolen cluster credentials, so it also takes least-privilege RBAC (no service accounts that can delete nodes, namespaces or PersistentVolumeClaims) and backups in offline or isolated storage that the cluster's own credentials cannot reach.
- Stay informed about TeamPCP tactics: The group is relatively new (active since December 2025) but highly automated. Follow threat intelligence feeds from firms like Flare, Wiz, and Aikido for IoCs (indicators of compromise).
- Prepare an incident response plan: In case of a wiper attack, having an air-gapped backup and a rapid containment procedure can minimize data loss.
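The supply-chain tip deserves a concrete form, because the obvious check (compare the download with the checksums file on the same release page) fails against exactly the attack described above: whoever can replace the binary can regenerate the checksums file beside it. The verifier below is an added example for this page, not Aqua Security's or Trivy's own tooling; it parses a `sha256sum`-style checksums file, compares the artifact against it, and then compares the published checksum against a digest pinned out of band. The artifact name, its contents and the pinned digest in `demo()` are constructed for the demonstration.

```python
"""Release-artifact verification with an out-of-band pinned digest."""
import hashlib
import hmac
import os
import tempfile

# Constructed demo artifact: the "release" is the three bytes b"abc", whose SHA-256 is well known
GOOD_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
ARTIFACT = "scanner_1.0.0_Linux-64bit.tar.gz"   # hypothetical file name, not a real release


def sha256_file(path, chunk=1 << 20):
    """Streams the file so multi-hundred-megabyte releases do not get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text):
    """Parses 'sha256sum' lines: '<hex>  <name>' (two spaces) or '<hex> *<name>' (binary mode)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify(path, checksums_text, pinned_sha256):
    """Returns (status, detail). Status is 'ok', 'missing', 'tampered' or 'unpinned'.
    Both digest comparisons use compare_digest; the pin is what catches a release page
    where the binary and the checksums file were replaced together."""
    name = os.path.basename(path)
    published = parse_checksums(checksums_text).get(name)
    if published is None:
        return "missing", "file not listed in checksums file"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, published):
        return "tampered", "file does not match the published checksum"
    if not hmac.compare_digest(published, pinned_sha256.lower()):
        return "unpinned", "published checksum differs from the digest pinned for this version"
    return "ok", actual


def demo():
    """Constructed scenario: the vetted artifact, a swapped binary with the old checksums file,
    and a swapped binary whose attacker also regenerated the checksums file."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, ARTIFACT)
    with open(path, "wb") as f:
        f.write(b"abc")
    checksums = f"{GOOD_SHA256}  {ARTIFACT}\n"
    results = {"trusted": verify(path, checksums, GOOD_SHA256)[0]}

    with open(path, "wb") as f:
        f.write(b"abc\x00backdoor")             # attacker swaps the binary
    results["swapped_only"] = verify(path, checksums, GOOD_SHA256)[0]

    regenerated = f"{sha256_file(path)}  {ARTIFACT}\n"   # and republishes matching checksums
    results["swapped_with_regenerated_checksums"] = verify(path, regenerated, GOOD_SHA256)[0]
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario}: {status}")
```

The pinned digest is the part that takes discipline: record it when a version is first vetted (from a signed release, a second mirror, or a build you reproduced), store it in your own repository, and have CI fail closed on `unpinned` rather than log it.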
Understanding the enemy’s playbook is the first step toward building resilient defenses. The CanisterWorm attack shows how automation, exposed cloud services, and supply chain compromises can be combined into a devastating campaign—one that defenders must outthink and outpace.