CanisterWorm Malware - Attacks Docker and Kubernetes Environments

In brief: a new piece of malware called CanisterWorm is targeting Docker and Kubernetes environments to steal sensitive data. The group behind it, TeamPCP, exploits known vulnerabilities and cloud misconfigurations, affecting cloud users significantly. Organizations must act quickly to secure their systems and prevent data breaches.
What Happened
A financially motivated cybercrime group named TeamPCP has been quietly compromising cloud environments since late 2025. Their malware, known as CanisterWorm, is a self-propagating worm that targets poorly secured Docker APIs, Kubernetes clusters, and Redis servers. The worm exploits known vulnerabilities, such as the React2Shell flaw, to gain access to systems. Once inside, it moves laterally through networks, stealing credentials and extorting organizations via Telegram.
The scale of this campaign is alarming, with research indicating that 61% of compromised servers are on Azure, while 36% are on AWS. This means that 97% of affected infrastructures are cloud-based, highlighting the extensive reach of TeamPCP's operations. They do not rely on new exploits; instead, they weaponize existing vulnerabilities and cloud misconfigurations, creating a self-spreading ecosystem of crime.
Who's Being Targeted
Organizations running cloud workloads on Azure and AWS are particularly vulnerable to CanisterWorm. The worm's ability to exploit misconfigured cloud services makes it a significant threat to enterprises that may not have robust security measures in place. Additionally, TeamPCP's recent activity includes a supply chain attack against Trivy, a widely used vulnerability scanner. By injecting malware into official GitHub Actions releases, they harvested sensitive information like SSH keys and Kubernetes tokens from unsuspecting users.
This attack not only compromises individual users but also poses a risk to entire organizations, as the stolen credentials can lead to further exploitation and data breaches. The group has even boasted about accessing sensitive records from a major pharmaceutical company, indicating the high stakes involved.
Tactics & Techniques
One of the most innovative aspects of CanisterWorm is its use of Internet Computer Protocol (ICP) canisters for command and control. These blockchain-based smart contracts allow TeamPCP to host their infrastructure in a tamper-proof manner: as long as they pay the necessary fees, their canisters remain operational, so traditional takedowns are ineffective. This approach lets them evade law enforcement and hosting providers, who typically combat malware by seizing servers.
Moreover, TeamPCP has shown a remarkable ability to adapt. They rapidly modify their payloads, adding new features and even redirecting their canisters to unrelated content between attacks. This flexibility complicates detection and containment efforts for security teams, making it crucial for organizations to remain vigilant.
How to Protect Yourself
Organizations using Docker, Kubernetes, or Redis should immediately conduct audits of their configurations. Key actions include:
- Rotating SSH keys, cloud credentials, and Kubernetes tokens, especially if Trivy or KICS was used in CI/CD pipelines around March 19 to 23, 2026.
- Monitoring for lateral movement and locale-based behavior in containers to detect potential breaches early.
- Reviewing GitHub Actions workflows for unauthorized changes and enforcing strict access controls on cloud control planes.
By taking these proactive measures, organizations can significantly reduce their risk of falling victim to CanisterWorm and similar threats in the future.
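Part of the audit recommended above can be scripted. The following POSIX shell helper is an added example, not code from the article or from any of the projects it names: it flags GitHub Actions steps that reference an action by a mutable tag or branch instead of a full commit SHA (the control that limits damage when a published release is replaced), a Docker daemon.json that exposes the API over plain TCP without TLS, and a redis.conf with no requirepass. The file names, their contents and the commit SHA are constructed sample inputs.

```shell
#!/bin/sh
# Added audit helper, not from the article: flags three misconfigurations the
# recommendations above touch on. (1) GitHub Actions steps that reference an
# action by a mutable tag or branch rather than a full commit SHA, so a retagged
# release can ship new code; (2) a Docker daemon.json exposing the API over
# plain TCP without TLS; (3) a redis.conf with no password. All file contents
# below are constructed sample inputs (the SHA is a placeholder).

# Print each `uses:` reference not pinned to a 40-hex commit SHA;
# local actions (./path) and docker:// images are skipped.
unpinned_actions() {
  grep -E '^[[:space:]-]*uses:' "$1" \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]#].*$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}
count_unpinned() { unpinned_actions "$1" | grep -c . || true; }  # prints 0 when none

# EXPOSED when the daemon listens on tcp:// and neither tls nor tlsverify is true.
docker_api_status() {
  if grep -q 'tcp://' "$1" && ! grep -Eq '"tls(verify)?"[[:space:]]*:[[:space:]]*true' "$1"; then
    echo EXPOSED
  else
    echo ok
  fi
}

# NOAUTH when redis.conf has no active requirepass directive (comments ignored).
redis_auth_status() {
  if grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$1"; then
    echo ok
  else
    echo NOAUTH
  fi
}

# ---- constructed sample inputs --------------------------------------------
WORKDIR=$(mktemp -d)
cat >"$WORKDIR/ci.yml" <<'EOF'
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@master   # mutable branch
  - uses: ./.github/actions/local
  - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b   # placeholder SHA
EOF
printf '{ "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"] }\n' >"$WORKDIR/daemon.json"
printf '# requirepass secret\nprotected-mode no\nbind 0.0.0.0\n' >"$WORKDIR/redis.conf"
echo "unpinned:"; unpinned_actions "$WORKDIR/ci.yml"
echo "docker API: $(docker_api_status "$WORKDIR/daemon.json"); redis: $(redis_auth_status "$WORKDIR/redis.conf")"
```

Run it against real workflow, daemon.json and redis.conf paths instead of the sample files; a non-empty unpinned list, EXPOSED or NOAUTH each mark a setting worth fixing before rotating the credentials.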