Threat Intel · HIGH

Threat Intel - TeamPCP Unleashes Destructive Kubernetes Wiper

Source: Cyber Security News
Tags: TeamPCP · CanisterWorm · Kubernetes · Iran · malware

Basically, a hacker group is using a new tool to destroy computers in Iran.

Quick Summary

TeamPCP has launched a new Kubernetes wiper targeting Iranian systems. This shift from credential theft to destruction raises serious geopolitical concerns. Organizations must act swiftly to protect their systems from this evolving threat.

The Threat

TeamPCP, a threat actor previously known for less destructive tactics, has now deployed a Kubernetes wiper targeting systems configured for Iran. This marks a significant escalation in their cyber operations. The group has been active since late 2025, initially focusing on credential theft and backdoor installations. However, their latest payload goes beyond mere data theft, aiming to wipe systems entirely.

The wiper, identified as part of the CanisterWorm campaign, uses a sophisticated decision-making process to determine its target. It checks the system's timezone and locale settings to identify whether it is operating within Iran. If confirmed, the malware executes a complete wipe of the system, showcasing a calculated approach to cyber warfare.

Who's Behind It

The TeamPCP group has gained notoriety for exploiting misconfigured Docker APIs and Kubernetes clusters. Their earlier tactics involved stealthy operations, but the introduction of this wiper indicates a shift towards more aggressive and destructive methods. This change highlights their evolving capabilities and intent.

The payload is delivered through rotating Cloudflare tunnel domains, complicating detection and blocking efforts. The initial version pointed to a single file, but later iterations split the logic into two files, enhancing the malware's stealth and effectiveness. The new approach allows it to decide whether to wipe a system or install a backdoor based on its geographical location.

Tactics & Techniques

The core of the kamikaze attack relies on a decision tree that evaluates two key variables: whether the host is in a Kubernetes cluster and if it is configured for Iran. If both conditions are met, the malware deploys a DaemonSet that mounts the host filesystem and deletes all data. For non-Iranian systems, it resorts to installing the CanisterWorm backdoor, allowing the attackers to maintain access without detection.

This method of operation underscores the precision of the attack. The wiper is not a random threat; it is designed to target specific systems while remaining dormant on others. This dual approach enhances the effectiveness of TeamPCP's campaign, making it a serious threat in the cybersecurity landscape.

Defensive Measures

Organizations should take immediate action to protect against this threat. Security teams are advised to audit all DaemonSets in the kube-system namespace for unexpected entries, particularly any related to host-provisioner. Additionally, blocking outbound connections to icp0.io domains and closing Docker API access on port 2375 are both crucial.

Regularly rotating SSH keys and reviewing authentication logs can help identify any signs of unusual activity. By implementing these measures, organizations can mitigate the risks posed by TeamPCP and similar threat actors, safeguarding their systems from potential destruction.
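The DaemonSet audit recommended above, and the host-filesystem mount described under Tactics & Techniques, can be checked together with a small script over the output of `kubectl get daemonsets -n kube-system -o json`. This is an added example, not code from the article or from any vendor tooling; the sample DaemonSet list and the `EXPECTED_NAMES` baseline are constructed for illustration, and each cluster needs its own baseline.

```python
import json

# Constructed sample of `kubectl get daemonsets -n kube-system -o json` (not real
# cluster data): one ordinary add-on and one DaemonSet shaped like the wiper
# described in the article (hostPath "/" mounted into a privileged container).
SAMPLE_DS_LIST = json.dumps({"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}],
         "containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.30.0",
                         "securityContext": {"privileged": True}}]}}}},
    {"metadata": {"name": "host-provisioner", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "init", "image": "alpine:latest",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}},
]})

# Hypothetical allowlist of DaemonSet names this cluster expects in kube-system.
EXPECTED_NAMES = {"kube-proxy"}


def audit_daemonsets(ds_list_json, expected=EXPECTED_NAMES):
    """Return [(name, [reasons])] for DaemonSets that need a human look."""
    findings = []
    for item in json.loads(ds_list_json).get("items", []):
        name = item["metadata"]["name"]
        pod = item["spec"]["template"]["spec"]
        # hostPath "/" (with or without trailing slash) exposes the whole host filesystem.
        root_vols = [v["name"] for v in pod.get("volumes", [])
                     if v.get("hostPath", {}).get("path", "x").rstrip("/") == ""]
        privileged = [c["name"] for c in pod.get("containers", [])
                      if c.get("securityContext", {}).get("privileged")]
        # Baseline members are accepted unless they suddenly mount the host root.
        if name in expected and not root_vols:
            continue
        reasons = []
        if name not in expected:
            reasons.append("not in the expected baseline")
        reasons += [f"volume {v!r} is a hostPath to /" for v in root_vols]
        reasons += [f"container {c!r} runs privileged" for c in privileged]
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_daemonsets(SAMPLE_DS_LIST):
        print(f"{name}: " + "; ".join(reasons))
```

Feed it real output with `kubectl get daemonsets -n kube-system -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`; anything it reports should be compared against your change records before being deleted.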

🔒 Pro insight: TeamPCP's targeted approach indicates a growing trend in cyber warfare, where geopolitical motives drive destructive cyber operations.

Original article from

Cyber Security News · Tushar Subhra Dutta
