databreaches.net 3/27/2026, 2:58:52 PM

‘CanisterWorm’ Springs Wiper Attack Targeting Iran. But why?

CyberSIXT Evidence Panel
Threat Actor: TeamPCP

A DataBreaches[.]net summary, citing KrebsOnSecurity[.]com, reports that a financially motivated data theft and extortion group is attempting to inject itself into the Iran war by unleashing a worm. The worm spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language. Experts say the wiper campaign materialised this past weekend and came from a relatively new cybercrime group known as TeamPCP.

In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability, and then attempted to move laterally through victim networks to siphon authentication credentials and extort victims over Telegram. The article raises questions about potential Israeli links among members and whether the activity also targets US government entities. DataBreaches[.]net notes its curiosity about the human motivations behind these actions and has sought a response from TeamPCP.

Article by CyberSIXT