krebsonsecurity.com 3/23/2026, 4:14:29 PM

‘CanisterWorm’ Springs Wiper Attack Targeting Iran


A new wiper campaign dubbed CanisterWorm targets Iran by using a self-propagating worm that spreads through exposed cloud services and wipes data on systems set to Iran’s timezone or with Farsi as the default language. The operation, attributed to a relatively new cybercrime group known as TeamPCP, began in December 2025 with attacks on Docker APIs, Kubernetes clusters and Redis servers and with exploitation of the React2Shell vulnerability, followed by lateral movement to steal credentials and extort victims.

According to Flare, the group weaponises exposed control planes rather than endpoints, focusing on cloud infrastructure over end-user devices: Azure accounts for 61% and AWS for 36% of compromised servers. Aikido[.]dev’s Charlie Eriksen noted that the worm’s payload can destroy data on every node in a Kubernetes cluster if the timezone matches Iran, or simply wipe the local machine otherwise.

The attackers’ CanisterWorm infrastructure is linked to an ICP canister, which the group uses to orchestrate campaigns and keep downloads available even under takedown attempts.


Article by CyberSIXT