A threat actor known as TeamPCP has escalated its operations by deploying a destructive Kubernetes wiper targeting Iranian environments. Previously focused on persistence and credential theft, the group has now shifted toward full system destruction in selected targets. 
Security researchers observed that the updated CanisterWorm payload selectively wipes systems configured for Iran while continuing traditional backdoor activity elsewhere.
Evolution of TeamPCP Operations
TeamPCP has been active since late 2025, initially exploiting:
- Misconfigured Docker APIs
- Kubernetes clusters
- CI/CD pipelines
Earlier campaigns focused on:
- Installing backdoors
- Maintaining persistence
- Stealing credentials
The new payload marks a clear shift toward destructive intent.
Targeted Geopolitical Logic
The malware performs environment checks before execution. It identifies Iranian systems by examining:
- Timezone settings (Asia/Tehran)
- Locale configuration (fa_IR)
- Regional identifiers
If the system matches Iranian settings, the malware triggers destructive behavior.
Otherwise, it installs the standard CanisterWorm backdoor.
Command-and-Control Infrastructure
Researchers from Aikido Security linked the new payload to existing CanisterWorm infrastructure.
The campaign reuses:
- ICP-based command-and-control servers
- /tmp/pglog drop path
- Kubernetes DaemonSet lateral movement
- Shared backdoor code
These indicators confirm this is an evolution of the same operation.
Multi-Stage Payload Delivery
The attack is delivered through rotating Cloudflare tunnel domains.
Execution chain:
- Shell script downloader (kamikaze.sh)
- Python payload (kube.py)
- Environment detection logic
- Conditional destructive or persistent behavior
The stager deletes itself to evade detection.
Kubernetes Cluster Destruction
When executed inside Kubernetes on Iranian systems, the malware:
- Deploys a DaemonSet named host-provisioner-iran
- Mounts host root filesystem
- Deletes system files
- Forces reboot
Because the DaemonSet runs on all nodes, a single deployment can wipe an entire cluster.
Non-Kubernetes Wiper Behavior
If Kubernetes is not present, the malware directly executes:
- rm -rf / –no-preserve-root
It attempts:
- Root privileges
- Passwordless sudo
- User-level file destruction
This ensures maximum damage even with limited permissions.
Self-Spreading Variant
A newer version adds propagation capabilities:
- Parses SSH authentication logs
- Steals private SSH keys
- Scans network for Docker API on port 2375
- Spreads laterally
Both propagation paths deliver the same logic: destruction or backdoor installation.
Indicators of Compromise
Security teams should check for:
- Suspicious DaemonSets in kube-system namespace
- host-provisioner-iran
- host-provisioner-std
- /tmp/pglog processes
- /var/lib/pgmon/pgmon.py file
- systemd services named internal-monitor
- systemd services named pgmonitor
Infrastructure Blocking Recommendations
Organizations should:
- Block outbound connections to ICP domains
- Close Docker API port 2375
- Rotate SSH keys
- Audit SSH logs
- Monitor Kubernetes DaemonSet deployments
Why This Attack Is Dangerous
This campaign introduces:
- Geopolitical targeting
- Kubernetes-native destruction
- Automated lateral movement
- Dual-purpose malware logic
- Cloud-native attack sophistication
The targeted destruction model represents a major escalation.
Key Takeaways
- TeamPCP deployed destructive Kubernetes wiper
- Iranian systems specifically targeted
- Entire clusters can be wiped via DaemonSet
- Self-spreading variant discovered
- Immediate Kubernetes security review required
Conclusion
The evolution of CanisterWorm into a geopolitically targeted Kubernetes wiper highlights the growing risk to cloud-native infrastructure. Organizations operating containerized environments must secure Docker APIs, audit cluster configurations, and monitor for unusual DaemonSet activity to prevent destructive attacks.
