CanisterWorm turns destructive as TeamPCP deploys Iran-focused Kubernetes wiper


TeamPCP has taken a more aggressive step in its cloud attacks. Researchers say the group now uses a destructive payload that wipes systems when it detects signs of an Iranian environment, while non-Iranian targets get the CanisterWorm backdoor instead.

That change matters because it shows a clear split in the attacker’s goals. In one case, the malware keeps access and supports persistence. In the other, it aims to destroy the target outright. Aikido Security linked the new payload to the wider CanisterWorm campaign through the same ICP canister command infrastructure, the same drop path, and the same Kubernetes-oriented movement pattern.

Aikido says TeamPCP has operated as a cloud-native threat actor since late 2025, with past activity focused on misconfigured Docker APIs, Kubernetes clusters, and CI/CD environments. The latest findings, published in March 2026, suggest the group has moved beyond stealth and now includes selective wiping in its toolkit.

The malware reportedly checks timezone and locale data before it decides what to do next. Systems showing indicators such as Asia/Tehran, Iran, or fa_IR get pushed toward destructive logic, while other systems receive the CanisterWorm backdoor path.

What researchers found

Aikido says the payload arrived through rotating Cloudflare tunnel domains. Early versions used a single shell script named kamikaze.sh, while later versions split the job into a shell stager and a Python script called kube.py. That second stage handled the logic that determined whether the target should be wiped or backdoored.

The same report says the malware still relies on infrastructure tied to Internet Computer Protocol canisters. That overlap helped researchers connect the latest destructive branch back to earlier CanisterWorm activity.

How the malware behaves

| Target type | Reported behavior | Impact |
|---|---|---|
| Iranian system inside Kubernetes | Deploys a DaemonSet named host-provisioner-iran and attempts to wipe nodes | One malicious deployment can spread cluster-wide |
| Iranian system outside Kubernetes | Runs destructive filesystem wipe logic | A single Linux host can be rendered unusable |
| Non-Iranian target | Installs the CanisterWorm backdoor | The actor keeps access for persistence or later actions |
| Later variant | Adds self-spread through SSH material and exposed Docker APIs | The attack can move faster across weak environments |

Why Kubernetes matters here

Kubernetes DaemonSets are powerful because they place a copy of a pod across all or selected nodes in a cluster. Kubernetes documentation says a DaemonSet ensures that all or some nodes run a copy of a pod, which makes it useful for legitimate cluster-wide services but also very dangerous when abused by an attacker.

Aikido says the wiper uses DaemonSets with tolerations so the malicious workload can also reach control-plane nodes. In practice, that means one bad deployment could spread quickly across a cluster and damage far more than a single container or worker node.

Why Docker exposure still creates risk

A later variant reportedly scanned for exposed Docker APIs on port 2375 and used those openings to help spread. Docker’s official documentation warns that remote access over TCP can expose the daemon directly and notes that port 2375 is commonly used for insecure, non-TLS access, while secure TLS connections typically use port 2376.

Docker also recommends protecting daemon access with SSH or TLS. That matters here because an exposed daemon can give an attacker broad control over containers and the underlying host.
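To make the port 2375 point concrete, here is an added example (not code from the article, from Aikido, or from Docker's documentation) that audits the `hosts` list of a Docker `daemon.json` and reports TCP listeners that run without mutual TLS. The two configurations are constructed samples: the first is the weak setting the article warns about, the second keeps remote access but only over TLS with client verification on 2376. The certificate paths are placeholders.

```python
"""Audit a Docker daemon.json for insecure remote API exposure.

Added example, not part of the article or of Docker's own tooling. It
inspects the daemon's "hosts" list and flags plain-TCP listeners.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: remote API reachable on the conventional plain-text port.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: remote API only over TLS with client certificates
# required ("tlsverify"); certificate paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_docker_daemon_config(text: str) -> list[str]:
    """Return findings for a daemon.json document; an empty list means no
    plain-TCP exposure was found."""
    cfg = json.loads(text)
    findings = []
    tls_on = bool(cfg.get("tls"))
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        bind = parts.hostname or "all interfaces"
        if not tls_verify:
            # "tls" alone encrypts the channel but does not authenticate
            # clients; only "tlsverify" requires a trusted client certificate.
            how = "encrypted but unauthenticated" if tls_on else "plain text, unauthenticated"
            findings.append(f"{host}: TCP API listener on {bind} without tlsverify ({how})")
        if parts.port == 2375:
            findings.append(f"{host}: port 2375 is the conventional non-TLS Docker API port")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for finding in audit_docker_daemon_config(doc) or ["no TCP exposure findings"]:
            print("  -", finding)
```

Run it against a copy of `/etc/docker/daemon.json`; a daemon started with `-H tcp://...` on the command line instead of through `daemon.json` would need the same check applied to the service's unit file.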

Why defenders should pay attention

This campaign combines cloud-native targeting, selective logic, and destructive behavior. It does not simply drop one payload everywhere. It fingerprints the target first, then decides whether to maintain access or destroy the system. That approach makes it harder to treat as a routine backdoor case.

NSA and CISA have already warned that Kubernetes environments need stronger hardening because attackers target them for data theft, abuse, and service disruption. Their guidance recommends scanning for vulnerabilities and misconfigurations, enforcing least privilege, using network separation and firewalls, applying strong authentication, and auditing logs. Those steps fit this case directly.

What security teams should check now

  • Audit all DaemonSets, especially in kube-system, for unusual names such as host-provisioner-iran or host-provisioner-std. Aikido specifically identified those names in the campaign.
  • Review systems for suspicious services such as internal-monitor or pgmonitor, and inspect paths like /var/lib/pgmon/pgmon.py and /tmp/pglog. Researchers tied those artifacts to the attack chain.
  • Check for outbound connections to icp0.io infrastructure linked to the reported command-and-control setup.
  • Close or protect Docker API exposure on port 2375. Docker says insecure TCP access should not remain open without proper protection.
  • Rotate SSH keys on potentially exposed systems and inspect SSH authentication logs for unusual movement between hosts. Aikido says the later variant used SSH material to spread.
  • Tighten Kubernetes privileges and review workload permissions. NSA and CISA recommend least privilege and regular auditing to reduce cluster risk.

Key indicators to hunt for

  • Unexpected DaemonSets in kube-system
  • Unusual pods mounting host root filesystems
  • Strange activity involving /tmp/pglog
  • New services named internal-monitor or pgmonitor
  • Unexpected Docker API traffic on port 2375
  • SSH key access that does not match normal admin behavior
  • Outbound calls to suspicious icp0.io or rotating tunnel infrastructure
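The DaemonSet checks in the checklist and indicator list above can be turned into a repeatable audit. The following is an added example, not code from the article or from Aikido: it walks a JSON document shaped like the output of `kubectl get daemonsets -A -o json` (a constructed two-item sample is embedded so it runs offline) and flags the names Aikido reported, DaemonSets in `kube-system` that are not on an allowlist, tolerations that let pods schedule onto control-plane nodes, `hostPath` volumes that mount the node's root filesystem, and privileged containers. The allowlist and the sample cluster contents are assumptions.

```python
"""Audit Kubernetes DaemonSets for the abuse patterns described in the article.

Added example, not part of the article or of Aikido's research. Feed it
the JSON from `kubectl get daemonsets -A -o json`; a constructed sample
is embedded below so the script runs stand-alone.
"""
import json

# DaemonSet names Aikido tied to the campaign.
REPORTED_NAMES = {"host-provisioner-iran", "host-provisioner-std"}

# Assumed allowlist for kube-system; replace with what your cluster really runs.
KUBE_SYSTEM_ALLOWLIST = {"kube-proxy", "calico-node"}

# Taints whose toleration lets a pod land on control-plane nodes.
CONTROL_PLANE_TAINTS = {
    "node-role.kubernetes.io/control-plane",
    "node-role.kubernetes.io/master",
}

# Constructed sample: a normal kube-proxy and one DaemonSet matching the
# reported pattern (reported name, control-plane toleration, root hostPath).
SAMPLE_DAEMONSETS_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
            "spec": {"template": {"spec": {
                "tolerations": [{"operator": "Exists"}],
                "volumes": [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}],
                "containers": [{"name": "kube-proxy", "securityContext": {"privileged": True}}],
            }}},
        },
        {
            "metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
            "spec": {"template": {"spec": {
                "tolerations": [{"key": "node-role.kubernetes.io/control-plane",
                                 "operator": "Exists", "effect": "NoSchedule"}],
                "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                "containers": [{"name": "provisioner", "securityContext": {"privileged": True}}],
            }}},
        },
    ]
})


def tolerates_control_plane(tolerations: list) -> bool:
    """True if any toleration admits the pod onto control-plane nodes."""
    for tol in tolerations:
        key = tol.get("key")
        if key is None and tol.get("operator") == "Exists":
            return True  # blanket toleration of every taint
        if key in CONTROL_PLANE_TAINTS:
            return True
    return False


def audit_daemonsets(text: str) -> dict:
    """Map 'namespace/name' to a list of findings for every DaemonSet that has any."""
    report = {}
    for item in json.loads(text).get("items", []):
        name = item["metadata"]["name"]
        ns = item["metadata"]["namespace"]
        pod = item.get("spec", {}).get("template", {}).get("spec", {})
        findings = []
        if name in REPORTED_NAMES:
            findings.append("name matches a DaemonSet reported in the TeamPCP campaign")
        elif ns == "kube-system" and name not in KUBE_SYSTEM_ALLOWLIST:
            findings.append("unexpected DaemonSet in kube-system")
        if tolerates_control_plane(pod.get("tolerations", [])):
            findings.append("tolerations allow scheduling onto control-plane nodes")
        for vol in pod.get("volumes", []):
            if vol.get("hostPath", {}).get("path") == "/":
                findings.append(f"hostPath volume '{vol.get('name')}' mounts the node root filesystem")
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"container '{c.get('name')}' runs privileged")
        if findings:
            report[f"{ns}/{name}"] = findings
    return report


if __name__ == "__main__":
    for ds, findings in audit_daemonsets(SAMPLE_DAEMONSETS_JSON).items():
        print(ds)
        for f in findings:
            print("  -", f)
```

Legitimate node agents such as kube-proxy will also show control-plane tolerations and privileged containers, which is why the allowlist only suppresses the name check: the structural findings still surface so a workload that merely copies a trusted name is not hidden, and the combination of a root `hostPath` mount with a control-plane toleration on an unfamiliar name is the pattern to escalate.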

What this means

TeamPCP appears to have moved from persistence-only operations into selective destruction. The new CanisterWorm branch gives the actor a flexible tool that can either stay hidden or wipe systems, depending on what it finds on the host.

For defenders, the lesson is direct. Lock down Docker remote access, watch Kubernetes DaemonSets closely, reduce privileges, and treat unusual node-wide deployments as a potential incident right away. The same cluster features that help operators manage infrastructure can also help attackers scale damage very quickly.

FAQ

What is CanisterWorm?

Aikido uses CanisterWorm to describe TeamPCP malware activity that relies on Internet Computer Protocol canisters for command and control. The latest branch adds selective destructive behavior to that campaign.

Who does the wiper target?

Researchers say the malware checks timezone and locale settings for signs of an Iranian environment, including Asia/Tehran, Iran, and fa_IR. If those indicators match, the destructive path starts.

Why are DaemonSets so dangerous in this case?

Kubernetes says a DaemonSet places a copy of a pod on all or some nodes. If an attacker abuses that feature, one malicious deployment can spread across a cluster quickly.

Why is port 2375 important?

Docker documentation says port 2375 is commonly used for insecure, non-TLS daemon access. If it stays exposed, an attacker may gain powerful remote control over containers and hosts.

What should admins do first?

Start by auditing DaemonSets, locking down Docker remote access, reviewing logs, rotating SSH keys on exposed systems, and tightening Kubernetes privileges. NSA and CISA also recommend scanning for misconfigurations and enforcing least privilege.
