PROBABLYPWNED
Malware · March 23, 2026 · 4 min read

CanisterWorm Adds Iran-Targeting Kubernetes Wiper

TeamPCP's supply chain attack expands with a Kubernetes wiper that detects Iranian systems via timezone and locale, wiping clusters while backdooring everyone else.

James Rivera

The TeamPCP supply chain attack we covered Friday has evolved into something far more destructive. Security researchers at Aikido discovered that CanisterWorm now includes a Kubernetes wiper payload that specifically targets Iranian infrastructure, wiping entire clusters while deploying backdoors to systems everywhere else.

TL;DR

  • What's new: TeamPCP added a destructive wiper to CanisterWorm targeting Iranian Kubernetes clusters
  • How it spreads: Poisoned Docker Hub images (0.69.4-0.69.6) and lateral movement via SSH/Docker API
  • Iran targeting: Detects Iranian systems via timezone/locale, then wipes all nodes including control plane
  • Collateral damage: 44 internal Aqua Security repositories defaced, proprietary source code exposed

Docker Hub Distribution

TeamPCP pushed three poisoned Trivy images to Docker Hub without corresponding GitHub releases:

  • aquasec/trivy:0.69.4 - Initial malicious version
  • aquasec/trivy:0.69.5 - Published March 22, 2026
  • aquasec/trivy:0.69.6 - Also March 22, 2026

The attackers pointed the :latest tag at 0.69.6, meaning any CI/CD pipeline pulling aquasec/trivy:latest silently ran an infostealer. Socket security researcher Philipp Burckhardt confirmed: "Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign."

The images have since been removed from Docker Hub.

How the Iran-Targeting Works

The wiper payload uses three methods to identify Iranian systems:

  1. Timezone file: Checks if /etc/timezone contains "Asia/Tehran" or "Iran"
  2. Locale environment: Looks for LANG containing "fa_IR" (Farsi/Iran)
  3. Fallback detection: Parses timedatectl output for Iranian timezone settings

What happens next depends on what it finds.

On Iranian Kubernetes Clusters

The malware deploys a DaemonSet named host-provisioner-iran with a container called kamikaze that:

  • Mounts the host root filesystem to /mnt/host
  • Executes: find /mnt/host -maxdepth 1 -not -name 'mnt' -exec rm -rf {} +
  • Force reboots via reboot -f
  • Uses tolerations: [operator: Exists] to target every node, including control plane

The result is complete cluster destruction.
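A name-agnostic hunt for this DaemonSet shape, as an added example (not code from the article, Aikido or Aqua): it reads the parsed output of `kubectl get daemonsets -A -o json` and flags any DaemonSet that mounts the host root filesystem and tolerates every taint, alongside the reported names. The JSON sample is constructed.

```python
import json

# Names reported in the article; the structural checks below don't need them.
IOC_DS_NAMES = {"host-provisioner-iran", "host-provisioner-std"}
IOC_CONTAINERS = {"kamikaze"}

def tolerates_everything(pod_spec):
    # An Exists toleration with no key matches every taint, including the
    # control-plane NoSchedule taint, so the pod lands on every node.
    return any(t.get("operator") == "Exists" and not t.get("key")
               for t in pod_spec.get("tolerations", []))

def mounts_host_root(pod_spec):
    # True if a hostPath volume for "/" exists and some container mounts it.
    root_vols = {v["name"] for v in pod_spec.get("volumes", [])
                 if v.get("hostPath", {}).get("path") == "/"}
    return any(m.get("name") in root_vols
               for c in pod_spec.get("containers", [])
               for m in c.get("volumeMounts", []))

def suspicious_daemonsets(ds_list):
    """Return [(namespace, name, [reasons])] from parsed 'kubectl get ds -A -o json'."""
    findings = []
    for ds in ds_list.get("items", []):
        meta, spec = ds["metadata"], ds["spec"]["template"]["spec"]
        reasons = []
        if meta["name"] in IOC_DS_NAMES:
            reasons.append("IOC DaemonSet name")
        if IOC_CONTAINERS & {c["name"] for c in spec.get("containers", [])}:
            reasons.append("IOC container name")
        if mounts_host_root(spec) and tolerates_everything(spec):
            reasons.append("mounts host / and tolerates every taint")
        if reasons:
            findings.append((meta["namespace"], meta["name"], reasons))
    return findings

# Constructed sample: one ordinary DaemonSet and one shaped like the wiper.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "kube-system", "name": "kube-proxy"},
  "spec": {"template": {"spec": {"containers": [{"name": "kube-proxy"}]}}}},
 {"metadata": {"namespace": "default", "name": "host-provisioner-iran"},
  "spec": {"template": {"spec": {
    "tolerations": [{"operator": "Exists"}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "kamikaze",
      "volumeMounts": [{"name": "host", "mountPath": "/mnt/host"}]}]}}}}]}""")

if __name__ == "__main__":
    for ns, name, why in suspicious_daemonsets(SAMPLE):
        print(f"{ns}/{name}: {'; '.join(why)}")
```

A renamed copy of the wiper DaemonSet would still trip the structural check, which is the point of not relying on names alone.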

On Non-Kubernetes Iranian Hosts

Systems without Kubernetes simply receive: rm -rf / --no-preserve-root

On Everyone Else

Non-Iranian systems get the standard CanisterWorm backdoor installed as a systemd service, connecting back to the blockchain-based C2 infrastructure.

Lateral Movement Capabilities

A third variant adds aggressive lateral movement:

  • SSH exploitation: Parses /var/log/auth.log for successful logins, then uses stolen SSH keys to spread
  • Docker API abuse: Scans for exposed Docker daemons on port 2375 to create privileged containers
  • Subnet scanning: Tests the local /24 network using default usernames (root, ubuntu, admin, ec2-user)

This mirrors lateral movement patterns seen in the GlassWorm supply chain attack earlier this month.

44 Aqua Repositories Defaced

The attack also compromised Aqua Security's internal infrastructure. On March 22 between 20:31 and 20:32 UTC, TeamPCP defaced 44 repositories in the "aquasec-com" organization, renaming them with a "tpcp-docs-" prefix.

Exposed proprietary source code includes:

  • Tracee runtime security engine
  • Kubernetes operators
  • CI/CD pipeline configurations

The access came through a compromised service account: "Argon-DevOps-Mgt" (GitHub ID 139343333, created July 12, 2023).

New Indicators of Compromise

In addition to the IOCs from our earlier coverage, researchers identified:

Network infrastructure:

  • souls-entire-defined-routes.trycloudflare.com
  • investigation-launches-hearings-copying.trycloudflare.com
  • championships-peoples-point-cassette.trycloudflare.com

Kubernetes artifacts:

  • DaemonSets: host-provisioner-iran, host-provisioner-std
  • Systemd services: internal-monitor, pgmonitor

Host paths:

  • /var/lib/svc_internal/runner.py
  • /var/lib/pgmon/pgmon.py
  • /tmp/pglog, /tmp/.pg_state

Why Target Iran?

Brian Krebs reports that TeamPCP's motivation remains unclear. Aikido researcher Charlie Eriksen suggests "there's a chance this whole Iran thing is just their way of getting attention."

The group previously operated as a financially motivated extortion outfit targeting cloud infrastructure (Azure: 61%, AWS: 36%). This geopolitically targeted destruction marks a significant escalation, though whether it represents ideology, a contract, or showboating remains unknown.

The timing is notable given that Iranian threat actors have been active in the opposite direction, with Unit 42 recently documenting an Android surveillance campaign targeting Israeli users.

Recommended Actions

If you run Trivy in your environment:

  1. Verify image digests - Don't trust tags; pin to specific SHA256 digests from before March 19
  2. Search for Iran-targeting DaemonSets - Look for host-provisioner-iran or host-provisioner-std
  3. Check systemd services - Hunt for internal-monitor or pgmonitor on worker nodes
  4. Audit Docker API exposure - Block port 2375 if not required
  5. Block Cloudflare tunnel domains - Add the three trycloudflare.com domains to blocklists
  6. Rotate all credentials that may have passed through Trivy-enabled pipelines
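An added example for steps 1 and 3 (not tooling from the article or from Aqua): it classifies every aquasec/trivy reference found in pipeline text as digest-pinned, mutable-tag or one of the poisoned tags, and sweeps a node for the listed host paths and service unit files (assumed to live under /etc/systemd/system). The pipeline fragment and the digest are constructed placeholders.

```python
import os
import re

# Tags the article reports as poisoned; :latest was pointed at 0.69.6.
POISONED_TAGS = {"0.69.4", "0.69.5", "0.69.6", "latest"}
IOC_PATHS = ["/var/lib/svc_internal/runner.py", "/var/lib/pgmon/pgmon.py",
             "/tmp/pglog", "/tmp/.pg_state"]
IOC_UNITS = ["internal-monitor", "pgmonitor"]
# Docker-style reference: optional registry, aquasec/trivy, then :tag or @digest.
TRIVY_REF = re.compile(
    r"(?P<ref>(?:[\w.-]+(?::\d+)?/)?aquasec/trivy"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64})|:(?P<tag>[\w][\w.-]*))?)")

def classify_ref(tag, digest):
    """'pinned' (digest), 'poisoned' (listed tag or implicit latest) or 'mutable'."""
    if digest:
        return "pinned"   # still confirm the digest predates March 19
    if tag is None or tag in POISONED_TAGS:
        return "poisoned"
    return "mutable"      # any other tag can be repointed; pin it

def audit_pipeline(text):
    """Return [(line_no, ref, verdict)] for each aquasec/trivy reference in text."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in TRIVY_REF.finditer(line):
            out.append((no, m["ref"], classify_ref(m["tag"], m["digest"])))
    return out

def host_indicators(root="/"):
    """Return the IOC files and unit files (assumed in /etc/systemd/system) present under root."""
    units = [f"/etc/systemd/system/{u}.service" for u in IOC_UNITS]
    return [p for p in IOC_PATHS + units
            if os.path.exists(os.path.join(root, p.lstrip("/")))]

# Constructed CI snippet; the digest is a placeholder, not a real Trivy digest.
SAMPLE = """\
# constructed pipeline fragment
- uses: docker://aquasec/trivy:latest
image: aquasec/trivy:0.69.5
image: ghcr.io/aquasec/trivy:0.68.0
image: aquasec/trivy@sha256:""" + "0" * 64

if __name__ == "__main__":
    for no, ref, verdict in audit_pipeline(SAMPLE):
        print(f"line {no}: {verdict:8} {ref}")
    print("host indicators present:", host_indicators() or "none")
```

Run audit_pipeline over your workflow and Dockerfile sources, and host_indicators on each worker node; a "mutable" verdict is a reason to pin, not proof of compromise.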

The good news, according to Eriksen: "There is no reliable way to tell whether TeamPCP's wiper actually succeeded." The bad news is that CanisterWorm continues spreading through compromised npm tokens, and the blockchain-based C2 infrastructure remains resistant to takedown.
