Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/Threats/New CanisterWorm Malware Targets Docker, Kubernetes, Redis for Secret Theft
Threats

New CanisterWorm Malware Targets Docker, Kubernetes, Redis for Secret Theft

Key Takeaways A financially motivated cybercrime group, TeamPCP, has been actively compromising cloud environments since late 2025. The group employs a self-propagating worm, CanisterWorm, to target...

Jennifer sherman
Jennifer sherman
March 30, 2026 4 Min Read
33 0

Key Takeaways

  • A financially motivated cybercrime group, TeamPCP, has been actively compromising cloud environments since late 2025.
  • The group employs a self-propagating worm, CanisterWorm, to target misconfigured Docker APIs, Kubernetes clusters, Redis servers, and systems vulnerable to the React2Shell flaw.
  • CanisterWorm facilitates credential theft, lateral movement, and extortion, affecting organizations utilizing Azure and AWS cloud services.
  • Notably, the group launched a supply chain attack against Aqua Security’s Trivy vulnerability scanner in March 2026, injecting credential-stealing malware into GitHub Actions releases.
  • The malware also includes a destructive wiper payload specifically designed to target systems configured for Iran’s timezone or Farsi language settings.

A persistent cybercrime organization, identified as TeamPCP, has been systematically breaching cloud infrastructures since late 2025, deploying a sophisticated, self-replicating malware known as CanisterWorm. This group’s extensive and automated operations are now raising significant concerns across the cybersecurity landscape.

Table Of Content

  • Key Takeaways
  • Automated Attacks and Cloud Dominance
  • Supply Chain Attack and Geo-Targeted Wiper
  • Blockchain-Backed Command Infrastructure
  • What You Should Do

CanisterWorm is designed to exploit common misconfigurations and known vulnerabilities within cloud environments. It actively seeks out inadequately secured Docker APIs, Kubernetes clusters, Redis servers, and systems susceptible to the React2Shell vulnerability.

Once a foothold is established, the worm demonstrates robust lateral movement capabilities within victim networks. Its primary objectives include the exfiltration of sensitive credentials and the execution of extortion schemes, often leveraging Telegram for communication with victims. The campaign’s reach is broad, impacting enterprises that operate cloud workloads on both Microsoft Azure and Amazon Web Services (AWS).

Automated Attacks and Cloud Dominance

The severity of the CanisterWorm threat is amplified by the sheer scale and automation TeamPCP applies to its attacks. Analysis conducted by the security firm Flare indicates a significant skew in compromised infrastructure, with Azure accounts constituting approximately 61% of affected servers, and AWS accounting for another 36%. This combined figure represents 97% of all observed compromised cloud infrastructure.

TeamPCP does not rely on zero-day exploits. Instead, it effectively weaponizes existing vulnerabilities and prevalent cloud misconfigurations. By exploiting these weaknesses, the group transforms exposed control planes into a self-sustaining criminal ecosystem, facilitating widespread compromise.

Further investigation by KrebsOnSecurity analysts revealed that the very same infrastructure used for these data theft campaigns was subsequently utilized to orchestrate a targeted wiper attack against systems linked to Iran.

Supply Chain Attack and Geo-Targeted Wiper

On March 19, 2026, TeamPCP escalated its activities with a supply chain attack targeting Trivy, a widely adopted vulnerability scanner developed by Aqua Security. The attackers successfully injected credential-stealing malware into official GitHub Actions releases. This malicious payload was designed to harvest critical information, including SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallet details from unsuspecting users.

Although the compromised files were eventually removed, significant damage had already occurred. Over the weekend of March 22-23, the group deployed a new, highly destructive payload. This wiper malware is specifically engineered to activate when the victim system is configured for Iran’s timezone or has Farsi set as its default language.

Charlie Eriksen, a security researcher at Aikido, elaborated on the wiper’s functionality, explaining that if a Kubernetes cluster is detected on an Iranian system, the malware will proceed to destroy data across every node within that cluster. In the absence of a cluster, it will simply wipe the local machine. This precise geographic targeting signifies a notable evolution in threat design, highlighting that financially motivated groups are now incorporating geo-specific logic to pursue both financial and politically charged objectives. Eriksen also noted that TeamPCP continued to boast on Telegram, claiming access to sensitive records from a major multinational pharmaceutical company.

CanisterWorm wiper snippet targeting Iran timezone systems (Source - KrebsonSecurity)
CanisterWorm wiper snippet targeting Iran timezone systems (Source – KrebsonSecurity)

The image above illustrates a segment of the malicious CanisterWorm code designed to target systems based on Iran’s timezone or Farsi language settings.

Blockchain-Backed Command Infrastructure

A particularly innovative and concerning aspect of CanisterWorm’s operation is TeamPCP’s utilization of the Internet Computer Protocol (ICP) canisters for its command and control infrastructure. These blockchain-based smart contracts integrate both code and data into a single, tamper-resistant unit. ICP canisters possess the capability to directly serve web content to users and, critically, their operation on a distributed blockchain network makes them exceptionally resilient to traditional takedown efforts.

Infrastructure overview (Source - KrebsonSecurity)
Infrastructure overview (Source – KrebsonSecurity)

As long as the operators continue to cover the necessary virtual currency fees, these canisters remain online and active. The provided infrastructure overview, documented by Aikido, clearly depicts CanisterWorm’s ICP canister deployment.

This blockchain-anchored command structure effectively bypasses conventional malware takedown strategies, which typically involve seizing servers. Law enforcement and hosting providers find their usual methods largely ineffective against such a distributed and resilient architecture. Furthermore, TeamPCP has demonstrated a remarkable agility in modifying its payload, frequently adding new features, temporarily withdrawing the malware, and even redirecting the canister to unrelated content, such as YouTube videos, between attack phases. This continuous adaptation and refinement of their tools in real-time significantly complicates detection and containment efforts for cybersecurity defenders.

What You Should Do

  • Immediately audit all Docker, Kubernetes, and Redis configurations in cloud environments for exposed APIs and unauthenticated access points.
  • Promptly rotate all SSH keys, cloud credentials, and Kubernetes tokens, especially if Aqua Security’s Trivy or KICS was integrated into your CI/CD pipelines between March 19 and March 23, 2026.
  • Implement robust monitoring solutions to detect lateral movement within your containerized environments and unusual locale-based system behaviors.
  • GitHub repository owners must thoroughly review their Actions workflows for any unauthorized modifications and enforce stringent access controls on cloud control planes to minimize exposure to groups like TeamPCP.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreatVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical n8n RCE Vulnerability (CVE-2024-29023) Patched

Next Post

Critical Vim CVE-2024-XXXX vulnerability allows arbitrary command execution

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us