
Iran‑Targeted Kubernetes Wiper Deployed by TeamPCP Threatens Global Cloud Environments

TeamPCP released a geopolitically‑focused wiper that wipes Iranian‑configured hosts and installs backdoors on other Kubernetes nodes. The campaign reuses the CanisterWorm C2 infrastructure and adds SSH‑based propagation, raising the risk for any third‑party cloud provider running Kubernetes workloads.

🛡️ LiveThreat™ Intelligence · 📅 March 24, 2026 · 📰 bleepingcomputer.com
🟠 Severity: High
🔍 Type: ThreatIntel
🎯 Confidence: High
🏢 Affected: 4 sector(s)
Actions: 4 recommended
📰 Source: bleepingcomputer.com


What Happened – The TeamPCP threat group released a new malicious script that checks whether the host it lands on is configured for Iran. The trigger is the host's own timezone/locale, not where the machine is physically located or who is connecting to it. On a Kubernetes node with an Iranian timezone/locale the script creates a privileged DaemonSet that wipes the host filesystem and forces a reboot. Non‑Iranian Kubernetes nodes instead receive a DaemonSet that installs a backdoor, and Iranian hosts without Kubernetes are wiped directly with a destructive rm -rf / --no-preserve-root command.

Why It Matters for TPRM

  • A privileged DaemonSet is scheduled onto every node in a cluster, so a single successful deployment can destroy data and disrupt services across an entire cloud‑native environment, exposing third‑party risk for SaaS and IaaS providers.
  • The same C2 infrastructure is reused from the prior CanisterWorm supply‑chain attack, indicating a persistent threat actor who retains working infrastructure between campaigns and can reuse it against new vendors.
  • Because the wiper fires on the host's timezone/locale rather than on network geography, any node, image or VM configured for Iran is at risk wherever it runs; organizations with Iranian users or subsidiaries should inventory which hosts carry that configuration.

Who Is Affected – Cloud‑infrastructure providers, SaaS platforms, managed‑service providers, and any enterprise that runs Kubernetes clusters (tech, finance, healthcare, etc.).

Recommended Actions

  • Review all third‑party contracts for Kubernetes hosting and confirm that access to the cluster API is restricted (network allow‑lists, no public endpoints) and that IAM/RBAC policies limit who can create DaemonSets or privileged pods.
  • Verify that Kubernetes clusters are not running privileged DaemonSets and that hostPath mounts of the host root are prohibited, for example by enforcing the Pod Security Admission "restricted" or "baseline" profile on every namespace and by auditing existing DaemonSets for securityContext.privileged and hostPath volumes.
  • Deploy detection for the DaemonSet name "Host‑provisioner‑iran" and the pod name "kamikaze" reported for this campaign, but do not rely on names alone: alert on any newly created DaemonSet that is privileged or mounts the host root, since the actor can rename workloads at will.
  • Harden SSH to block the newer SSH‑propagation variant, which reuses valid credentials harvested from auth logs and stolen private keys: disable password authentication, rotate any private keys that may have been on an affected host, and restrict which accounts may log in.

Technical Notes – The attack uses the same ICP canister backdoor (tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io) as the CanisterWorm campaign. Cluster‑wide reach comes from a privileged DaemonSet: the Kubernetes scheduler places one pod on every node, and each pod mounts the host's root filesystem at /mnt/host, giving the script write access to the node outside its container. On non‑Iranian nodes the script drops a Python backdoor and registers it as a systemd service. A later variant abandons Kubernetes and spreads via SSH, harvesting valid credentials from auth logs and stolen private keys. Source: BleepingComputer
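The audit and detection points in the Recommended Actions (privileged DaemonSets, host‑root mounts, the reported workload names) and the /mnt/host mount described in the Technical Notes can be checked with one script. The following Python is an added example for this brief, not code from the BleepingComputer article or from TeamPCP's tooling. It audits a kubectl JSON dump and reports objects whose name matches a reported indicator, containers running privileged, hostPath volumes that expose the host root, and where that root is mounted. The SAMPLE it carries is constructed to follow the shape of `kubectl get daemonsets,pods -A -o json`; the indicator strings are written with ASCII hyphens and compared case‑insensitively, and their exact spelling should be confirmed against the original reporting before this is used as a production detection.

```python
"""Audit Kubernetes workloads for the traits described in the brief.

Added example for this brief; not code from the BleepingComputer article
or from TeamPCP's tooling.  SAMPLE is constructed and follows the shape of
`kubectl get daemonsets,pods -A -o json`.
"""
import json
import sys

# Indicator names taken from the reporting, written with ASCII hyphens.
# Pods created by a DaemonSet carry a generated suffix, so matching is by
# exact name or by "<name>-" prefix.  Verify spellings against the source.
IOC_NAMES = ("host-provisioner-iran", "kamikaze")


def _pod_spec(obj):
    """Return the pod spec for a Pod, or the pod template spec for a DaemonSet."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "DaemonSet":
        return spec.get("template", {}).get("spec", {})
    return spec


def host_root_volumes(pod_spec):
    """Names of hostPath volumes whose path is the host's root filesystem."""
    names = []
    for vol in pod_spec.get("volumes") or []:
        host_path = vol.get("hostPath")
        # "/" (or "//") strips to an empty string; "/proc" does not.
        if host_path and host_path.get("path", "").rstrip("/") == "":
            names.append(vol["name"])
    return names


def audit_workload(obj):
    """Findings for one Pod or DaemonSet object; an empty list means clean."""
    kind = obj.get("kind", "?")
    meta = obj.get("metadata", {})
    name = meta.get("name", "?")
    namespace = meta.get("namespace", "default")
    pod_spec = _pod_spec(obj)
    findings = []

    lowered = name.lower()
    if any(lowered == ioc or lowered.startswith(ioc + "-") for ioc in IOC_NAMES):
        findings.append(f"name '{name}' matches a reported indicator")

    containers = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    privileged = [c["name"] for c in containers
                  if (c.get("securityContext") or {}).get("privileged") is True]
    if privileged:
        findings.append("privileged container(s): " + ", ".join(privileged))

    root_volumes = host_root_volumes(pod_spec)
    if root_volumes:
        findings.append("hostPath volume(s) for host root: " + ", ".join(root_volumes))
        mount_paths = [m["mountPath"] for c in containers
                       for m in (c.get("volumeMounts") or [])
                       if m.get("name") in root_volumes]
        if mount_paths:
            findings.append("host root mounted at: " + ", ".join(mount_paths))

    if pod_spec.get("hostPID"):
        findings.append("hostPID enabled (can reach host processes)")

    return [f"{kind} {namespace}/{name}: {f}" for f in findings]


def audit(items):
    """Run audit_workload over every object in a kubectl JSON list."""
    findings = []
    for obj in items:
        findings.extend(audit_workload(obj))
    return findings


# Constructed sample: one DaemonSet with the reported traits, one benign
# DaemonSet that mounts only /proc read-only, and one privileged pod whose
# name matches the second indicator.
SAMPLE = {"items": [
    {"kind": "DaemonSet",
     "metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "hostPID": True,
         "containers": [{"name": "prov", "image": "alpine",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "root", "mountPath": "/mnt/host"}]}],
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}},
    {"kind": "DaemonSet",
     "metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "exporter", "image": "prom/node-exporter",
                         "volumeMounts": [{"name": "proc", "mountPath": "/host/proc",
                                           "readOnly": True}]}],
         "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}]}}}},
    {"kind": "Pod",
     "metadata": {"name": "kamikaze-7x2kq", "namespace": "default"},
     "spec": {"containers": [{"name": "c", "image": "alpine",
                              "securityContext": {"privileged": True}}]}},
]}


if __name__ == "__main__":
    # Pipe real cluster data in; fall back to the constructed sample on a terminal.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit(data["items"]):
        print(line)
```

Run it against a live cluster with `kubectl get daemonsets,pods -A -o json | python3 k8s_workload_audit.py` (the filename is arbitrary). Against the embedded sample it reports five findings for the kube-system DaemonSet, two for the kamikaze pod, and nothing for node-exporter, which mounts only /proc read‑only; a benign hostPath under a subdirectory is deliberately not flagged so the check stays useful in clusters that run monitoring agents.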

📰 Original Source
https://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
