Digital Event Horizon
A hacking group has been rampaging across the internet with a self-propagating malware whose wiper payload targets Iranian machines, raising concern about large-scale impact if the worm achieves wide, active spread. Read more about TeamPCP's latest campaign and how to protect yourself from this emerging threat.
TeamPCP, a mysterious hacking group, has been spreading CanisterWorm malware across various platforms, compromising systems and sensitive information. CanisterWorm targets organizations' CI/CD pipelines used for rapid development and deployment of software, and it locates its payload servers through an Internet Computer Protocol-based canister that third parties cannot take down or alter. Infected machines check in with the canister every 50 minutes, making the worm difficult for researchers to contain, and it carries a wiper payload that targets machines exclusively in Iran. TeamPCP's actions may be an attempt to draw attention to the group: they have historically been financially motivated, but this campaign has no clear connection to monetary profit. Development organizations should conduct regular security audits, ensure software updates are properly installed, and implement robust security measures to prevent unauthorized access.
In a recent series of high-profile attacks, a mysterious hacking group known as TeamPCP has been wreaking havoc on the global internet, leaving a trail of compromised systems and sensitive information in its wake. At the heart of this campaign is a self-propagating malware dubbed CanisterWorm, which has been spreading rapidly across various platforms, including cloud-hosted services and open-source software repositories.
According to researchers from security firm Aikido, TeamPCP first gained visibility in December last year when they unleashed a worm that targeted cloud-hosted platforms that weren't properly secured. The objective was to build a distributed proxy and scanning infrastructure, which would then be used to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency.
However, it soon became apparent that TeamPCP's skill in large-scale automation and in combining well-known attack techniques far surpassed expectations. They managed to exploit the widely used Trivy vulnerability scanner in a supply-chain attack that left its maintainer, Aqua Security, reeling. This was followed by a series of supply-chain compromises targeting organizations' CI/CD pipelines used for rapid development and deployment of software.
CanisterWorm, as Aikido has named the malware, targets those same CI/CD pipelines. It uses an Internet Computer Protocol-based canister, a form of self-enforcing smart contract designed to be impossible for third parties to take down or alter. The canister points infected machines to ever-changing URLs for the servers hosting the malicious binaries, so the attackers can swap those URLs out at any time.
Infected machines check in with the canister once every 50 minutes, so even if the attackers lost access to an initially compromised machine, the worm could still fetch fresh instructions and infect new systems automatically. This worm-like behavior made it extremely difficult for researchers and security experts to contain.
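A fixed check-in cadence like the 50-minute interval described above is something a defender can hunt for in egress proxy logs: a source host that contacts one destination at near-identical intervals is a beaconing candidate regardless of which URL the canister currently hands out. The script below is an added example, not code from Aikido, Socket or the article; the log lines are constructed, and the `ic0.example-canister.invalid` host name is a placeholder, not a real indicator.

```python
"""Flag (source, destination) pairs whose requests recur at a fixed interval.
Added beaconing heuristic; log lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_host> <dest_host>".
# build-01 talks to the placeholder destination roughly every 50 minutes;
# build-02 has irregular, legitimate-looking traffic.
SAMPLE_LOG = """\
2026-03-20T08:00:00 build-01 ic0.example-canister.invalid
2026-03-20T08:12:31 build-01 registry.npmjs.org
2026-03-20T08:50:03 build-01 ic0.example-canister.invalid
2026-03-20T09:40:01 build-01 ic0.example-canister.invalid
2026-03-20T09:41:10 build-02 github.com
2026-03-20T10:29:58 build-01 ic0.example-canister.invalid
2026-03-20T10:33:45 build-02 github.com
2026-03-20T11:20:04 build-01 ic0.example-canister.invalid
2026-03-20T12:05:00 build-02 github.com
2026-03-20T12:10:00 build-01 ic0.example-canister.invalid
"""


def parse_log(text):
    """Group timestamps by (src, dest) from the constructed log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest = line.split()
        series[(src, dest)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(series, period_s=50 * 60, tolerance=0.05, min_events=5):
    """Return [(src, dest, mean_gap_s)] for pairs whose inter-request gaps
    average close to period_s with little jitter.  tolerance is relative:
    both the distance of the mean from period_s and the spread of the gaps
    (population std dev / mean) must fall within it."""
    hits = []
    for (src, dest), stamps in series.items():
        if len(stamps) < min_events:      # too few samples to call a cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        jitter = pstdev(gaps) / m if m else float("inf")
        if abs(m - period_s) / period_s <= tolerance and jitter <= tolerance:
            hits.append((src, dest, m))
    return hits


if __name__ == "__main__":
    for src, dest, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {src} -> {dest} every {gap / 60:.1f} min")
```

Run against real proxy or DNS logs, the interval is a parameter: leave `period_s` at 50 minutes to look for the cadence reported for CanisterWorm, or sweep several periods. Short-lived build agents will rarely accumulate `min_events` samples, so aggregate by agent image or pipeline rather than by ephemeral host name where that applies.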
But what makes CanisterWorm particularly concerning is the addition of a wiper payload that targets machines exclusively in Iran. Researchers observed that when the updated worm infects a machine, it checks whether the machine is in the Iranian timezone or is configured for use in that country. If either condition is met, the malware does not activate the credential stealer and instead triggers the novel wiper, named Kamikaze.
According to Aikido researcher Charlie Eriksen, "The CanisterWorm campaign appears to be a direct extension of the initial Trivy compromise rather than a separate operation." This suggests that TeamPCP may be attempting to send a message or draw attention to the group's activities. Historically, TeamPCP has been financially motivated; with no clear connection to monetary profit this time, Eriksen posits that there might be an ideological component.
With the ability to worm its way through sensitive developer pipelines and machines, CanisterWorm represents a serious escalation of TeamPCP's campaign to steal as many credentials as possible. Development organizations should assume they may have been affected without knowing it. Both Aikido and Socket have published indicators that these organizations can use to determine whether they have been targeted or compromised.
The fact that TeamPCP has chosen to target an organization in a country currently at war with the US raises questions about their motivations. Is this an attempt to draw attention to their group, or is there something more sinister at play? Whatever the reason, one thing is clear: CanisterWorm and TeamPCP's activities pose a significant threat to global cybersecurity.
To stay ahead of such threats, development organizations must be vigilant in protecting themselves from these types of attacks. They should conduct regular security audits, ensure that all software updates are properly installed, and implement robust security measures to prevent unauthorized access to sensitive systems.
As the cyber threat landscape continues to evolve at breakneck speed, it is imperative for individuals, organizations, and governments to work together to stay informed about emerging threats like CanisterWorm. Only through collective awareness and cooperation can we hope to mitigate the damage caused by this kind of self-propagating malware.
Related Information:
https://www.digitaleventhorizon.com/articles/A-Global-Cyber-Threat-The-Rampage-of-TeamPCPs-Self-Propagating-Malware-deh.shtml
https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
Published: Tue Mar 24 10:02:52 2026 by llama3.2 3B Q4_K_M