{"id":5413,"date":"2025-08-31T20:45:18","date_gmt":"2025-08-31T20:45:18","guid":{"rendered":"https:\/\/lockitsoft.com\/?p=5413"},"modified":"2025-08-31T20:45:18","modified_gmt":"2025-08-31T20:45:18","slug":"teampcp-targets-iran-with-data-wiping-worm-exploits-cloud-vulnerabilities","status":"publish","type":"post","link":"https:\/\/lockitsoft.com\/?p=5413","title":{"rendered":"TeamPCP Targets Iran with Data-Wiping Worm, Exploits Cloud Vulnerabilities"},"content":{"rendered":"<p>A financially motivated cybercrime syndicate known as TeamPCP has escalated its operations by unleashing a sophisticated data-wiping worm that targets systems in Iran, exploiting vulnerabilities in cloud infrastructure. This new offensive, which materialized over the past weekend, appears to be an attempt by the group to capitalize on geopolitical tensions, leveraging a self-propagating worm designed to erase data on systems configured with Iran&#8217;s time zone or Farsi as the default language. The campaign underscores the growing threat of sophisticated cyberattacks targeting cloud environments and the increasing use of supply chain compromises by malicious actors.<\/p>\n<p>TeamPCP&#8217;s modus operandi centers on the large-scale automation and integration of known attack techniques, rather than the development of novel exploits or malware. Security firm Flare, in a profile published in January, detailed how the group weaponizes exposed control planes within cloud environments, predominantly targeting infrastructure like Microsoft Azure (61% of compromises) and Amazon Web Services (AWS) (36%), which together account for 97% of their compromised servers. 
This focus on cloud infrastructure over end-user devices allows TeamPCP to gain broad access and propagate their attacks with significant speed and efficiency.<\/p>\n<p>&quot;TeamPCP&#8217;s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,&quot; wrote Assaf Morag of Flare in a detailed analysis. &quot;The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.&quot; This approach allows them to rapidly compromise systems by identifying and exploiting common misconfigurations and readily available vulnerabilities within cloud service providers.<\/p>\n<h3>A Timeline of Escalation: From Data Theft to Data Wiping<\/h3>\n<p>The recent wiper campaign against Iran is not TeamPCP&#8217;s first foray into disruptive cyber activity. The group first gained attention in December 2025 when it began compromising corporate cloud environments. Their initial attack vector involved a self-propagating worm that specifically targeted exposed Docker APIs, Kubernetes clusters, and Redis servers. The group also exploited the React2Shell vulnerability, a critical flaw in web applications that allows for remote code execution.<\/p>\n<p>Once inside victim networks, TeamPCP&#8217;s objective was clear: lateral movement to siphon authentication credentials. The group then leveraged Telegram to extort their victims, demanding ransom payments in exchange for the decryption of stolen data and the promise of not leaking sensitive information. 
This pattern of data theft followed by extortion has become a hallmark of financially motivated cybercrime groups.<\/p>\n<p>A significant turning point in TeamPCP&#8217;s operational history occurred on March 19th, when the group executed a supply chain attack against Trivy, a popular open-source vulnerability scanner developed by Aqua Security. This attack involved injecting credential-stealing malware into official releases of Trivy available on GitHub Actions. While Aqua Security has since removed the malicious files, the security firm Wiz noted that attackers successfully published tainted versions of Trivy that were capable of exfiltrating sensitive information, including SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from unsuspecting users.<\/p>\n<p>This supply chain compromise of Trivy, a tool widely used by developers and security professionals to identify vulnerabilities in code and container images, highlighted the significant risk associated with the software supply chain. The compromise meant that any system that updated or ran the compromised version of Trivy could inadvertently install malware, creating a cascading effect of potential infections.<\/p>\n<h3>The &quot;CanisterWorm&quot; and its Iranian Focus<\/h3>\n<p>The technical infrastructure that TeamPCP utilized in the Trivy attack was subsequently repurposed for the recent wiper campaign targeting Iran. Charlie Eriksen, a security researcher at Aikido, detailed these findings in a blog post published on Sunday. Eriksen explained that the new malicious payload, which Aikido refers to as &quot;CanisterWorm,&quot; is designed to detect if a victim&#8217;s system is configured with Iran&#8217;s time zone or has Farsi set as the default language.<\/p>\n<p>If these conditions are met, the worm initiates a data-wiping operation. The severity of the attack escalates if the victim has access to a Kubernetes cluster. 
In such cases, the wiper component is designed to destroy data across every node within that cluster. &quot;If it doesn&#8217;t [detect a Kubernetes cluster], it will just wipe the local machine,&quot; Eriksen stated in an interview.<\/p>\n<figure class=\"article-inline-figure\"><img src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/03\/aikido-iranwiper.png\" alt=\"\u2018CanisterWorm\u2019 Springs Wiper Attack Targeting Iran\" class=\"article-inline-img\" loading=\"lazy\" decoding=\"async\" \/><\/figure>\n<p>The term &quot;CanisterWorm&quot; is derived from TeamPCP&#8217;s orchestration of their campaigns through an Internet Computer Protocol (ICP) canister. These canisters are tamperproof, blockchain-based &quot;smart contracts&quot; that combine code and data, offering a high degree of resilience against takedown attempts. Their distributed architecture ensures they remain accessible as long as their operators continue to pay the necessary virtual currency fees. This reliance on ICP canisters provides TeamPCP with a robust and difficult-to-disrupt command and control infrastructure.<\/p>\n<h3>Bragging Rights and GitHub Exploitation<\/h3>\n<p>Evidence suggests that the individuals behind TeamPCP are actively boasting about their exploits on a private Telegram group. They claim to have used the worm to steal vast amounts of sensitive data from prominent organizations, including a large multinational pharmaceutical firm. This self-promotion not only highlights the group&#8217;s perceived success but also serves as a warning to potential victims and the broader cybersecurity community.<\/p>\n<p>Eriksen further noted that following the second compromise of Aqua Security, TeamPCP gained access to numerous GitHub accounts. These accounts were subsequently used to spam repositories with junk messages. &quot;It was almost like they were just showing off how much access they had,&quot; Eriksen commented. 
&quot;Clearly, they have an entire stash of these credentials, and what we\u2019ve seen so far is probably a small sample of what they have.&quot;<\/p>\n<p>Security experts believe these spammed GitHub messages could be a deliberate tactic by TeamPCP to artificially inflate the visibility of their malicious code packages. By pushing meaningless commits or utilizing services that sell GitHub &quot;stars&quot; and &quot;likes,&quot; attackers aim to keep their tainted packages at the top of GitHub search results, increasing the likelihood of unsuspecting users discovering and downloading them. This practice raises concerns about the integrity of code repositories and the potential for widespread compromise through seemingly legitimate channels.<\/p>\n<h3>Broader Implications for Software Supply Chain Security<\/h3>\n<p>The recent outbreak is not an isolated incident for Trivy. This marks the second major supply chain attack involving the vulnerability scanner in as many months. At the end of February, Trivy was targeted as part of an automated threat known as HackerBot-Claw, which exploited misconfigured workflows in GitHub Actions to steal authentication tokens. The frequency of such attacks underscores a growing trend of threat actors exploiting the interconnected nature of software development and distribution.<\/p>\n<p>It appears that TeamPCP leveraged the access gained from the initial compromise of Aqua Security to perpetrate the subsequent wiper attack. However, Eriksen cautioned that there is no definitive way to confirm whether the wiper successfully erased data from any victim systems. The malicious payload was reportedly active for only a short period over the weekend, and the group has been observed rapidly deploying and retracting their malicious code, adding new features and functionalities.<\/p>\n<p>&quot;They\u2019ve been taking [the malicious code] up and down, rapidly changing it adding new features,&quot; Eriksen observed. 
He also noted that when the malicious canister was not distributing malware, it was redirecting visitors to a Rick Roll video on YouTube, adding a layer of what he described as &quot;Chaotic Evil&quot; playfulness to their operations. &quot;It\u2019s a little all over the place, and there\u2019s a chance this whole Iran thing is just their way of getting attention,&quot; Eriksen speculated.<\/p>\n<p>Catalin Cimpanu, a reporter for Risky Business, highlighted in a recent newsletter titled &quot;GitHub is Starting to Have a Real Malware Problem&quot; that supply chain attacks are increasing in frequency. He documented an alarming number of such incidents since 2024, emphasizing the need for enhanced security measures on platforms like GitHub. &quot;While security firms appear to be doing a good job spotting this, we\u2019re also gonna need GitHub\u2019s security team to step up,&quot; Cimpanu wrote. &quot;Unfortunately, on a platform designed to copy (fork) a project and create new versions of it (clones), spotting malicious additions to clones of legitimate repos might be quite the engineering problem to fix.&quot;<\/p>\n<h3>Expanding the Attack Surface: KICS Vulnerability Scanner<\/h3>\n<p>In an update on March 23rd, Wiz reported that TeamPCP had extended its reach by compromising the KICS (Keeping Infrastructure as Code Secure) vulnerability scanner, developed by Checkmarx. The attackers injected credential-stealing malware into KICS&#8217;s GitHub Action. This compromise occurred between 12:58 and 16:50 UTC on March 23rd, further demonstrating TeamPCP&#8217;s persistent efforts to infiltrate widely used security tools and exploit the software supply chain.<\/p>\n<p>The implications of these repeated supply chain attacks are far-reaching. They not only endanger the users of the compromised tools but also create a domino effect, potentially infecting a vast number of systems and networks that rely on these security solutions. 
The incident highlights the critical need for continuous vigilance, robust security practices, and enhanced collaboration between software vendors, cloud providers, and cybersecurity researchers to mitigate these evolving threats. The financial motives behind TeamPCP, coupled with their increasingly sophisticated tactics, position them as a significant actor in the evolving landscape of cybercrime.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A financially motivated cybercrime syndicate known as TeamPCP has escalated its operations by unleashing a sophisticated data-wiping worm that targets systems in Iran, exploiting vulnerabilities in cloud infrastructure. This new offensive, which materialized over the past weekend, appears to be an attempt by the group to capitalize on geopolitical tensions, leveraging a self-propagating worm designed &hellip;<\/p>\n","protected":false},"author":5,"featured_media":5412,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108],"tags":[72,109,352,603,388,111,110,804,883,365,884,885],"class_list":["post-5413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-protection","tag-cloud","tag-cybersecurity","tag-data","tag-exploits","tag-iran","tag-privacy","tag-security","tag-targets","tag-teampcp","tag-vulnerabilities","tag-wiping","tag-worm"],"_links":{"self":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/5413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5413"}],"version-history":[{"count":0,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/5413\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/media\/5412"}],"wp:attachment":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}