Defending Against TeamPCP’s CanisterWorm: A Guide to Detecting and Mitigating Cloud-Native Wiper Attacks

Overview

In late 2025, the cybercrime group TeamPCP launched a sophisticated wiper campaign targeting systems in Iran. Their tool, dubbed CanisterWorm by researchers, uses a blockchain-based command-and-control (C2) infrastructure—an Internet Computer Protocol (ICP) canister—to orchestrate attacks. The worm spreads through poorly secured cloud services like exposed Docker APIs, Kubernetes clusters, Redis servers, and exploits the React2Shell vulnerability. Once inside, it moves laterally, steals credentials, and ultimately wipes data on any machine that matches Iran’s time zone or has Farsi as the default language. This guide explains the attack chain, outlines prerequisites for understanding it, and provides step-by-step defensive measures. By following these recommendations, security teams can reduce their exposure to similar cloud-native threats.

Prerequisites

Before diving into the technical details, you should have:

• A solid understanding of cloud infrastructure (AWS, Azure, GCP) and common misconfigurations.
• Familiarity with Docker, Kubernetes, and container orchestration.
• Basic knowledge of network security, lateral movement, and credential theft.
• Awareness of the React2Shell vulnerability (CVE-2023-22960) and its impact on Jenkins and related tools.
• Experience with security monitoring tools like vulnerability scanners (Trivy, Wiz, Aikido).

Step-by-Step Defensive Guide

1. Understand the Attack Chain

TeamPCP’s CanisterWorm follows a multi-stage attack pattern:

1. Initial Compromise: The worm scans the internet for exposed Docker APIs, Kubernetes APIs, Redis servers without authentication, and targets the React2Shell vulnerability. Once found, it deploys itself and establishes a foothold.
2. Lateral Movement: Using stolen credentials (obtained via keylogging, credential dumping, or from the ICP canister), the worm moves across the network, compromising additional cloud resources.
3. Payload Delivery: The worm downloads the wiper component from the ICP canister only when the system’s time zone matches Iran (UTC+3:30) or the default language is Farsi. For Kubernetes clusters, it destroys data on all nodes; otherwise, it wipes the local machine.
4. Exfiltration and Extortion: Before wiping data, TeamPCP may exfiltrate sensitive files and then demand payment via Telegram to avoid destruction—though the wiper runs regardless in targeting scenarios.

2. Secure Exposed Cloud Services

The worm exploits misconfigurations in Docker, Kubernetes, and Redis. Follow these hardening steps:

• Docker API: Never expose the Docker daemon socket (unix:///var/run/docker.sock) over TCP without TLS. Use mutual authentication and restrict API access to trusted IPs.
• Kubernetes API: Enable RBAC, use network policies, and ensure the API server is not publicly accessible. Employ authenticated proxies or VPNs for remote management.
• Redis: Bind Redis to localhost or a private network; require authentication with a strong password and disable the CONFIG SET command if not needed.
• React2Shell: Patch Jenkins and related software immediately. Disable unnecessary plugins and use a web application firewall to block known exploit patterns.

3. Monitor for Anomalous Activity

TeamPCP’s infrastructure relies on ICP canisters, which generate unique blockchain transactions. Look for:

• Unusual outbound connections to ICP nodes or canister endpoints (e.g., ic0.app).
• Large numbers of failed authentication attempts on cloud consoles.
• Unexpected Docker or Kubernetes API calls from public IP ranges.
• Tools like Flare and Aikido can help detect the worm’s signatures—integrate them into your SIEM.

4. Protect Against Supply Chain Attacks

TeamPCP executed a supply chain attack on Trivy by injecting malicious code into GitHub Actions. To defend:

• Pin third-party actions and container images to specific versions and hashes.
• Scan all pulled images using a trusted scanner before deployment.
• Use GitHub’s secret scanning and Dependabot alerts to detect compromised dependencies.
• Regularly audit your CI/CD pipeline for unauthorized changes.

5. Implement Timezone and Locale Monitoring

The wiper activates only when the system’s timezone is Iran (Asia/Tehran) or locale is Farsi. While you may not control all endpoints, you can:

• Deploy endpoint detection agents that flag processes reading timezone or locale settings and then performing destructive actions.
• Use behavioral rules: if a process like rm -rf or shred is launched shortly after checking /etc/timezone, it’s suspicious.
• Sandbox any application that attempts to enumerate locale information.

6. Develop Incident Response Plans

If you suspect a CanisterWorm infection:

1. Isolate affected systems immediately to prevent lateral movement.
2. Disconnect cloud environments from the internet while preserving forensic evidence.
3. Take snapshots of compromised containers and volumes for analysis.
4. Rotate all credentials and revoke any tokens that may have been stolen.
5. Notify law enforcement and your security vendor (e.g., Aqua Security, Wiz, Aikido).

Common Mistakes

• Leaving default credentials: Many compromised servers used default or weak passwords for Docker and Redis. Always change defaults.
• Ignoring cloud misconfiguration: Exposing APIs without authentication is a primary entry point. Regularly scan with tools like ScoutSuite or Prowler.
• Neglecting supply chain hygiene: The Trivy attack succeeded because organizations trusted unsigned releases. Verify all third-party software.
• Assuming wipers only target your region: Even if your org isn’t in Iran, the worm might still infect your environment and then lay dormant until conditions match. Monitor all endpoints.
• Relying solely on signature-based detection: CanisterWorm uses polymorphic payloads delivered via blockchain—behavioral analysis is essential.

Summary

The CanisterWorm campaign by TeamPCP shows how cybercriminals combine cloud misconfigurations, supply chain compromise, and blockchain-based C2 to deliver targeted wiper attacks. By hardening exposed services, monitoring for ICP canister activity, securing CI/CD pipelines, and implementing timezone-aware behavioral detection, organizations can drastically reduce the risk of such attacks. The key takeaway: automation and integration of well-known techniques amplify the damage—stay vigilant and patch proactively.