{
  "Event": {
    "analysis": "1",
    "date": "2026-03-22",
    "extends_uuid": "",
    "info": "[Threat Intel] CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran",
    "protected": false,
    "publish_timestamp": "1775507893",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775507892",
    "uuid": "9f5b90e2-0231-4ee6-82a5-e94427146a9d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#95f9b9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Sudo and Sudo Caching - T1548.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#da180c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bootkit - T1542.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#d16319",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Implant Internal Image - T1525\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#474886",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic Linker Hijacking - T1574.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee4ab",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Deployment Tools - T1072\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#b596f0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"",
        "relationship_type": ""
      },
      {
        "colour": "#37ffb5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Denial of Service - T1498\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#20a667",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0068",
        "local": false,
        "name": "rectifyq:topic=\"cloud\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774407618",
        "to_ids": false,
        "type": "link",
        "uuid": "58a4ed40-93b7-4f87-a36d-684ac7f5f9b2",
        "value": "https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774407618",
        "to_ids": false,
        "type": "text",
        "uuid": "81b27cdd-b11d-4c8d-9e7f-17949f781996",
        "value": "A new payload in the TeamPCP arsenal has been discovered that is capable of wiping entire Kubernetes clusters. The script uses the same Internet Computer Protocol (ICP) canister as the CanisterWorm campaign and spreads across a cluster via DaemonSets, as earlier CanisterWorm activity did. This variant, however, adds a geopolitically targeted destructive payload aimed specifically at Iranian systems: the malware fingerprints each host by timezone and locale, and it deploys privileged DaemonSets so that the payload runs on every node of a Kubernetes environment. Nodes identified as Iranian are wiped and force-rebooted; all other nodes receive the CanisterWorm backdoor. Note that the wipe-or-backdoor decision rests only on timezone and locale, so the targeting is coarse (a host outside Iran configured with an Iranian timezone or locale could be wiped), and every cluster the worm reaches is compromised whether or not it is wiped. The latest variant also adds network-based lateral movement, exploiting exposed Docker APIs and using SSH to spread. This development shows TeamPCP's ability to operate at supply-chain scale and its willingness to carry out destructive actions."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774407618",
        "to_ids": false,
        "type": "text",
        "uuid": "75728da0-1f50-4e52-93dd-936e1da67835",
        "value": "Name: CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"docker api\", \"canisterworm\", \"kubernetes\", \"daemonset\", \"wiper\"]\nTgtd countries: [\"Iran, Islamic Republic of\"]\nMlwr families: [\"CanisterWorm\"]\nAttack_ids: [\"T1133\", \"T1548.003\", \"T1542.003\", \"T1082\", \"T1190\", \"T1525\", \"T1552.004\", \"T1574.006\", \"T1087\", \"T1059\", \"T1083\", \"T1072\", \"T1562.001\", \"T1078\", \"T1573\", \"T1570\", \"T1498\", \"T1105\", \"T1569.002\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774407618",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "721e7e31-817f-476f-b465-4962f76c1363",
        "value": "TeamPCP"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490628",
        "to_ids": true,
        "type": "url",
        "uuid": "28100c46-63c0-4295-becf-f4cc8cbf5c9b",
        "value": "https://championships-peoples-point-cassette.trycloudflare.com/prop.py",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490649",
        "to_ids": true,
        "type": "url",
        "uuid": "967f1655-e295-45a2-9145-557bf6c207da",
        "value": "https://souls-entire-defined-routes.trycloudflare.com/kamikaze.sh",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490671",
        "to_ids": true,
        "type": "url",
        "uuid": "bc534612-5473-43d7-9ffd-79cd3391ceea",
        "value": "https://souls-entire-defined-routes.trycloudflare.com/kube.py",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490692",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0c2ddb29-759c-40c0-8bf7-c1d6efa5ac07",
        "value": "championships-peoples-point-cassette.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490713",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f319298a-6c11-4a69-84f7-cdc79880b8e7",
        "value": "investigation-launches-hearings-copying.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490734",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d1e69a97-bae0-44d2-985f-fef832687636",
        "value": "souls-entire-defined-routes.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490755",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a1acae9d-efbf-4103-8915-73f66496042c",
        "value": "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490777",
        "to_ids": true,
        "type": "url",
        "uuid": "b7ba7c13-58ce-4bab-a856-b5247ece67cf",
        "value": "https://souls-entire-defined-routes.trycloudflare.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490798",
        "to_ids": true,
        "type": "url",
        "uuid": "2e9c53df-ad09-41bc-b2bb-be83c13d6c37",
        "value": "https://investigation-launches-hearings-copying.trycloudflare.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775490819",
        "to_ids": true,
        "type": "url",
        "uuid": "3fdbfbe8-690b-4801-9959-de9cd71df02f",
        "value": "https://championships-peoples-point-cassette.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}