https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran
The cybercrime group TeamPCP — already linked to a string of high-profile software supply chain attacks — has pivoted toward geopolitical disruption, deploying a destructive wiper payload designed to erase data on systems belonging to Iranian users. The wiper activates if it detects that a victim’s timezone and language settings correspond to Iran. If the infected system also has access to a Kubernetes cluster, it destroys data across every server in that cluster; otherwise it wipes just the local machine. Security researchers at Aikido, who first reported the campaign, noted that the malicious payload was active for only a short window over the weekend and was rapidly modified by the attackers as events unfolded.
TeamPCP delivered the wiper using the same technical infrastructure from its earlier attack on Aqua Security’s Trivy vulnerability scanner, which had already been used to steal SSH keys, cloud credentials, Kubernetes tokens, and cryptocurrency wallets from downstream users. The group operates what researchers call “CanisterWorm” — a self-propagating worm that spreads through poorly secured cloud services and is orchestrated using blockchain-based smart contracts, making it highly resistant to takedown attempts. Security firm Flare previously described TeamPCP’s approach as industrialising well-known attack techniques into a cloud-native exploitation platform, with Azure and AWS accounting for 97% of compromised servers.
Researchers warn the group appears emboldened and in possession of far more stolen access than has been publicly disclosed. Members have been bragging on Telegram about compromising a large multinational pharmaceutical firm, and after breaching Aqua Security a second time, began spamming GitHub with junk messages — behaviour researchers interpreted as the group showing off the scale of its credential stockpile.