Particle.news

TeamPCP Deploys Iran-Targeted Wiper Through Kubernetes and ICP Canisters

Researchers say the destructive code was short-lived and its real-world damage is unconfirmed.

Overview

  • Security researchers say TeamPCP used its CanisterWorm setup over the weekend to push a wiper that triggers only on systems set to Iran’s timezone or Farsi locale.
  • In Kubernetes, software that runs apps across many servers, the script creates a DaemonSet named Host-provisioner-iran that launches Alpine “kamikaze” pods to delete top folders on each node and force a reboot.
  • On clusters outside Iran, the same method drops a Python backdoor onto the host and installs it as a systemd service so it survives restarts.
  • On Iranian machines without Kubernetes, the malware runs a full wipe command, and a newer build spreads over SSH using stolen keys (its SSH invocations carry telltale options such as StrictHostKeyChecking=no) and scans for open Docker APIs on port 2375.
  • Analysts link the activity to the recent Trivy supply-chain breach and to an ICP canister control server that resists takedown, while KrebsOnSecurity and Aikido report the attackers kept toggling the payload and its impact remains unclear.
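As an added defender-side example (not code from the Particle.news summary or from the researchers it cites), the following Python audits Kubernetes DaemonSet manifests for the traits the summary attributes to the wiper: a host root mount, a privileged or host-namespace pod, and a destructive command line. The manifests are constructed samples; only the DaemonSet name is taken from the summary.

```python
from typing import Any

ROOT_MOUNTS = {"/", "/host", "/rootfs"}                 # hostPath targets exposing the whole node
DESTRUCTIVE_TOKENS = ("rm -rf", "reboot", "shutdown")   # command fragments a node wiper relies on

def audit_daemonset(ds: dict[str, Any]) -> list[str]:
    """Return risk findings for one DaemonSet manifest given as a plain dict (e.g. from yaml.safe_load)."""
    findings: list[str] = []
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("hostPID") or pod.get("hostNetwork"):
        findings.append("pod shares the node's PID or network namespace")
    for vol in pod.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path in ROOT_MOUNTS:
            findings.append(f"hostPath mounts the node root filesystem at {path}")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c.get('name')} runs privileged")
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        for tok in DESTRUCTIVE_TOKENS:
            if tok in cmdline:
                findings.append(f"container {c.get('name')} command contains '{tok}'")
    return findings

def audit_manifests(manifests: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map each flagged DaemonSet name to its findings; other kinds and clean DaemonSets are skipped."""
    out: dict[str, list[str]] = {}
    for m in manifests:
        if m.get("kind") == "DaemonSet" and (f := audit_daemonset(m)):
            out[m["metadata"]["name"]] = f
    return out

# Constructed samples: one shaped like the DaemonSet the summary describes, one benign log shipper.
WIPER_LIKE = {"kind": "DaemonSet", "metadata": {"name": "Host-provisioner-iran"},  # name as quoted in the summary
    "spec": {"template": {"spec": {
        "hostPID": True, "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "kamikaze", "image": "alpine", "securityContext": {"privileged": True},
                        "command": ["/bin/sh", "-c", "rm -rf /host/* ; reboot"]}]}}}}  # constructed stand-in
LOG_SHIPPER = {"kind": "DaemonSet", "metadata": {"name": "log-shipper"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "shipper", "image": "fluent/fluent-bit", "args": ["-c", "/etc/fb.conf"]}]}}}}

if __name__ == "__main__":
    for name, found in audit_manifests([WIPER_LIKE, LOG_SHIPPER]).items():
        print(name, "->", "; ".join(found))
```

Running it flags only the wiper-shaped DaemonSet; the same checks can be fed from `kubectl get daemonsets -A -o json` or from an admission-time policy.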