Researchers from security firm Flare observed the newly identified group, TeamPCP, in December as they targeted unsecured cloud-hosted platforms with an initial worm. The campaign aimed to establish a distributed scanning infrastructure for data exfiltration, ransomware deployment, and cryptocurrency mining.
Recently, TeamPCP launched an aggressive campaign using malware that can self-propagate without user interaction. They compromised the Trivy vulnerability scanner by gaining access to Aqua Security's GitHub account. The worm then spread to 28 packages within a minute, demonstrating its rapid infection capabilities.
The malware, named CanisterWorm, uses a canister on the Internet Computer Protocol as its control channel, which lets the attackers switch the URLs it points to at any time. This made the threat hard for defenders to disable or mitigate. However, researchers noted that the canister was taken down on a Sunday night, rendering this control mechanism ineffective.
More concerning is CanisterWorm's new payload: a data wiper targeting systems in Iran. The malware checks whether a machine is set to an Iranian time zone or is otherwise configured for use in Iran; on a match, it triggers a wiping routine called Kamikaze, which could cause significant damage.