{"id":226724,"date":"2026-03-23T11:53:00","date_gmt":"2026-03-23T15:53:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/23\/canisterworm-springs-wiper-attack-targeting-iran-krebs-on-security\/"},"modified":"2026-03-23T12:27:35","modified_gmt":"2026-03-23T16:27:35","slug":"canisterworm-springs-wiper-attack-targeting-iran-krebs-on-security","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/23\/canisterworm-springs-wiper-attack-targeting-iran-krebs-on-security\/","title":{"rendered":"\u2018CanisterWorm\u2019 Springs Wiper Attack Targeting Iran \u2013 Krebs on Security"},"content":{"rendered":"<p><a href=\"https:\/\/krebsonsecurity.com\/2026\/03\/canisterworm-springs-wiper-attack-targeting-iran\/\">\u2018CanisterWorm\u2019 Springs Wiper Attack Targeting Iran \u2013 Krebs on Security<\/a><\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2026\/03\/canisterworm-springs-wiper-attack-targeting-iran\/\">https:\/\/krebsonsecurity.com\/2026\/03\/canisterworm-springs-wiper-attack-targeting-iran\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-23 11:53:00<\/a><\/p>\n<p>Source Domain: <a href=\"krebsonsecurity.com\">krebsonsecurity.com<\/a><\/p>\n<p>A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran\u2019s time zone or have Farsi set as the default language.<\/p>\n<p>Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as <strong>TeamPCP<\/strong>. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. 
TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.<\/p>\n<p id=\"caption-attachment-73375\" class=\"wp-caption-text\">A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran\u2019s timezone or have Farsi as the default language. Image: Aikido.dev.<\/p>\n<p>In a profile of TeamPCP published in January, the security firm <strong>Flare<\/strong>\u00a0said the group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.<\/p>\n<p>\u201cTeamPCP\u2019s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,\u201d Flare\u2019s <strong>Assaf Morag<\/strong> wrote. \u201cThe group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.\u201d<\/p>\n<p>On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner <strong>Trivy<\/strong> from <strong>Aqua Security<\/strong>, injecting credential-stealing malware into official releases on GitHub Actions. 
Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious&#8230;<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2026\/03\/canisterworm-springs-wiper-attack-targeting-iran\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u2018CanisterWorm\u2019 Springs Wiper Attack Targeting Iran \u2013 Krebs on Security https:\/\/krebsonsecurity.com\/2026\/03\/canisterworm-springs-wiper-attack-targeting-iran\/ Publish Date: 2026-03-23 11:53:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":226725,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/03\/aikido-iranwiper.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,27],"class_list":["post-226724","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226724"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=226724"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226724\/revisions"}],"predecessor-version":[{"id":226726,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226724\/revisions\/226726"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/226725"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-
json\/wp\/v2\/media?parent=226724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=226724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=226724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}