Iran-Targeted Wiper Discovered in Kubernetes Attacks by TeamPCP
New campaign blends supply-chain tactics with geopolitically targeted destruction inside cloud-native environments.

A new wave of cyberattacks targeting Kubernetes environments has revealed a dangerous shift in attacker intent. The threat group known as TeamPCP is now deploying a highly selective wiper malware that triggers destructive actions specifically against systems configured for Iran. Meanwhile, systems outside this target region are quietly backdoored for persistence and future exploitation.
This campaign builds on TeamPCP’s earlier operations, including the supply-chain compromise of the Trivy vulnerability scanner and the NPM-based CanisterWorm malware. However, this latest variant introduces a new dimension—geopolitically aware payload execution.
Researchers identified that the malware reuses the same command-and-control (C2) infrastructure, backdoor logic, and drop paths observed in earlier attacks. However, it now checks the system's timezone and locale settings. As a result, it distinguishes between Iranian and non-Iranian systems before executing its payload.
If a system matches Iran’s regional configuration and runs Kubernetes, the malware deploys a malicious DaemonSet named “Host-provisioner-iran” within the kube-system namespace. This DaemonSet leverages privileged containers to mount the host’s root filesystem. Each deployed pod runs an Alpine-based container, ominously named “kamikaze,” which deletes critical directories on the host system and forces a reboot. This process effectively wipes the machine.
On the other hand, if Kubernetes is present but the system does not match Iranian settings, the malware avoids destruction. Instead, it installs a persistent Python-based backdoor using systemd services across nodes. This approach ensures long-term access and lateral movement within the cluster.
Furthermore, in environments without Kubernetes, the malware still executes destructive commands if the system is identified as Iranian. It attempts to delete all accessible files using aggressive commands, even trying privilege escalation through passwordless sudo when necessary.
Meanwhile, a newer variant of the malware has shifted tactics again. Rather than relying solely on Kubernetes-based propagation, it now uses SSH-based lateral movement. By parsing authentication logs, the malware extracts valid credentials and leverages stolen SSH keys to spread across systems.
Several indicators highlight this activity. These include unusual outbound SSH connections with disabled host key verification, suspicious access to Docker APIs over port 2375, and the deployment of privileged containers with host filesystem mounts.
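As an added example (not code from the report or from the researchers who analysed the campaign), the following Python script audits DaemonSet manifests for the third indicator above: privileged containers that mount the host root filesystem. It reads the output of `kubectl get daemonsets -A -o json` on stdin and otherwise runs against a constructed sample; the DaemonSet names and images in the sample are made up for the example.

```python
"""Flag DaemonSets whose pods run a privileged container with the host root
filesystem ("/") mounted. Usage: kubectl get daemonsets -A -o json | python audit.py"""
import json
import sys

# Constructed sample: one benign log collector (hostPath under /var/log, not
# privileged) and one DaemonSet mirroring the privileged host-root pattern.
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "log-collector"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
         "containers": [{"name": "fluent", "image": "example/log-agent",
                         "volumeMounts": [{"name": "varlog", "mountPath": "/var/log"}]}]}}}},
    {"metadata": {"namespace": "kube-system", "name": "host-provisioner-sample"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "worker", "image": "alpine",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}},
]}


def audit_daemonsets(ds_list):
    """Return one finding per container that is privileged AND mounts a hostPath
    volume whose path is '/'. Init containers are checked as well."""
    findings = []
    for ds in ds_list.get("items", []):
        meta = ds["metadata"]
        pod = ds["spec"]["template"]["spec"]
        # Map volume name -> host path for every hostPath volume in the pod.
        host_paths = {v["name"]: v["hostPath"]["path"]
                      for v in pod.get("volumes", []) if "hostPath" in v}
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            privileged = bool(c.get("securityContext", {}).get("privileged"))
            root_mounts = [m["mountPath"] for m in c.get("volumeMounts", [])
                           if host_paths.get(m["name"]) == "/"]
            if privileged and root_mounts:
                findings.append({"namespace": meta["namespace"], "daemonset": meta["name"],
                                 "container": c["name"], "image": c.get("image", "?"),
                                 "host_root_mounted_at": root_mounts})
    return findings


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_daemonsets(data):
        print("SUSPICIOUS:", json.dumps(finding))
```

A finding in kube-system deserves the most scrutiny, but a privileged host-root mount is worth reviewing in any namespace, so the script reports all of them.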
Why This Matters
This campaign signals a clear evolution in cyber threat strategy. Attackers are no longer deploying generic payloads. Instead, they are embedding geopolitical logic into malware, enabling selective destruction while preserving access elsewhere.
For organizations operating in cloud-native environments, especially across multiple regions, this raises serious concerns. Misconfigured Kubernetes clusters, exposed Docker APIs, and weak credential management can quickly become entry points for such advanced threats.
Additionally, the use of supply-chain attacks combined with infrastructure-level compromise demonstrates how attackers are chaining multiple techniques to maximize impact.
Security Takeaways
Organizations should take immediate steps to strengthen their Kubernetes and infrastructure security posture:
- Restrict access to Kubernetes APIs and enforce strong authentication
- Disable unauthenticated Docker API access (port 2375)
- Monitor for unusual DaemonSet deployments in kube-system
- Enforce SSH key hygiene and monitor suspicious login patterns
- Implement runtime security controls for containerized environments
Proactive monitoring and zero-trust principles are no longer optional - they are essential.