A sophisticated hacking campaign is exploiting Kubernetes environments with destructive intent, marking a dangerous escalation in supply-chain and geopolitically targeted attacks. The threat actor, known as TeamPCP, has previously made headlines with the Trivy vulnerability scanner compromise and the NPM-based “CanisterWorm” campaign. Now, their focus has shifted to selectively wiping systems configured for Iran, while simultaneously spreading persistent backdoors on other networks. This latest development underscores the growing intersection of cybersecurity threats with geopolitical motivations.
Destructive Malware with Selective Targeting
Security researchers at Aikido report that TeamPCP is deploying a malicious script across Kubernetes clusters. The malware is designed to distinguish Iranian systems based on timezone and locale, triggering complete system destruction when these conditions are met. For Iranian systems with Kubernetes installed, a DaemonSet named host-provisioner-iran deploys privileged Alpine containers called kamikaze. These containers systematically delete top-level directories and force a system reboot, effectively wiping the host.
For non-Iranian systems with Kubernetes, a different DaemonSet—host-provisioner-std—is deployed. This variant does not erase files but installs a persistent Python backdoor on each node, running as a systemd service to maintain long-term access. On Iranian machines without Kubernetes, the malware executes the rm -rf / --no-preserve-root command to delete all files accessible to the current user, attempting passwordless sudo if necessary. Systems outside these parameters remain untouched, and the malware exits silently.
Connections to CanisterWorm and Supply-Chain Attacks
This campaign reuses the ICP canister from the previous CanisterWorm incidents, including the same command-and-control (C2) infrastructure, backdoor code, and /tmp/pglog drop path. TeamPCP’s lateral movement tactics via Kubernetes DaemonSets mirror its established playbook, but the addition of geopolitically targeted destruction is a new and concerning development.
Recent iterations of the malware have shifted from Kubernetes lateral movement to SSH-based propagation. Infected hosts attempt to harvest credentials from authentication logs and leverage stolen private keys for remote access. Indicators of compromise include outbound SSH connections with StrictHostKeyChecking=no, Docker API connections on port 2375, and privileged Alpine containers mounted with the host filesystem via unauthenticated Docker APIs.
What Undercode Say:
TeamPCP’s new campaign reflects a worrying evolution in both technical sophistication and strategic intent. Unlike conventional ransomware or opportunistic malware, this attack demonstrates careful environmental reconnaissance and conditional execution. By detecting geographic and system-specific attributes before activating destructive payloads, the attackers minimize unnecessary exposure while maximizing impact in their target region.
The use of DaemonSets to deploy privileged containers shows deep familiarity with Kubernetes-native attack vectors. Privileged access combined with host filesystem mounting allows near-total control over victim machines, enabling both rapid destruction and stealthy persistence. The malware’s dual mode—destructive for targeted regions, backdoor installation elsewhere—indicates long-term operational planning, as the attackers secure footholds on global infrastructure while executing precision strikes.
Furthermore, the shift toward SSH-based propagation represents an adaptive evolution, reducing reliance on Kubernetes while exploiting common administrative practices. Parsing authentication logs and using private keys demonstrates a focus on lateral movement and persistence beyond immediate targets. The campaign highlights the ongoing risk posed by supply-chain attacks, where initial compromise of developer tools or libraries can translate into highly targeted and destructive outcomes.
The geopolitical targeting of Iranian systems also suggests that cyber operations are increasingly blending with state-level interests, making attribution and mitigation more complex. Organizations running global Kubernetes environments must prioritize monitoring for abnormal DaemonSets, unusual Docker API activity, and unauthorized root-level operations. In addition, rigorous segmentation and credential hygiene become essential defenses against both lateral spread and targeted destruction.
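As a defender-side check for the indicators listed earlier (privileged Alpine containers with the host filesystem mounted, rolled out via DaemonSets) and the monitoring recommendation above, here is an added example that is not code from Aikido or the original report: a Python audit that parses the JSON printed by `kubectl get daemonsets -A -o json` and flags DaemonSets whose pods run privileged or mount the host root. The sample input is constructed; the DaemonSet and container names come from the report, while the node-exporter entry is an assumed benign control.

```python
import json

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`.
# First item mirrors the DaemonSet/container names from the report; the
# second is an assumed benign monitoring agent that must NOT be flagged.
SAMPLE_DAEMONSETS = json.dumps({"items": [
    {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "kamikaze", "image": "alpine",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}},
    {"metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "exporter", "image": "prom/node-exporter",
                         "volumeMounts": [{"name": "proc", "mountPath": "/host/proc"}]}],
         "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}]}}}},
]})


def audit_daemonsets(kubectl_json: str) -> list[dict]:
    """Return one finding per DaemonSet that matches the reported tradecraft."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item["metadata"]
        pod = item["spec"]["template"]["spec"]
        # Volume names that are hostPath mounts of the host root directory.
        host_root = {v["name"] for v in pod.get("volumes", [])
                     if v.get("hostPath", {}).get("path") == "/"}
        reasons = []
        for c in pod.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                reasons.append(f"container {c['name']} is privileged")
            if any(m["name"] in host_root for m in c.get("volumeMounts", [])):
                reasons.append(f"container {c['name']} mounts host /")
        # Name heuristic: both reported variants share the provisioner naming.
        if "provisioner" in meta["name"].lower():
            reasons.append("name matches reported DaemonSet naming")
        if reasons:
            findings.append({"namespace": meta["namespace"],
                             "name": meta["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_daemonsets(SAMPLE_DAEMONSETS):
        print(f"{f['namespace']}/{f['name']}: " + "; ".join(f["reasons"]))
```

Pipe real cluster output in with `kubectl get daemonsets -A -o json` and review each finding; legitimate privileged agents (CNI, storage drivers) will appear too, so the name heuristic and the host-root mount together are the stronger signal.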
Fact Checker Results:
✅ TeamPCP previously targeted Trivy and NPM ecosystems — confirmed by multiple security reports.
✅ Malware uses ICP canisters and DaemonSets for lateral movement — confirmed by Aikido researchers.
❌ No evidence suggests the malware affects systems outside the described targeting parameters — consistent with observed behavior.
Prediction:
⚠️ We may see further campaigns that integrate geopolitical triggers with sophisticated container-based attacks.
⚠️ Future malware may increasingly combine destructive payloads with persistent backdoors, making detection and remediation more difficult.
⚠️ Kubernetes environments worldwide will face higher scrutiny as attackers exploit cloud-native features for precision strikes.
This campaign serves as a stark reminder that container orchestration platforms, while powerful, are increasingly becoming a target for both cybercriminals and state-affiliated threat actors.
References:
Reported By: www.bleepingcomputer.com