Whenever there is a recent attack campaign reported across multiple articles I always wish for there to be a "sum of all the pieces" to try and get a better understanding.

I tried something new today with regards to TeamPCP and the recent CanisterWorm and Kubernetes Wiper campaign.

Let me know if you like the format.

https://cstromblad.com/posts/threat-actor-profile-teampcp/

#ThreatIntel #Cybersecurity

Threat Assessment: TeamPCP - CanisterWorm & Kubernetes Wiper Campaign

TeamPCP is a cybercrime group that compromised over 60 000 cloud servers, backdoored the Trivy vulnerability scanner, and unleashed a self-spreading npm worm — all controlled through a takedown-resistant blockchain C2. Their latest payload wipes Kubernetes clusters configured for Iranian locales while backdooring everyone else. The motivation behind the Iranian targeting remains unknown. Updated: 2026-03-24, three new sources added for context and new information about Checkmarx compromise.

CHRISTOFFER STRÖMBLAD
@nopatience very good. I especially like the evidence column in the MITRE ATT&CK techniques section

@deepthoughts10 Yeah... it's something that I've been collecting / enriching for quite a while.

It always annoyed me that there are sometimes textual descriptions of techniques that are not mentioned in the listings/tables of identified techniques.

So this is my attempt to try and bridge that gap... and as long as there is an "evidence" sentence, you can make your own assessment of whether you agree with the stated technique or not.

Thanks for taking the time to reflect!