Whenever there is a recent attack campaign reported across multiple articles I always wish for there to be a "sum of all the pieces" to try and get a better understanding.

I tried something new today with regard to TeamPCP and the recent CanisterWorm and Kubernetes Wiper campaign.

Let me know if you like the format.

https://cstromblad.com/posts/threat-actor-profile-teampcp/

#ThreatIntel #Cybersecurity

Threat Assessment: TeamPCP - CanisterWorm & Kubernetes Wiper Campaign

TeamPCP is a cybercrime group that compromised over 60 000 cloud servers, backdoored the Trivy vulnerability scanner, and unleashed a self-spreading npm worm — all controlled through a takedown-resistant blockchain C2. Their latest payload wipes Kubernetes clusters configured for Iranian locales while backdooring everyone else. The motivation behind the Iranian targeting remains unknown. Updated: 2026-03-24, three new sources added for context and new information about the Checkmarx compromise.

CHRISTOFFER STRÖMBLAD

Article/assessment has been updated incorporating some new insights from Socket and OpenSourceMalware.

https://cstromblad.com/posts/threat-actor-profile-teampcp/

Updated 2026-03-24, three new sources added and information about the Checkmarx compromise has also been included.

The attack keeps getting bigger and bigger.

https://cstromblad.com/posts/threat-actor-profile-teampcp/