Security Articles

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran

released on 2026-03-24 @ 10:50:58 AM
A new payload in the TeamPCP arsenal has been discovered, capable of wiping entire Kubernetes clusters. The script uses the same ICP canister as the CanisterWorm campaign, with consistent lateral movement via DaemonSets. However, this variant introduces a geopolitically targeted destructive payload aimed specifically at Iranian systems. The malware checks timezone and locale to identify Iranian systems and deploys privileged DaemonSets across every node in Kubernetes environments. Iranian nodes are wiped and force-rebooted, while non-Iranian nodes receive the CanisterWorm backdoor. The latest variant adds network-based lateral movement, exploiting exposed Docker APIs and using SSH to spread. This development shows TeamPCP's ability to operate at supply chain scale and its willingness to engage in destructive actions.