TeamPCP Iran-targeted Kubernetes destructive campaign
Campaign
Summary
Hide ▲
Show ▼
The TeamPCP campaign is now using a malicious script against Kubernetes clusters to wipe hosts when systems appear configured for Iran, raising the risk of geopolitically targeted destruction. On non-Iranian nodes, the same operation installs a Python backdoor for persistence instead of erasing machines. The activity also reuses the CanisterWorm infrastructure and is evolving toward SSH propagation with stolen credentials and parsed authentication logs. That combination shows an active, coordinated operation with selective destructive behavior and follow-on footholds.
Related Happenings
PCPJack TeamPCP-targeting cloud credential theft campaign
Campaign
H score37
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
PCPJack TeamPCP-targeting cloud credential theft campaign
CampaignAbout this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
H score27
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware ActivityAbout this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
H score34
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
**PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
PCPJack Linux cloud credential-theft and persistence framework
Malware ActivityAbout this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
Latest development: 05.06.2026 08:34
Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
PCPJack worm-like credential theft framework
Malware Activity
H score27
First: 07.05.2026 20:45
Last: 07.05.2026 20:45
Sources 1
About this happening:
The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
PCPJack worm-like credential theft framework
Malware ActivityAbout this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
TeamPCP supply-chain credential-exploitation campaign
Campaign
H score34
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
TeamPCP supply-chain credential-exploitation campaign
CampaignAbout this happening: The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
Latest development: 12.05.2026 01:03
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Timeline
-
23.03.2026 22:09 1 articles · 3mo ago
CanisterWorm campaign starts on March 20
Campaign Scope UpdateThe NPM-based CanisterWorm activity begins on March 20.
Show sources
- TeamPCP deploys Iran-targeted wiper in Kubernetes attacks — www.bleepingcomputer.com — 23.03.2026 22:09
-
23.03.2026 22:09 2 articles · 3mo ago
TeamPCP Iran-targeted Kubernetes wiper analysis
Technical Analysis UpdateTeamPCP-linked malware targets Kubernetes clusters with a destructive payload that wipes hosts when Iran timezone and locale are detected, using a privileged DaemonSet named `Host-provisioner-iran` in `kube-system`; on non-Iranian systems it installs a Python backdoor for persistence, and newer variants switch to SSH propagation with parsed authentication logs, stolen private keys, `StrictHostKeyChecking+no`, and Docker API access on port 2375.
Show sources
- TeamPCP deploys Iran-targeted wiper in Kubernetes attacks — www.bleepingcomputer.com — 23.03.2026 22:09
- TeamPCP deploys Iran-targeted wiper in Kubernetes attacks — www.bleepingcomputer.com — 23.03.2026 22:09