What measures can organizations take to prevent similar attacks?

Organizations should secure their cloud environments by regularly auditing configurations, implementing robust security measures, and continuous monitoring to detect and mitigate threats.

TeamPCP's 2026 Kubernetes Wiper Attack: A Wake-Up Call for Cloud Security

Q: How did TeamPCP execute the Kubernetes wiper attack?

They exploited misconfigured Kubernetes clusters to deploy a malicious script that wiped all machines identified with Iranian locale settings, causing significant operational disruptions.

Discover how TeamPCP exploited misconfigured Kubernetes clusters to deploy wiper malware targeting Iranian systems, and learn strategies to fortify your cloud infrastructure against such threats.

Published: March 23, 2026

Share this on:

Executive Summary

In March 2026, the cybercriminal group TeamPCP launched a targeted wiper malware attack against Kubernetes clusters, specifically aiming to destroy systems configured for Iran. The attackers exploited misconfigured cloud environments to deploy a malicious script that wiped all machines identified with Iranian locale settings. This campaign followed TeamPCP's previous supply-chain attack on the Trivy vulnerability scanner and the NPM-based 'CanisterWorm' campaign. The wiper attack resulted in significant operational disruptions for affected organizations, highlighting the group's evolving tactics and the critical need for robust cloud security configurations.

This incident underscores the increasing sophistication of cyber threats targeting cloud infrastructures and the geopolitical motivations driving such attacks. Organizations must prioritize securing their cloud environments, regularly audit configurations, and implement comprehensive monitoring to detect and mitigate similar threats.

Why This Matters Now

The TeamPCP wiper attack highlights the urgent need for organizations to secure their cloud environments against sophisticated, geopolitically motivated cyber threats. As attackers increasingly exploit misconfigurations in cloud infrastructure, it is imperative to implement robust security measures and continuous monitoring to prevent similar incidents.

Attack Path Analysis

TeamPCP exploited misconfigured Kubernetes APIs to gain initial access, escalated privileges by deploying DaemonSets with elevated permissions, moved laterally across clusters using Kubernetes-native mechanisms, established command and control through persistent backdoors, exfiltrated data via unauthorized outbound connections, and impacted systems by deploying wiper malware targeting Iranian locales.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

TeamPCP exploited misconfigured Kubernetes APIs to gain unauthorized access to clusters.

Confidence:

High

MITRE ATT&CK® Techniques

Execution

T1609

Container Administration Command

Persistence

T1098.006

Account Manipulation: Additional Container Cluster Roles

Credential Access

T1110.003

Brute Force: Password Spraying

Impact

T1496.001

Resource Hijacking: Compute Hijacking

Initial Access

T1133

External Remote Services

Initial Access

T1210

Exploitation of Remote Services

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Change Control Processes

Control ID: 6.4.1

The unauthorized deployment of malicious scripts indicates a lack of robust change control processes, potentially violating PCI DSS requirements for managing changes to system components.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the organization's cybersecurity policy, particularly in addressing threats to Kubernetes environments, as required by NYDFS regulations.

DORA – ICT Risk Management Framework

Control ID: Article 5

The attack highlights weaknesses in the organization's ICT risk management framework, essential for ensuring operational resilience under DORA.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The adversary's ability to manipulate container cluster roles indicates inadequate identity and access management controls, contravening CISA's Zero Trust principles.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The breach demonstrates insufficient implementation of cybersecurity risk management measures, as mandated by the NIS2 Directive for essential and important entities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Kubernetes infrastructure faces critical wiper threats with geopolitically targeted destruction, requiring enhanced zero trust segmentation and east-west traffic security controls.

Computer Software/Engineering

Supply chain attacks targeting vulnerability scanners and container orchestration platforms expose development infrastructure to destructive payloads and persistent backdoors.

Government Administration

Geopolitically motivated wiper attacks on Kubernetes clusters threaten critical government infrastructure, demanding immediate multicloud visibility and anomaly detection capabilities.

Defense/Space

Iran-targeted destructive payloads in containerized environments pose severe national security risks requiring comprehensive threat detection and secure hybrid connectivity measures.

Sources

TeamPCP deploys Iran-targeted wiper in Kubernetes attackshttps://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/
Verified

TeamPCP Turns Cloud Misconfigurations Into a Self-Propagating Cybercrime Platformhttps://gbhackers.com/teampcp-turns-cloud-misconfigurations/

Verified

New Iranian wiper discovered in attacks on Middle Eastern companieshttps://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

Verified

Frequently Asked Questions

TeamPCP is a cybercriminal group known for exploiting misconfigured cloud environments to deploy malware, including wiper attacks targeting specific geopolitical regions.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly within the cloud fabric, potentially reducing the attacker's ability to exploit misconfigurations and move laterally across clusters.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit misconfigured Kubernetes APIs may have been constrained, limiting unauthorized access to clusters.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges by deploying DaemonSets may have been limited, reducing the scope of elevated permissions.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement across clusters may have been constrained, reducing the ability to expand their foothold.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The establishment of persistent backdoors may have been limited, reducing the attacker's ability to maintain control over the environment.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate data through unauthorized outbound connections may have been constrained, reducing data loss.

Impact (Mitigations)

The deployment of wiper malware may have been limited, reducing the extent of data destruction on targeted systems.

Impact at a Glance

Affected Business Functions

Cloud Infrastructure Management
Data Storage and Backup
Application Deployment
System Monitoring

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential loss of critical operational data and system configurations.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows, mitigating lateral movement.
• Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
• Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
• Apply Kubernetes Security measures, such as network policies and pod security standards, to harden cluster defenses.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

TeamPCP's 2026 Kubernetes Wiper Attack: A Wake-Up Call for Cloud Security

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Container Administration Command

Account Manipulation: Additional Container Cluster Roles

Brute Force: Password Spraying

Resource Hijacking: Compute Hijacking

External Remote Services

Exploitation of Remote Services

Potential Compliance Exposure

PCI DSS 4.0 – Change Control Processes

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Computer Software/Engineering

Government Administration

Defense/Space

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads