Fast Facts
- A cybercrime group called TeamPCP has been secretly exploiting cloud vulnerabilities since late 2025, using its canister-based blockchain infrastructure to automate wide-scale attacks on Azure and AWS environments, primarily targeting Docker, Kubernetes, Redis, and known flaws like React2Shell.
- Their self-propagating worm, CanisterWorm, moves laterally within networks to steal credentials and extort victims via Telegram, with over 97% of compromised systems located on Azure and AWS.
- In March 2026, TeamPCP escalated by injecting malware into Trivy's GitHub releases, stealing sensitive credentials, and deploying a geo-targeted wiper that destroys data on Iranian systems or those with Farsi settings, indicating political and financial motives.
- The use of blockchain-based ICP canisters for command infrastructure makes takedown efforts highly ineffective, allowing the group to rapidly adapt, modify payloads, and evade detection while continuing extensive attacks.
What’s the Problem?
Since late 2025, a cybercriminal group named TeamPCP has been quietly targeting cloud environments for financial gain through a sophisticated campaign. They use a self-propagating worm called CanisterWorm, which scans for vulnerable Docker APIs, Kubernetes clusters, Redis servers, and systems with the React2Shell flaw. Once inside, CanisterWorm moves laterally across networks to steal credentials and then extorts organizations via Telegram. The attack has impacted thousands of servers on major cloud platforms like Azure and AWS—accounting for 97% of affected infrastructure—by weaponizing known vulnerabilities and misconfigurations. Interestingly, the same infrastructure was later used to launch a targeted wiper attack on systems associated with Iran, exposing a shift toward geo-specific malicious tactics.
In March 2026, TeamPCP further escalated their operations by hijacking the supply chain of a popular vulnerability scanner, Trivy, injecting malware to steal SSH keys, credentials, and cryptocurrency wallets. Soon after, they deployed a destructive payload that activates on Iranian systems or those using Farsi, destroying data across entire Kubernetes clusters or local machines. Their attack infrastructure is blockchain-based, utilizing Internet Computer Protocol (ICP) canisters, which make takedowns difficult and allow the group to swiftly modify or redirect their payloads. This adaptability, combined with the geopolitical marker embedded in their malicious code, underscores the evolving complexity and danger posed by TeamPCP’s operations, prompting urgent advisories for organizations to strengthen their security controls and monitor for signs of lateral movement and suspicious activity.
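A control that follows directly from the Trivy release hijack described above, written here as an added example (not code from the original page or from the Trivy project): a CI step that installs a downloaded scanner asset only after its SHA-256 matches a digest pinned in the repository, so a swapped release binary never becomes executable. The asset name and the pinned placeholder are assumptions, and the demo writes a constructed stand-in file instead of a real download.

```python
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

# The pinned digest lives in the repository beside the pipeline definition and
# changes only through a reviewed commit, so a swapped release asset cannot be
# picked up silently. PLACEHOLDER value, constructed for this example; it is
# not a real Trivy release digest.
PINNED_SHA256 = {"scanner-linux-amd64": "<copy from the vendor's checksum file>"}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def install_verified(asset: str, expected_hex: str, bin_dir: str) -> str:
    """Copy a downloaded asset into bin_dir and mark it executable only if its
    SHA-256 matches the pinned value; otherwise raise and leave nothing runnable."""
    actual = sha256_of(asset)
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise RuntimeError(f"{asset}: sha256 {actual} != pinned {expected_hex}")
    os.makedirs(bin_dir, exist_ok=True)
    dest = os.path.join(bin_dir, os.path.basename(asset))
    shutil.copy2(asset, dest)
    os.chmod(dest, os.stat(dest).st_mode | stat.S_IXUSR)
    return dest


def demo() -> tuple[bool, bool]:
    """Constructed walk-through: a clean asset installs, a modified one is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        asset = os.path.join(tmp, "scanner-linux-amd64")
        with open(asset, "wb") as f:
            f.write(b"#!/bin/sh\necho scanning\n")   # stands in for the release binary
        pinned = sha256_of(asset)                     # what the reviewed pin would hold
        clean_ok = os.access(install_verified(asset, pinned, os.path.join(tmp, "bin")), os.X_OK)
        with open(asset, "ab") as f:
            f.write(b"# bytes that were not in the reviewed release\n")
        try:
            install_verified(asset, pinned, os.path.join(tmp, "bin"))
            tampered_ok = True
        except RuntimeError:
            tampered_ok = False
    return clean_ok, tampered_ok
```

The same pattern applies to any binary a pipeline fetches at build time; the pin is what turns a "download latest release" step into a reviewable dependency.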
What’s at Stake?
The threat posed by the CanisterWorm malware targeting Docker, Kubernetes, and Redis can drastically impact any business, especially those relying on containerized or cloud-based services. This malware exploits vulnerabilities in these systems to gain unauthorized access, enabling cybercriminals to steal sensitive data such as secrets, credentials, or proprietary information. If successful, attackers can disrupt operations, cause financial losses, and damage reputation—risks that grow with increased digital dependency. Moreover, without robust security measures, such breaches can spread quickly across interconnected systems, compounding the damage. Consequently, every business using container technology must remain vigilant, implement strong security controls, and monitor their environments continuously to prevent such incursions.
Possible Actions
Promptness in addressing threats like “CanisterWorm Malware Attacking Docker/K8s/Redis to Gain Access and Steal Secrets” is vital, as rapid response minimizes damage, prevents further exploitation, and ensures the integrity and confidentiality of sensitive data within complex containerized environments.
Detection Strategies
- Implement continuous monitoring of container and orchestration platform logs.
- Use intrusion detection systems tailored for container runtime environments.
- Conduct regular vulnerability scans of Docker images, Kubernetes configurations, and Redis deployments.
Containment Measures
- Isolate affected containers and nodes immediately.
- Disable compromised services and revoke compromised credentials.
- Segregate critical assets from compromised segments to prevent lateral movement.
Eradication Techniques
- Remove malicious containers and images identified during detection.
- Purge malicious or backdoored code from code repositories.
- Patch the vulnerabilities the malware exploited, such as outdated container images or insecure Redis configurations.
Recovery Procedures
- Restore affected systems using trusted backups.
- Redeploy clean versions of containers and applications.
- Confirm system integrity post-remediation before returning to normal operation.
Preventive Actions
- Enforce least privilege principles for container and cluster access.
- Secure Redis deployments with strong authentication and encryption.
- Regularly apply security updates to Docker, Kubernetes, and Redis.
- Incorporate security into CI/CD pipelines for early detection of vulnerabilities.
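The Redis item in the list above, made concrete as an added example (not code from the original page): a small audit of a redis.conf that flags the settings an internet-scanning worm would try first, shown against a constructed weak configuration and its hardened counterpart. Both configuration fragments and the placeholder password are constructed for this example.

```python
# Constructed redis.conf fragments for this example; not taken from any real host.
WEAK_CONF = """
# reachable from every interface, protected mode off, no password, cleartext
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
# close the cleartext listener and serve TLS only
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
requirepass "placeholder-long-random-secret-from-a-secrets-manager"
rename-command CONFIG ""
rename-command DEBUG ""
"""


def audit_redis_conf(text: str) -> list[str]:
    """Return findings for settings an internet-scanning worm would exploit first."""
    d: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):        # redis.conf comments are whole lines
            parts = line.split()
            d.setdefault(parts[0].lower(), []).append(parts[1:])
    findings: list[str] = []
    binds = [a.lstrip("-") for args in d.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listening on all interfaces")
    if [v.lower() for v in d.get("protected-mode", [["yes"]])[-1]] != ["yes"]:
        findings.append("protected-mode: disabled")
    has_pass = any(a and a[0].strip("\"'") for a in d.get("requirepass", []))
    has_acl = any(t[:1] in (">", "#") for a in d.get("user", []) for t in a)   # ACL user passwords
    if not (has_pass or has_acl):
        findings.append("auth: no requirepass and no ACL user password")
    plain_port = d.get("port", [["6379"]])[-1][0]
    if "tls-port" not in d:
        findings.append("tls: no tls-port, client traffic is cleartext")
    elif plain_port != "0":
        findings.append(f"port: cleartext port {plain_port} still open beside TLS")
    # Older-style hardening; ACL rules (-@dangerous) are the newer alternative, not checked here.
    disabled = {a[0].upper() for a in d.get("rename-command", []) if len(a) == 2 and a[1] in ('""', "''")}
    for cmd in ("CONFIG", "DEBUG"):
        if cmd not in disabled:
            findings.append(f'{cmd}: still reachable; add rename-command {cmd} ""')
    return findings
```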
Policy and Training
- Develop and update incident response plans specific to container security.
- Train staff on container security best practices and threat awareness.
- Conduct periodic drills to ensure readiness for container malware incidents.
