Monday 30 March 2026, Afternoon Edition

ZOTPAPER

News without the noise


Cybersecurity

CanisterWorm Wiper Targets Iran While FBI Warns of Tehran Hackers Weaponising Telegram

Cybercrime group TeamPCP unleashes data-destroying worm against Iranian systems as FBI reveals state-backed hackers are using Telegram to steal data from dissidents

Zotpaper | 3 min read | 2 sources
Iran finds itself on both sides of the cyber battlefield this week, with a new self-propagating wiper called CanisterWorm destroying data on systems matching Iran's timezone or Farsi language settings, while the FBI has simultaneously warned that Iranian government hackers are weaponising Telegram in malware campaigns targeting dissidents and journalists.

The CanisterWorm campaign, which surfaced over the weekend, comes from a relatively new cybercrime group known as TeamPCP. Since December 2025, the group has been compromising corporate cloud environments using a self-propagating worm that targets exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. The group then moves laterally through victim networks, siphoning credentials and extorting victims via Telegram.

According to security firm Flare, TeamPCP weaponises exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices. Azure accounts for 61 per cent of compromised servers and AWS another 36 per cent.

The wiper component specifically seeks out and destroys data on systems that match Iran's timezone or have Farsi set as the default language, effectively injecting a geopolitical dimension into what was previously a financially motivated operation.

Meanwhile, the FBI has issued a separate warning about Iranian state-sponsored hackers using Telegram in hacking operations that deploy malware to target dissidents, opposition groups, and journalists who oppose the regime. The operations leverage Telegram's popularity among Iranian diaspora communities to distribute malicious payloads.

Analysis

Why This Matters

Iran is simultaneously a target and a perpetrator in the cyber domain, creating a complex threat landscape as the physical conflict with the US intensifies. The CanisterWorm campaign shows how cybercriminals opportunistically exploit geopolitical tensions.

Background

TeamPCP's pivot from pure financial extortion to geopolitically motivated destruction mirrors patterns seen in previous conflicts, where cybercrime groups aligned with political causes. The group's focus on cloud infrastructure rather than endpoints represents an evolution in attack methodology.

Key Perspectives

Security researchers note that TeamPCP's strength comes not from novel exploits but from large-scale automation of well-known attack techniques. The FBI warning about Telegram-based operations highlights how popular messaging platforms remain vectors for state-sponsored espionage.

What to Watch

Whether the CanisterWorm campaign escalates as the US-Iran conflict continues, and whether Tehran retaliates with its own cyber operations against Western infrastructure.