{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/iran/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["kubernetes","wiper","iran","canisterworm","teampcp","destructive-attack"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eTeamPCP has deployed a Kubernetes wiper named CanisterWorm, specifically targeting Iranian infrastructure. This destructive malware is designed to obliterate data within Kubernetes environments. The wiper\u0026rsquo;s emergence in March 2026 signals a heightened level of cyber aggression, particularly given the geopolitical context. Defenders need to be aware of the potential for significant operational disruption and data loss. The targeting of Kubernetes environments reflects a sophisticated understanding of modern infrastructure and the increasing reliance on containerization technologies. 
This campaign requires immediate attention and proactive security measures to mitigate the risk of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a node within the Kubernetes cluster, possibly by exploiting a known vulnerability or through compromised credentials.\u003c/li\u003e\n\u003cli\u003eCanisterWorm gains elevated privileges within the compromised node, potentially using techniques such as privilege escalation exploits.\u003c/li\u003e\n\u003cli\u003eDiscovery of other nodes and resources within the Kubernetes cluster through reconnaissance activities, leveraging the Kubernetes API.\u003c/li\u003e\n\u003cli\u003eLateral movement to other nodes using stolen credentials or exploiting trust relationships between nodes.\u003c/li\u003e\n\u003cli\u003eExecution of CanisterWorm on each targeted node, initiating the data wiping process.\u003c/li\u003e\n\u003cli\u003eOverwriting critical system files and data volumes within the containers and pods.\u003c/li\u003e\n\u003cli\u003eCorruption of Kubernetes configuration files, leading to instability and potential cluster failure.\u003c/li\u003e\n\u003cli\u003eThe final stage involves the complete destruction of data within the Kubernetes environment, rendering the affected systems unusable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of CanisterWorm results in widespread data loss and service disruption within the targeted Kubernetes environments. This can lead to significant financial losses, reputational damage, and operational downtime. Given the targeting of Iranian infrastructure, this attack has the potential to impact critical services and government operations. 
The complete destruction of data necessitates extensive recovery efforts and may result in permanent data loss if backups are not available or are also compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Kubernetes API server logs for suspicious activity, particularly attempts to list or access sensitive resources, to detect reconnaissance (reference: Attack Chain step 3).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and strict access controls within the Kubernetes cluster to limit lateral movement (reference: Attack Chain step 4).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Kubernetes Pod Deletion\u003c/code\u003e to identify potential wipe attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden Kubernetes security configurations, including RBAC (Role-Based Access Control) policies, to prevent unauthorized access (reference: Attack Chain step 2).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-canisterworm-kubernetes-wiper/","summary":"TeamPCP's CanisterWorm is a newly identified Kubernetes wiper targeting Iranian infrastructure, indicating a politically motivated destructive attack.","title":"TeamPCP's CanisterWorm Kubernetes Wiper Targeting Iran","url":"https://feed.craftedsignal.io/briefs/2026-03-canisterworm-kubernetes-wiper/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["botnet","iran","C2"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA blog post on hunt.io details an Iranian botnet operation discovered through an open directory. The operation involves a 15-node relay network, suggesting a focus on obfuscation and resilience. The existence of an active Command and Control (C2) infrastructure indicates ongoing malicious activity. 
The exposure of these details allows defenders to gain insights into the botnet\u0026rsquo;s architecture and potentially disrupt its operations. While the specific targeting and malware used remain unclear from this report, the network structure points to a potentially sophisticated actor capable of conducting sustained campaigns. Understanding the C2 communication patterns and relay node infrastructure is crucial for effective defense.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Systems are compromised through an unknown initial access vector.\u003c/li\u003e\n\u003cli\u003eBot Installation: A bot payload is installed on the compromised systems.\u003c/li\u003e\n\u003cli\u003eC2 Communication: The bots establish communication with the C2 server to receive commands.\u003c/li\u003e\n\u003cli\u003eRelay Network Activation: Bots connect to one another, creating the 15-node relay network.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The C2 server issues commands to the bots through the relay network.\u003c/li\u003e\n\u003cli\u003eMalicious Activity: Bots execute malicious commands; the specific actions are currently unknown.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this botnet is currently unknown due to limited information, but botnets are commonly used for DDoS attacks, spam campaigns, or credential stuffing. If the botnet successfully achieves its objectives, it could lead to service disruptions, data breaches, or further compromise of systems within targeted networks. 
The Iranian origin suggests potential geopolitical motivations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to the domain \u003ccode\u003ehunt.io\u003c/code\u003e, as it is related to the botnet operation ([IOC: hunt.io]).\u003c/li\u003e\n\u003cli\u003eImplement a network connection rule to detect unusual network connections that could indicate C2 activity or relay network behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any systems that show signs of unusual network activity or communication with external domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T19:15:28Z","date_published":"2026-03-17T19:15:28Z","id":"/briefs/2024-01-iranian-botnet/","summary":"An Iranian botnet operation utilizing a 15-node relay network and active C2 infrastructure was exposed through an open directory.","title":"Iranian Botnet Operation Exposed via Open Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-iranian-botnet/"}],"language":"en","title":"CraftedSignal Threat Feed — Iran","version":"https://jsonfeed.org/version/1.1"}