Self-Propagating Malware Poisons Open Source Software, Wipes Iran-Based Machines (arstechnica.com)
- Reference: 0181096832
- News link: https://news.slashdot.org/story/26/03/24/1638228/self-propagating-malware-poisons-open-source-software-wipes-iran-based-machines
- Source link: https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
> A new hacking group has been rampaging the Internet in a persistent campaign that [1] spreads a self-propagating and never-before-seen backdoor -- and curiously a data wiper that targets Iranian machines. The group, tracked under the name TeamPCP, first gained visibility in December, when researchers from security firm Flare [2] observed it unleashing a worm that targeted cloud-hosted platforms that weren't properly secured. The objective was to build a distributed proxy and scanning infrastructure and then use it to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency. The group is notable for its skill in large-scale automation and integration of well-known attack techniques.
>
> More recently, TeamPCP has waged a relentless campaign that uses continuously evolving malware to bring ever more systems under its control. Late last week, it compromised virtually all versions of the widely used Trivy vulnerability scanner in a supply-chain attack after gaining privileged access to the GitHub account of Aqua Security, the Trivy creator. Over the weekend, researchers said they observed TeamPCP spreading potent malware that was also worm-enabled, meaning it had the potential to spread to new machines automatically, with no interaction required of victims behind the keyboard. [...]
>
> As the weekend progressed, CanisterWorm [as Aikido has named the malware] was updated to add an additional payload: a wiper that targets machines exclusively in Iran. When the updated worm infects a machine, it checks whether the machine is in the Iranian timezone or is configured for use in that country. When either condition is met, the malware no longer activates the credential stealer and instead triggers a novel wiper that TeamPCP developers named Kamikaze. Eriksen said in an email that there's no indication yet that the worm caused actual damage to Iranian machines, but that there was "clear potential for large-scale impact if it achieves active spread."
It's unclear what the motive is for TeamPCP. Aikido researcher Charlie Eriksen wrote: "While there may be an ideological component, it could just as easily be a deliberate attempt to draw attention to the group. Historically, TeamPCP has appeared to be financially motivated, but there are signs that visibility is becoming a goal in itself. By going after security tools and open-source projects, including Checkmarx as of today, they are sending a clear and deliberate signal."
[1] https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
[2] https://flare.io/learn/resources/blog/
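The summary describes a payload gated on a timezone or country check, with a wiper behind one branch. A static triage heuristic for that pattern, as an added example that is not code from Aikido, Aqua Security or the worm itself: it flags scripts where a timezone/locale indicator sits within a few lines of a destructive command. The indicator lists and the sample script are constructed and assumed representative, not exhaustive.

```python
"""Static triage heuristic for geo-gated destructive payloads in install scripts.
Added example for this story; not code from Aikido, Aqua Security or the worm.
Indicator lists and SAMPLE are constructed (assumption: representative, not exhaustive)."""
import re

# Strings that suggest a timezone or locale check (constructed indicator set).
GEO_PATTERNS = [
    r"Asia/Tehran", r"\bfa_IR\b", r"\bTZ\b", r"/etc/timezone",
    r"timedatectl", r"resolvedOptions\(\)\.timeZone", r"\bIRST\b",
]
# Commands that destroy data wholesale (constructed indicator set).
WIPE_PATTERNS = [
    r"\brm\s+-[rf]{2}\s+/(?:\s|$)", r"\bshred\b", r"\bmkfs\b",
    r"\bdd\s+if=/dev/(?:zero|urandom)\s+of=/dev/",
]
GEO_RE = re.compile("|".join(GEO_PATTERNS))
WIPE_RE = re.compile("|".join(WIPE_PATTERNS))


def find_geofenced_wipers(script: str, window: int = 6) -> list:
    """Return (geo_line, wipe_line) 1-indexed pairs where a destructive command
    appears within `window` lines after a timezone/locale indicator."""
    lines = script.splitlines()
    hits = []
    for i, line in enumerate(lines, 1):
        if not GEO_RE.search(line):
            continue
        # lines[i] is the line after line number i; scan the following window.
        for j in range(i, min(i + window, len(lines))):
            if WIPE_RE.search(lines[j]):
                hits.append((i, j + 1))
                break
    return hits


# Constructed sample resembling the described gating logic, not the real worm.
SAMPLE = """#!/bin/sh
TZ_NOW=$(cat /etc/timezone 2>/dev/null)
if [ "$TZ_NOW" = "Asia/Tehran" ] || locale | grep -q fa_IR; then
    rm -rf / --no-preserve-root
fi
"""

if __name__ == "__main__":
    for geo_line, wipe_line in find_geofenced_wipers(SAMPLE):
        print(f"geo check on line {geo_line}, destructive command on line {wipe_line}")
```

A benign build script that sets `TZ=UTC` and then runs `rm -rf ./build` produces no hit, because the wipe pattern requires a root-relative target; treat hits as leads for manual review, not verdicts.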
Can't wait! (Score:3)
How long will it be before malware such as this is used to (further) poison LLMs? Is there the potential to make LLM outputs strategically false and/or propagandistic and/or psychologically damaging?
IANAP, so I don't know if these things are feasible. But if I was a black-hat hacker with a grudge - or one who simply gets off on wreaking havoc - I'd be pursuing that course of action.
Re: Can't wait! (Score:2)
Pretty sure most LLMs are already a vector for strategically false and/or propagandistic and/or psychologically damaging responses based on their training data sources being the Internet.
You can only account for so many poisoned records before your accounting strategy displaces the actual data.
Iran is offline (Score:2)
From what I see, Iran is completely offline at this point, right?
Re: (Score:2)
That's what it seems. After the internet shutdown of January 8th, there hasn't been a large scale restoration of online access there.
Re: (Score:2)
For the most part, but things like StarLink are allowing some people to bypass everything. The Iranian government is trying to detect StarLink transmitters and arrest users of it. Controlling media is in part why many Iranians have no idea the extent that their government has been decimated by the US and Israel. I've got no idea why we're not dropping leaflets all over the place with headlines from the outside world. Maybe we are and I'm just not aware of it. Still, Iran does stand for now. I am starting to
is the "lesson" (Score:2)
don't use Kubernetes?
I'm admittedly not knowledgeable on Kuberwhatever, but I always look to reduce dependencies. Talked to a few techies I know in the middle of corporate servitude, the opinion was split on whether K was really and truly useful vs. really and truly just a dependency trap for lazy devops.
layers and layers of moving parts = more vulns, IMHO
Re: (Score:2)
Kubernetes is like Docker. They're container systems. Basically they use Linux namespaces to let you run an independent userspace to your current userspace. This can have valuable benefits - like needing to run an ancient userspace for some tool on modern hardware (e.g., if you need an Ubuntu 14.04 LTS environment for some reason, it's basically impossible to run it on modern hardware without building your own kernel and stuff).
All Linux is doing is standard app level virtualization - you know the same prot
GPL virus infect YOU! (Score:1)
Good job, malware dudes. Your malware is now GPLed. Enjoy seeing it used without payment. Now we have our own malware (thanks!) so why do we still need you?
Don't forget... (Score:2)
It was North Korea. Anyway, do not forget that Iran's own people are trying to overthrow the gov because months ago they chopped all the fiber connections. Iran has no internet unless individuals have satellite connections. I'm not sure their mobile or wired telecom even works anymore. That's why their people started burning down gov buildings and mosques before the US ever started attacking them. So this is the most obvious purposeful red herring ever.
No chance any Israelis involved, is there? (Score:3)
Israel has zero hackers working on trying to damage the Iranian nuclear program... right?
Re: (Score:3)
> Israel has zero hackers working on trying to damage the Iranian nuclear program... right?
And maybe that's exactly what the creators of that malware want you to think.
Re: (Score:2)
Notice the number of commas in this figure. [1] https://foreignassistance.gov/... [foreignassistance.gov]
[1] https://foreignassistance.gov/cd/israel/
Re: (Score:1)
It's probably done -by- Iran to put blame on someone else.
But we all remember Stuxnet..... That was Israel and the U.S. that did that one. So maybe not.....
Re: (Score:2)
Yes, Stuxnet was the inspiration for my extremely speculative post.
Re: No chance any Israelis involved, is there? (Score:3)
None. This is entirely Russia, with its single washing machine CPU.
Re: (Score:2)
New Russian CPU is BIGGEST and BEST! 1000x size of Intel CPU!