TeamPCP's Multi-Front Attack: When Wipers Meet Supply Chain Compromise
We’re seeing something interesting unfold this week that’s worth paying attention to. The TeamPCP hacking group has been making moves across multiple attack vectors simultaneously, and their latest campaign shows how threat actors are getting more sophisticated about targeting specific regions while compromising the tools we rely on daily.
The Kubernetes Wiper That Knows Geography
Let’s start with the most unusual piece: TeamPCP is deploying a wiper malware that specifically targets Iranian systems through Kubernetes clusters. What makes this particularly noteworthy isn’t just the geopolitical targeting—it’s the technical approach. The malicious script actually checks system configurations to identify Iranian infrastructure before wiping everything clean.
This kind of geo-targeted destructive malware represents a shift we should all be watching. We’ve seen nation-state actors use geographic filters before, but seeing it in what appears to be a broader criminal campaign suggests these techniques are becoming more accessible. For those of us managing Kubernetes environments, this is a reminder that container orchestration platforms are increasingly attractive targets, especially when they’re misconfigured or exposed to the internet.
Supply Chain Hits Where It Hurts: CI/CD Pipelines
Here’s where things get really concerning for our day-to-day operations. TeamPCP has compromised Trivy Docker images—specifically versions 0.69.5 and 0.69.6—with their infostealer malware. If you’re not familiar with Trivy, it’s a popular vulnerability scanner that many of us use in our CI/CD pipelines to scan container images for security issues.
The irony here is almost painful: teams are pulling what they think is a security tool to scan for vulnerabilities, and instead they’re introducing malware directly into their build processes. This supply chain attack hits right at the heart of modern DevSecOps practices, where we’ve been pushing security left and integrating scanning tools throughout our development workflows.
If your organization uses Trivy in automated scans, you’ll want to check which versions you’re running and review any systems that may have pulled these compromised images. The fact that this targets CI/CD specifically means the potential for lateral movement and data exfiltration is significant.
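One way to do that version check across your pipeline definitions, as an added example (not code from the original post or from the Trivy project): it scans Dockerfiles, compose files or CI configs for Trivy image references and flags the two tags named above, plus unpinned tags that cannot be judged from the text alone. It assumes the scanner is pulled as `aquasec/trivy` or `ghcr.io/aquasecurity/trivy`; adjust the pattern for a private mirror.

```python
import re

# Trivy Docker image tags reported as compromised in this post.
AFFECTED_TAGS = {"0.69.5", "0.69.6"}

# Assumed image names (Docker Hub and GHCR); optional tag and/or digest.
# The negative lookahead keeps "aquasec/trivy-db" from matching.
IMAGE_RE = re.compile(
    r"(?P<image>(?:docker\.io/)?aquasec/trivy|ghcr\.io/aquasecurity/trivy)"
    r"(?![\w.-])"
    r"(?::(?P<tag>[\w][\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


def audit_trivy_refs(text):
    """Return (line_no, image_ref, verdict) for every Trivy image reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            tag, digest = m.group("tag"), m.group("digest")
            if tag in AFFECTED_TAGS:
                verdict = "AFFECTED"       # known-compromised tag: rebuild, rotate secrets
            elif digest:
                verdict = "DIGEST_PINNED"  # immutable; compare against the vendor's digest
            elif tag is None or tag == "latest":
                verdict = "UNPINNED"       # mutable tag: which build ran is unknown
            else:
                verdict = "OK"
            findings.append((line_no, m.group(0), verdict))
    return findings


def affected_lines(text):
    """Line numbers that reference a known-compromised tag."""
    return [n for n, _, v in audit_trivy_refs(text) if v == "AFFECTED"]


# Constructed sample input mixing Dockerfile and compose/CI lines.
SAMPLE = "\n".join([
    "FROM aquasec/trivy:0.69.5",
    "image: ghcr.io/aquasecurity/trivy:0.69.6",
    "image: aquasec/trivy:latest",
    "image: docker.io/aquasec/trivy:0.68.0",
    "image: aquasec/trivy@sha256:" + "0123456789abcdef" * 4,
    "image: aquasec/trivy-db:2",
])

if __name__ == "__main__":
    for line_no, ref, verdict in audit_trivy_refs(SAMPLE):
        print(f"{line_no}: {verdict:14} {ref}")
```

Run it over `find . -name Dockerfile -o -name '*.yml'` output; an AFFECTED or UNPINNED hit on a runner is the cue to check that host's pulled images and the credentials the job could reach.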
The Copyright Notice That Steals Your Data
While TeamPCP was busy with infrastructure attacks, we’re also seeing a separate but equally clever social engineering campaign. Attackers are hiding infostealers in fake copyright infringement notices, targeting healthcare, government, hospitality, and education sectors across multiple countries.
This approach is particularly effective because copyright notices create a sense of urgency and legitimacy that bypasses a lot of our usual skepticism. The phishing campaign uses several evasion techniques to avoid detection, which suggests the operators understand how modern email security works and are actively working around it.
What strikes me about this campaign is how it targets sectors that often have complex IT environments but may not have the same security resources as financial institutions or tech companies. Healthcare and education, in particular, have been struggling with cybersecurity investments, making them attractive targets for this kind of broad-spectrum attack.
Ransomware Keeps Hitting Critical Infrastructure
Adding to this week’s theme of varied attack vectors, Trio-Tech International—a semiconductor testing and assembly services company—disclosed that ransomware hit their Singapore subsidiary. While we don’t have details about the specific ransomware family or attack vector, this continues the concerning trend of attacks against semiconductor industry companies.
The timing is particularly notable given ongoing global supply chain concerns around chip manufacturing and testing. These attacks against semiconductor companies aren’t just about immediate financial impact—they can ripple through entire technology supply chains.
What This Means for Our Defense Strategies
Looking at these incidents together, a few patterns emerge that should inform how we’re thinking about security right now. First, attackers are getting more sophisticated about combining multiple attack vectors in coordinated campaigns. TeamPCP’s simultaneous targeting of Kubernetes infrastructure and CI/CD tools suggests they understand how modern development and deployment workflows actually work.
Second, the geographic targeting in the Kubernetes wiper shows that even criminal groups are adopting techniques we typically associate with nation-state actors. This means we need to think more carefully about geopolitical risks even in what might seem like routine cybercriminal activity.
Finally, the success of these supply chain attacks against tools like Trivy highlights how our security practices can become attack vectors themselves. As we integrate more automated security tools into our workflows, we need to be just as careful about securing those tools as we are about the applications they’re meant to protect.
The key takeaway? Defense in depth isn’t just about layering different security controls—it’s about ensuring that each layer is independently verified and that our security tools themselves are part of our threat model.
Sources
- TeamPCP deploys Iran-targeted wiper in Kubernetes attacks
- Attackers Hide Infostealer in Copyright Infringement Notices
- Trivy Supply Chain Attack Expands With New Compromised Docker Images
- Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware
- Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More