
A previously unknown hacking collective designated as TeamPCP has initiated a sustained offensive across the internet, distributing a novel self-propagating backdoor alongside a data destruction tool focused on systems in Iran. Security analysts at Flare first detected this group in December, noting its deployment of a worm that exploited inadequately secured cloud platforms. The operation aimed to establish a distributed network for proxy services and scanning, subsequently hijacking servers to steal data, install ransomware, execute extortion schemes, and mine digital currencies. TeamPCP distinguishes itself through advanced automation capabilities and the adept incorporation of established attack methodologies.
TeamPCP’s activities have intensified with a continuously evolving malware suite designed to expand its control over additional systems. In a significant escalation late last week, the group executed a supply-chain attack by breaching the GitHub account of Aqua Security, the developer behind the widely adopted Trivy vulnerability scanner. This compromise affected nearly all versions of Trivy, enabling the distribution of malicious code through trusted software channels.
Over the weekend, researchers observed TeamPCP distributing a worm-enabled variant of the malware that propagates autonomously, with no user interaction. Once on a machine, it hunts for npm credentials and compromises every package those credentials can publish, pushing a new version of each with malicious code embedded. According to Aikido, the worm targeted 28 packages within 60 seconds. Early iterations still required the operators to manually push malicious versions to the packages reachable with a stolen npm token; the versions released over the weekend automate that step, significantly broadening the worm's reach.
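Two checks a defender would want after reading the above, written here as an added example (not code from the article, from Aikido, or from the campaign): find npm auth tokens sitting on disk where a worm would look for them, and flag dependencies whose resolved version was published only hours before the check. The lockfile, the registry "time" metadata and the token strings below are constructed for this example; the lockfile layout and the `//host/:_authToken=` line format are the real npm conventions.

```python
"""
Find npm auth tokens in .npmrc content and flag dependencies whose resolved
version was published within a short window, using the "time" map that the
registry returns for a package (https://registry.npmjs.org/<name>).
All sample data below is constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-widget": "^1.4.0", "tiny-util": "^2.0.0"}},
        "node_modules/left-widget": {"version": "1.4.1"},
        "node_modules/tiny-util": {"version": "2.0.3"},
    },
})

# Constructed registry metadata; only the "time" map is used here.
SAMPLE_PACKUMENTS = {
    "left-widget": {"time": {
        "created": "2024-01-10T08:00:00.000Z",
        "1.4.0": "2025-11-02T10:12:00.000Z",
        "1.4.1": "2026-03-22T03:41:09.000Z",   # pushed hours before the check
    }},
    "tiny-util": {"time": {
        "created": "2023-05-01T00:00:00.000Z",
        "2.0.3": "2025-06-15T12:00:00.000Z",
    }},
}

# Constructed .npmrc; the npm_... value is a placeholder, not a real token.
SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken0000000000000000000000000
//npm.example.internal/:_authToken=${NPM_TOKEN}
"""

# npm stores registry credentials as  //<host>/:_authToken=<token>
NPMRC_TOKEN_RE = re.compile(r"^\s*//([^/\s]+)/:_authToken\s*=\s*(\S+)", re.M)


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def resolved_versions(lock_json):
    """Return {package_name: version} from a v2/v3 package-lock.json.

    Nested copies (node_modules/a/node_modules/b) collapse onto one key,
    which is enough for a triage pass.
    """
    lock = json.loads(lock_json)
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue                       # "" is the root project entry
        name = path.rsplit("node_modules/", 1)[1]   # keeps @scope/name intact
        if "version" in meta:
            out[name] = meta["version"]
    return out


def recently_published(lock_json, packuments, now_iso, window=timedelta(hours=48)):
    """Return [(name, version, published_at_iso)] for versions newer than now-window."""
    now = parse_time(now_iso)
    hits = []
    for name, ver in resolved_versions(lock_json).items():
        times = packuments.get(name, {}).get("time", {})
        if ver not in times:
            continue
        published = parse_time(times[ver])
        if now - published < window:
            hits.append((name, ver, times[ver]))
    return hits


def npmrc_tokens(text):
    """Return [(registry_host, token)] for literal tokens; env-var placeholders are skipped."""
    return [(host, tok) for host, tok in NPMRC_TOKEN_RE.findall(text)
            if not tok.startswith("${")]


if __name__ == "__main__":
    for name, ver, when in recently_published(SAMPLE_LOCK, SAMPLE_PACKUMENTS,
                                              "2026-03-22T12:00:00Z"):
        print(f"REVIEW {name}@{ver}: published {when}, inspect before installing")
    for host, tok in npmrc_tokens(SAMPLE_NPMRC):
        print(f"TOKEN on disk for {host}: {tok[:8]}... rotate it if this host is suspect")
```

A version pushed hours ago is not proof of compromise, but in a campaign that mass-publishes tainted versions it is the cheapest signal to pin on, and the token scan tells you which registries need credential rotation if a machine was infected.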
The worm uses an unusual, takedown-resistant control channel: an Internet Computer Protocol canister, a smart contract that executes on the ICP network and cannot easily be altered or removed by a third party. The canister directs infected machines to URLs hosting the current malicious binaries, and because the attackers can update the canister's contents, they can rotate payload servers without touching the malware already deployed. Infected systems check in with the canister every 50 minutes, keeping the channel live.
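A fixed 50-minute check-in is exactly the kind of regularity that timing analysis over proxy or DNS logs can surface even when the destination rotates. The block below is an added example of that detection logic, not code from the article or from the researchers it cites: the log format, the hostnames (boundary.example.net is a placeholder, not an indicator from this campaign) and every log line are constructed.

```python
"""
Flag (source, destination) pairs whose request timing is suspiciously
regular, the signal a timer-driven check-in leaves in proxy logs.
The log format and every line below are constructed for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: "<ISO-8601 UTC timestamp> <src_ip> <dest_host> <path>"
# 10.0.0.5 polls boundary.example.net every ~50 minutes with small jitter and
# browses www.example.com at irregular times in between.
SAMPLE_LOG = """\
2026-03-22T00:00:11Z 10.0.0.5 boundary.example.net /api/v2/canister/query
2026-03-22T00:03:00Z 10.0.0.5 www.example.com /index.html
2026-03-22T00:05:30Z 10.0.0.5 www.example.com /news
2026-03-22T00:50:14Z 10.0.0.5 boundary.example.net /api/v2/canister/query
2026-03-22T01:12:00Z 10.0.0.5 www.example.com /about
2026-03-22T01:40:09Z 10.0.0.5 boundary.example.net /api/v2/canister/query
2026-03-22T02:30:20Z 10.0.0.5 boundary.example.net /api/v2/canister/query
2026-03-22T02:31:00Z 10.0.0.9 boundary.example.net /api/v2/canister/query
2026-03-22T03:20:05Z 10.0.0.5 boundary.example.net /api/v2/canister/query
2026-03-22T03:45:00Z 10.0.0.5 www.example.com /contact
2026-03-22T04:10:12Z 10.0.0.5 boundary.example.net /api/v2/canister/query
this line is malformed and must be skipped
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_events=4, max_cv=0.10):
    """Return [(src, dst, count, mean_interval_s, cv)] for regular check-ins.

    cv is stdev/mean of the gaps between consecutive requests. Human
    browsing is bursty (cv well above 1); a timer with a little jitter
    gives a cv near zero regardless of what the interval is.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in seen.items():
        if len(times) < min_events:
            continue                      # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, dst, len(times), round(mean, 1), round(cv, 4)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, n, mean_s, cv in find_beacons(SAMPLE_LOG):
        print(f"BEACON {src} -> {dst}: {n} requests every ~{mean_s / 60:.1f} min (cv={cv})")
```

The interval is deliberately not hard-coded to 50 minutes: the same check catches any fixed cadence, and a change of payload URL does not help the attacker because the key is the source and the front-end host, not the path.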
Curiously, the campaign includes a data wiper component specifically aimed at Iranian machines, though the exact motives behind this targeting remain unclear. TeamPCP’s relentless and adaptive approach underscores the growing sophistication of threats leveraging automation and supply-chain vulnerabilities to achieve widespread compromise.
