TeamPCP just made their malware significantly harder to kill.

Their new payload, CanisterWorm, puts its command-and-control resolver on an ICP blockchain canister – basically a smart contract running on a decentralized network. No domain to seize. No hosting provider to call. No takedown notice that matters. It runs as long as the Internet Computer runs.

The first two versions required Kubernetes, which at least scoped the threat to cloud-native environments. The third iteration dropped that requirement. It now runs anywhere.

Here’s the part that doesn’t fit neatly into a financial motivation narrative: the payload checks the infected system’s timezone and language. If it lands on an Iranian-configured machine, it wipes. Everyone else gets a persistent backdoor. Two completely different behaviors from the same malware, triggered by geography.

Whether that’s genuine political targeting or a clever misdirection is unclear. What’s not unclear is that the blockchain C2 technique is real, it works, and other groups will notice.

If your CI/CD pipeline touched Trivy Docker images (0.69.4 through 0.69.6) or LiteLLM versions 1.82.7 or 1.82.8, assume compromise.
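A quick way to act on those version ranges is to sweep your pipeline definitions for pinned references and flag anything inside them. The script below is an added example, not code from the post or from either project; it assumes the Trivy image is referenced by a `.../trivy:<tag>` image ref and LiteLLM by a `litellm==<version>` pip pin, and it treats an unpinned `trivy:latest` as something you must resolve by digest rather than clear from the config alone.

```python
import re
from typing import List, Tuple

# Version ranges named in the post (inclusive). The image and package names
# are assumptions for illustration; the post only says "Trivy Docker images"
# and "LiteLLM versions".
AFFECTED = {
    "trivy":   ("0.69.4", "0.69.6"),
    "litellm": ("1.82.7", "1.82.8"),
}

# Container image refs such as aquasec/trivy:0.69.5 or .../trivy:v0.69.4
TRIVY_RE = re.compile(r"\btrivy:v?(\d+(?:\.\d+)+)\b")
# pip pins such as litellm==1.82.7 or litellm[proxy]==1.82.8
LITELLM_RE = re.compile(r"\blitellm(?:\[[^\]]*\])?==(\d+(?:\.\d+)+)\b")
# A floating tag cannot be cleared from the config alone; surface it separately.
FLOATING_RE = re.compile(r"\btrivy:(latest)\b")


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '0.69.5' into (0, 69, 5) so ranges compare numerically."""
    return tuple(int(part) for part in s.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def find_affected(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, component, version) for every hit in pipeline text."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for comp, rx in (("trivy", TRIVY_RE), ("litellm", LITELLM_RE)):
            for m in rx.finditer(line):
                if in_range(m.group(1), *AFFECTED[comp]):
                    hits.append((no, comp, m.group(1)))
        for _ in FLOATING_RE.finditer(line):
            hits.append((no, "trivy", "latest (unpinned, verify by digest)"))
    return hits


# Constructed sample of CI configuration lines; not taken from any real pipeline.
SAMPLE = [
    "      - uses: docker://aquasec/trivy:0.69.5",
    "      image: ghcr.io/aquasecurity/trivy:v0.69.3",
    "      run: pip install litellm==1.82.8 requests==2.31.0",
    "      run: pip install 'litellm[proxy]==1.82.6'",
    "      image: aquasec/trivy:latest",
]

if __name__ == "__main__":
    for no, comp, ver in find_affected(SAMPLE):
        print(f"line {no}: {comp} {ver}")
```

Run it over the concatenated workflow files, Dockerfiles and requirements files from the period in question; a hit means the pipeline pulled an affected build and should be treated as compromised per the post.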


Full breakdown of how the blockchain C2 works, why it breaks the standard defender playbook, and the IOCs you need.