CanisterWorm Worm Targets Iran via Cloud Services, Wipes Data
Security researchers at SecureSphere Labs have uncovered a new file‑wiping worm they have named CanisterWorm, attributed to a financially motivated threat actor tracked under the alias CactusJack. The group is leveraging the ongoing Iran‑related tensions to boost its extortion schemes, advertising “Iranian data leaks” on a popular dark‑web leak site and demanding ransoms for the return of stolen information. The campaign first came to light after an Iranian logistics firm reported massive data loss from its cloud backups.
CanisterWorm is a Go‑compiled Windows executable that spreads by exploiting poorly secured cloud‑storage configurations. It harvests API keys and OAuth tokens from exposed environment variables, then uses the AWS CLI, Azure CLI, and Google Cloud SDK to enumerate and copy itself into public S3 buckets, Azure Blob containers, and Google Drive folders. Once resident, the worm creates a scheduled task named “CanisterUpdate” that runs the payload every 15 minutes. Before wiping, the malware exfiltrates targeted file types (documents, databases, backups) over HTTPS using AES‑256‑encrypted packets, storing the data on a command‑and‑control server operated by CactusJack. To make recovery impossible, it deletes Volume Shadow Copies and overwrites affected files with random bytes using the Windows cipher /w command.
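The two misconfigurations the paragraph above describes, public bucket ACLs that allow strangers to write objects and cloud credentials sitting in process environment variables, can be audited offline. The following is an added example written for this page, not code from SecureSphere Labs or from the worm's analysis. It reads an S3 bucket ACL in the shape that boto3's get_bucket_acl() returns and a process environment mapping; the list of credential variable names and all sample data are constructed assumptions.

```python
"""Offline audit helpers for the cloud misconfigurations CanisterWorm abuses.

Added example, not code from the page. Inputs: an S3 bucket ACL dict in the
shape boto3.client('s3').get_bucket_acl() returns, and a process environment
mapping. All sample data below is constructed.
"""
from typing import Dict, List

# Grantee URIs AWS uses for its two public groups.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Permissions that let a stranger add objects (the step the worm uses to spread).
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Environment variable names that commonly carry long-lived cloud credentials.
# The page says the worm harvests keys and tokens from exposed environment
# variables but does not list names; this list is an assumption.
CREDENTIAL_ENV_VARS = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "AZURE_CLIENT_SECRET", "AZURE_STORAGE_KEY",
    "GOOGLE_APPLICATION_CREDENTIALS", "GCLOUD_ACCESS_TOKEN",
}


def public_acl_findings(acl: Dict) -> List[str]:
    """Return one finding per ACL grant that exposes the bucket to a public group.

    Every public grant is reported; write-capable grants are marked CRITICAL
    because they let anyone plant objects in the bucket.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if group is None:
            continue
        perm = grant.get("Permission", "")
        severity = "CRITICAL" if perm in WRITE_PERMS else "WARNING"
        findings.append(f"{severity}: {group} has {perm}")
    return findings


def exposed_credentials(env: Dict[str, str]) -> List[str]:
    """Return the credential-bearing variable names that are present and non-empty."""
    return sorted(k for k, v in env.items() if k in CREDENTIAL_ENV_VARS and v)


# Constructed sample: an owner grant, a public-read grant and a public-write
# grant, plus a container environment that leaks AWS keys.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "AWS_ACCESS_KEY_ID": "AKIA-PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY": "secret-placeholder",
    "AZURE_CLIENT_SECRET": "",   # defined but empty: not reported
}

if __name__ == "__main__":
    for finding in public_acl_findings(SAMPLE_ACL):
        print(finding)
    print("credential variables exposed:", exposed_credentials(SAMPLE_ENV))
```

Against real accounts the ACL dict would come from boto3 and the environment from a container or task definition; the point of the two checks is that a public WRITE grant and a leaked key are exactly the pair the worm needs, so either one alone should be treated as a finding.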
Analysts at ThreatCurve Intelligence correlate CactusJack’s TTPs with earlier financially motivated intrusions in the Middle East, noting the group’s reliance on cloud‑service misconfigurations as its primary infection vector. The worm’s use of legitimate cloud‑management tools and its creation of a benign‑looking scheduled task illustrate a trend among ransomware‑affiliated actors to masquerade as routine system maintenance. Despite the group’s claims of a geopolitical motive, the primary driver remains profit: victims are pressured with the threat of public data leaks if the ransom is not paid.
Organizations are advised to audit their cloud environments for overly permissive ACLs, enforce multi‑factor authentication on all storage accounts, rotate API keys regularly, and monitor for the presence of the scheduled task “CanisterUpdate.” Indicators of compromise (IOCs) include the file hash SHA‑256 a3f8c2e9d7b4f6a0c1e9d3b2f8c5a7e9d4b1c3f2a0e6 and network traffic to the IP 185.220.101.47. Security teams should also implement behavioral detection rules that flag sudden mass‑deletion of shadow copies and large‑scale file overwrite operations on cloud‑mounted drives.
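The indicators and behavioural rules recommended above can be expressed as a small detection pass over endpoint telemetry. The following is an added example written for this page, not detection content from SecureSphere Labs or ThreatCurve Intelligence. The line format ("<timestamp> <host> <event> key=value ...") and all sample lines are constructed; the scheduled-task name, C2 address and file hash are copied exactly as printed in the advisory (the hash is compared as given, even though it is shorter than a full SHA-256 digest), and the shadow-copy deletion pattern is an assumption, since the advisory names only the cipher /w command.

```python
"""Detection pass for the CanisterWorm IOCs and wiper behaviours in the advisory.

Added example, not code from the page. Telemetry format is an assumption:
'<ISO timestamp> <host> <event> key=value key="quoted value" ...'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Atomic indicators, copied as printed in the advisory.
IOC_TASK_NAME = "CanisterUpdate"
IOC_C2_IP = "185.220.101.47"
IOC_SHA256 = "a3f8c2e9d7b4f6a0c1e9d3b2f8c5a7e9d4b1c3f2a0e6"  # compared as given

# Behavioural patterns. "cipher /w" is named in the advisory; the shadow-copy
# deletion command is not, so the vssadmin pattern is an assumption.
WIPE_CMD_PATTERNS = [
    re.compile(r"\bcipher(\.exe)?\s+/w", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
]
MASS_OVERWRITE_THRESHOLD = 5                    # overwrite events per host ...
MASS_OVERWRITE_WINDOW = timedelta(seconds=60)   # ... within this sliding window

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, object]:
    """Split one telemetry line into a dict with ts, host, event and key=value fields."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed telemetry line: {line!r}")
    rec: Dict[str, object] = {
        "ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
        "host": parts[1],
        "event": parts[2],
    }
    for key, quoted, bare in KV_RE.findall(parts[3] if len(parts) == 4 else ""):
        rec[key] = quoted if quoted else bare
    return rec


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per matched indicator or behaviour, in input order."""
    alerts: List[str] = []
    overwrites = defaultdict(list)   # host -> timestamps of recent file_overwrite events
    flagged_mass = set()             # hosts already alerted for mass overwrite
    for line in lines:
        rec = parse_line(line)
        host, ev = rec["host"], rec["event"]
        if ev == "task_create" and rec.get("name") == IOC_TASK_NAME:
            alerts.append(f"{host}: IOC scheduled task '{IOC_TASK_NAME}' created")
        elif ev == "net_conn" and str(rec.get("dst", "")).split(":")[0] == IOC_C2_IP:
            alerts.append(f"{host}: IOC connection to C2 {IOC_C2_IP}")
        elif ev == "file_hash" and str(rec.get("sha256", "")).lower() == IOC_SHA256:
            alerts.append(f"{host}: IOC file hash match at {rec.get('path')}")
        elif ev == "proc_start":
            cmd = str(rec.get("cmd", ""))
            if any(p.search(cmd) for p in WIPE_CMD_PATTERNS):
                alerts.append(f"{host}: wiper-style command: {cmd}")
        elif ev == "file_overwrite":
            window = overwrites[host]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > MASS_OVERWRITE_WINDOW:
                window.pop(0)   # expire events outside the sliding window
            if len(window) >= MASS_OVERWRITE_THRESHOLD and host not in flagged_mass:
                flagged_mass.add(host)
                alerts.append(f"{host}: {len(window)} file overwrites within "
                              f"{MASS_OVERWRITE_WINDOW.seconds}s")
    return alerts


# Constructed sample telemetry: one infected host (srv01) and one clean host (ws07).
SAMPLE_TELEMETRY = [
    '2025-03-01T08:00:00Z srv01 task_create name=CanisterUpdate trigger=every15min',
    '2025-03-01T08:00:02Z srv01 net_conn dst=185.220.101.47:443 proto=tcp',
    '2025-03-01T08:00:03Z srv01 file_hash path="C:\\ProgramData\\upd.exe" '
    'sha256=A3F8C2E9D7B4F6A0C1E9D3B2F8C5A7E9D4B1C3F2A0E6',
    '2025-03-01T08:00:04Z srv01 proc_start cmd="vssadmin.exe delete shadows /all"',
    '2025-03-01T08:00:05Z srv01 proc_start cmd="cipher.exe /w:Z:\\"',
    '2025-03-01T08:00:06Z srv01 file_overwrite path="Z:\\backups\\db1.bak"',
    '2025-03-01T08:00:07Z srv01 file_overwrite path="Z:\\backups\\db2.bak"',
    '2025-03-01T08:00:08Z srv01 file_overwrite path="Z:\\backups\\db3.bak"',
    '2025-03-01T08:00:09Z srv01 file_overwrite path="Z:\\backups\\db4.bak"',
    '2025-03-01T08:00:10Z srv01 file_overwrite path="Z:\\backups\\db5.bak"',
    '2025-03-01T08:01:00Z ws07 net_conn dst=10.0.0.5:445 proto=tcp',
    '2025-03-01T08:01:01Z ws07 task_create name=RoutineBackupTask',
    '2025-03-01T09:00:00Z ws07 file_overwrite path="Z:\\report.docx"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert)
```

The atomic IOC matches are cheap but brittle (a rebuilt binary or a new C2 address defeats them), while the two behavioural rules, wiper-style command lines and a burst of overwrites on one host, survive such changes at the cost of needing a threshold tuned to the environment's normal write rate.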