CanisterWiper Worm Targets Iran via Misconfigured Cloud Storage
A criminal group deployed the self-propagating CanisterWiper malware against Iranian entities, exploiting misconfigured cloud storage to spread and destroy data.
A financially motivated cybercrime group has injected itself into the ongoing geopolitical conflict by deploying a novel, self-propagating wiper malware against organizations in Iran. Simultaneously, a separate Iran-aligned threat actor is claiming destructive attacks against a major Western medical technology firm. This dual wave of data destruction, targeting both Iranian entities and a U.S.-based corporation, highlights the increasingly blurred lines between criminal and state-aligned cyber operations, where geopolitical tensions create new opportunities and cover for malicious activity. The primary threat from the criminal side is a worm dubbed CanisterWorm, designed to spread through misconfigured cloud storage and obliterate data on systems with specific Iranian attributes.
How CanisterWorm Spreads via Cloud Storage and Triggers Its Wiper
According to researchers, the CanisterWorm campaign begins with the threat actor scanning for publicly exposed and poorly secured cloud storage services, such as Redis instances. The attackers exploit these misconfigurations to gain an initial foothold. Once access is achieved, they deploy a malicious binary that functions as a self-replicating worm. This worm is engineered to continuously scan for other vulnerable cloud services, propagating itself autonomously across networks and infrastructure in a manner reminiscent of historical worms like WannaCry, but with a more targeted destructive payload.
The worm’s final destructive action is conditional and demonstrates a clear focus on Iranian targets. Before executing its data-wiping function, the malware performs checks on the infected host. It looks for two specific indicators: whether the system’s time zone is set to Iran Standard Time (IRST) and whether the Farsi language is installed as the default system language. Only if both these conditions are met does the worm activate its wiper component. This component is designed to overwrite files and directories with random data, rendering them irrecoverable, and also attempts to disrupt system recovery by targeting specific files and configurations to cripple the operating system. This conditional logic suggests the criminal actors are attempting to geographically contain their damage while still fulfilling a disruptive agenda, potentially for hire or to capitalize on the chaotic cyber landscape.
Dual Impact: Criminal Wiper Targets Iran, While Hacktivists Attack Medical Tech
The impact of these parallel campaigns is significant and multifaceted. The CanisterWorm operation represents a direct threat to organizations within Iran that rely on cloud services. Its wormable nature means a single initial infection in a connected environment could lead to widespread, cascading data loss across multiple systems and networks, causing substantial operational disruption. The attackers' motives appear to be a hybrid of financial gain and hacktivism; in addition to the wiper, the group has engaged in data theft and extortion, threatening to leak stolen information unless a ransom is paid.
In a seemingly related but distinct offensive, an Iran-aligned hacktivist group known as Soldiers of Solomon has claimed responsibility for a data-wiping attack against Stryker, a Fortune 500 medical technology company headquartered in Michigan. Reports from Ireland, where Stryker has a major operations hub, indicated the company experienced a serious IT outage and disruption to business operations. While technical details of this attack are less clear, the public claim by a group with links to Iranian intelligence agencies signals an escalation in targeting. Attacking a major medical technology firm crosses a commonly observed tacit line in cyber conflict, where healthcare and medical services are often considered off-limits due to the potential for real-world harm.
The timing and nature of these two events—a criminal worm targeting Iran and an Iran-backed wiper hitting a U.S. medical firm—create a complex threat landscape. It raises the possibility of retaliatory cycles or the use of criminal activity as a proxy or camouflage for state-aligned actions. For defenders, the key takeaway is that the threat of destructive malware is now emanating from both sophisticated criminal actors leveraging geopolitical cover and from established state-aligned groups willing to target critical civilian infrastructure.
Detection Guidance and Indicators of Compromise for CanisterWorm
Defense against the CanisterWorm threat requires a multi-layered approach focusing on configuration hygiene, network monitoring, and endpoint detection. The initial infection vector hinges on improperly secured cloud services. Therefore, the primary defensive action is to audit and harden any internet-facing services, ensuring they are not left in a default or publicly writable state. Specifically, Redis and similar data storage systems should be placed behind firewalls, require authentication, and have all non-essential network ports closed.
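As an added illustration of the configuration audit described above (example code written for this article, not a tool from the researchers or from the Redis project), the script below parses a redis.conf file and reports the settings that leave an instance open to the initial-access pattern the article describes: binding to all interfaces, protected mode off, no password, and administrative commands left reachable. Both configs are constructed samples; the `requirepass` value is a placeholder.

```python
# Constructed weak redis.conf (sample input, not taken from any real host)
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is not set, so any client on the network can issue commands
"""

# Constructed hardened counterpart; the password is a placeholder value
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass PLACEHOLDER_STRONG_PASSWORD
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

def parse_conf(text):
    """Return {directive: [value, ...]} for every non-comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf

def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weak setting found.
    Only the classic directives are checked; Redis 6+ ACL 'user' lines are
    out of scope for this example."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", [])
    # An absent 'bind' means Redis listens on every interface.
    if not binds or any("0.0.0.0" in v or v.startswith("*") for v in binds):
        findings.append("bind: instance listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass") or conf["requirepass"][0] in ("", '""'):
        findings.append("requirepass: no authentication required")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by clients")
    return findings
```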
Network defenders should monitor for anomalous scanning activity originating from within their own infrastructure, as the worm seeks new cloud service targets. Unusual outbound connections on ports associated with Redis (6379) or other database services from non-server workstations could be an indicator of compromise. On the endpoint, security teams should look for processes attempting to read system locale and time zone settings followed immediately by aggressive file system overwrite operations.
While specific file hashes and domains for this campaign will evolve, behavioral detection rules are more durable. Security tools should be configured to alert on:
- Processes that perform system language/time zone checks and then immediately begin enumerating and writing to a high volume of files.
- Attempts to disable volume shadow copies or other backup restoration features, a common tactic in wiper malware.
- The creation or execution of suspicious binaries in temporary directories or from cloud storage mount points.
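The behavioral sequence in the two preceding passages (locale or time-zone reconnaissance followed by mass file writes, plus any attempt to disable backup features) can be expressed as a simple correlation rule. The script below is an added example written for this article, not detection logic from the researchers; the telemetry format (timestamp, pid, process name, operation, detail) and the sample events are constructed assumptions standing in for whatever an EDR exports.

```python
from collections import defaultdict

# Setting names whose read counts as wiper-style reconnaissance
RECON_KEYS = {"timezone", "locale", "language"}

def _sample_events():
    """Constructed telemetry: (ts_seconds, pid, process, op, detail)."""
    ev = [
        (100.0, 4242, "svc.bin", "read_setting", "timezone"),
        (100.2, 4242, "svc.bin", "read_setting", "locale"),
    ]
    # 600 overwrites in the seconds right after the checks (constructed)
    ev += [(101.0 + i * 0.005, 4242, "svc.bin", "file_write", f"/data/f{i}")
           for i in range(600)]
    ev.append((105.0, 4242, "svc.bin", "backup_disable", "shadow copies"))
    # Benign editor: reads the locale, then saves a single file
    ev += [(200.0, 777, "editor", "read_setting", "locale"),
           (201.0, 777, "editor", "file_write", "/home/u/notes.txt")]
    # Backup agent: many writes but no locale/time-zone reconnaissance
    ev += [(300.0 + i * 0.01, 900, "bkagent", "file_write", f"/bk/{i}")
           for i in range(1000)]
    return ev

SAMPLE_EVENTS = _sample_events()

def detect_wiper(events, window=30.0, write_threshold=200):
    """Return {pid: [reasons]} for processes matching the wiper pattern."""
    by_pid = defaultdict(list)
    for e in sorted(events):
        by_pid[e[1]].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        reasons = []
        # First locale/time-zone read opens the correlation window
        recon_ts = next((ts for ts, _, _, op, d in evs
                         if op == "read_setting" and d in RECON_KEYS), None)
        if recon_ts is not None:
            writes = sum(1 for ts, _, _, op, _ in evs
                         if op == "file_write" and recon_ts <= ts <= recon_ts + window)
            if writes >= write_threshold:
                reasons.append(f"{writes} file writes within {window:g}s of locale/time-zone check")
        if any(op == "backup_disable" for _, _, _, op, _ in evs):
            reasons.append("attempt to disable backup/recovery feature")
        if reasons:
            alerts[pid] = reasons
    return alerts
```

The write threshold and window are tuning knobs; the backup-agent sample shows why the rule requires the reconnaissance step first rather than alerting on write volume alone.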
Organizations, especially those with any presence or connection to regions involved in geopolitical conflicts, should also consider deploying canary files in key directories to trigger alerts if files are unexpectedly modified or deleted. For more on analyzing wiper malware, review our guide on malware analysis techniques.
Key Takeaways
- Harden Internet-Facing Cloud Services Immediately: Conduct urgent audits of all publicly accessible cloud storage, database, and management interfaces (like Redis, AWS S3 buckets, Azure Blob Storage). Ensure they are not using default credentials, are configured with the principle of least privilege, and are not exposed to the entire internet unless absolutely necessary. This single step blocks the primary infection vector for the CanisterWorm.
- Implement Behavioral Detection for Wiper Activity: Beyond signature-based detection, deploy endpoint and network monitoring rules that look for the behavioral sequence of a wiper: system reconnaissance (checking locale/time), followed by mass file system writes or deletion, and attempts to disable backup or recovery mechanisms. This helps catch novel or updated wiper variants.
- Prepare Isolation and Recovery Protocols for Destructive Attacks: Assume a destructive attack can occur. Ensure robust, offline, and immutable backups are maintained and regularly tested. Have a clear incident response plan that includes the rapid network isolation of infected segments to prevent worm-like propagation, as seen with CanisterWorm.
- Heighten Vigilance Amid Geopolitical Tension: During periods of open geopolitical conflict, organizations—particularly in critical sectors like healthcare, energy, and technology—should be aware of increased risk from both state-aligned and opportunistic criminal actors. Threat intelligence feeds should be monitored for claims and tactics related to relevant adversary groups.