CanisterWorm unleashes data‑wiping attack on Iranian ministries and energy sector
KrebsOnSecurity confirmed that the CanisterWorm wiper has been activated against multiple Iranian government ministries and state‑owned energy companies. The payload encrypts files, overwrites critical system data, and then deletes itself, rendering infected hosts inoperable. It incorporates sophisticated evasion techniques, including checks for sandbox or analysis environments and a delayed execution timer designed to extend its presence before triggering the destructive phase.
The attack has already caused widespread data loss and halted critical services, raising the risk of cascading failures across energy distribution and public administration functions. Defenders worldwide should update detection rules to flag CanisterWorm’s unique indicators—such as its specific file‑less dropper, delayed payload activation patterns, and the use of custom encryption routines—to prevent spillover or copycat attacks and to strengthen incident response capabilities.
Categories: Malware & Ransomware, Threat Intelligence