An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering higher payouts to cybercriminals who launch attacks against Israel and the U.S.
The financially motivated scheme, now operating under the moniker Pay2Key.I2P, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).
“Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, […] Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities,” Morphisec security researcher Ilia Kulmin said.
“Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.”
Last year, the U.S. government revealed the advanced persistent threat’s (APT) modus operandi of carrying out ransomware attacks by covertly partnering with the NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.
The use of Pay2Key by Iranian threat actors goes back to October 2020, when the attacks targeted Israeli companies by exploiting known security vulnerabilities.
Pay2Key.I2P, per Morphisec, emerged on the scene in February 2025, claiming over 51 successful ransom payouts in four months, netting it more than $4 million in ransom payments and $100,000 in profits for individual operators.
While the financial motive is apparent and evidently effective, there is also an underlying ideological agenda: the campaign appears to be a case of cyber warfare waged against targets in Israel and the U.S.
A notable aspect of the latest variant of Pay2Key.I2P is that it is the first known RaaS platform to be hosted on the Invisible Internet Project (I2P).
“While some malware families have used I2P for [command-and-control] communication, this is a step further – a Ransomware-as-a-Service operation running its infrastructure directly on I2P,” Swiss cybersecurity company PRODAFT said in a post shared on X in March 2025. The post was subsequently reposted by Pay2Key.I2P’s own X account.
What’s more, Pay2Key.I2P has been observed posting on a Russian darknet forum, offering anyone who deploys the ransomware binary a $20,000 payout per successful attack, marking a shift in RaaS operations. The post was made by a user named “Isreactive” on February 20, 2025.
“Unlike traditional Ransomware-as-a-Service (RaaS) models, where developers take a cut only from selling the ransomware, this model allows them to capture the full ransom from successful attacks, only sharing a portion with the attackers who deploy it,” Kulmin noted at the time.
“This shift moves away from a simple tool-sale model, creating a more decentralized ecosystem, where ransomware developers earn from attack success rather than just from selling the tool.”
As of June 2025, the ransomware builder includes an option to target Linux systems, indicating that the threat actors are actively refining and improving the locker’s functionality. The Windows counterpart, on the other hand, is delivered as a Windows executable inside a self-extracting (SFX) archive.
It also incorporates various evasion techniques that allow it to run unimpeded, disabling Microsoft Defender Antivirus and deleting the malicious artifacts deployed as part of the attack to minimize the forensic trail.
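The two behaviours just described, Defender being switched off and artifacts being removed to thin the forensic trail, both leave host-side traces that a responder can check for quickly. The following PowerShell triage script is an added example, not code from Morphisec or from the article, and it does not detect Pay2Key specifically; it surfaces the generic signals of that tradecraft on one Windows host. The registry paths and event IDs are Microsoft’s documented Defender policy keys and Defender/Security/System log events; the 24-hour look-back window and the output format are assumptions made here for illustration.

```powershell
# Added example: quick triage for Defender tampering and event-log clearing on a single host.
# Run in an elevated PowerShell session. $Since is an assumed window; set it to the incident timeframe.
$Since    = (Get-Date).AddHours(-24)
$Findings = @()

# 1. Defender's own view of its state.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $Findings += "Defender antivirus engine is disabled" }
if (-not $status.RealTimeProtectionEnabled) { $Findings += "Defender real-time protection is disabled" }
if (-not $status.IsTamperProtected)         { $Findings += "Tamper Protection is off (a local admin can disable Defender)" }

# 2. Policy registry values that switch Defender off when set to 1.
$policyKeys = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                      = @('DisableAntiSpyware', 'DisableAntiVirus')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring')
}
foreach ($path in $policyKeys.Keys) {
    foreach ($name in $policyKeys[$path]) {
        # Missing key or value is normal; only a value of 1 is a finding.
        $v = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($v -and $v.$name -eq 1) { $Findings += "Registry policy $path\$name = 1" }
    }
}

# 3. Defender operational log: protection disabled (5001/5010/5012) or a change blocked by Tamper Protection (5013).
$defEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012, 5013
    StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $defEvents) {
    $first = ($e.Message -split "`n")[0]
    $Findings += "Defender event $($e.Id) at $($e.TimeCreated): $first"
}

# 4. Log clearing, the usual way an intruder thins the forensic trail:
#    Security 1102 = audit log cleared; System 104 = an event log was cleared.
$clearEvents = @()
$clearEvents += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
$clearEvents += Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $clearEvents) {
    $Findings += "Event log cleared ($($e.LogName) $($e.Id)) at $($e.TimeCreated) by $($e.UserId)"
}

if ($Findings.Count -eq 0) { "No Defender tampering or log clearing found since $Since" }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Two caveats apply. A host whose logs were cleared cannot be trusted to report on itself, so the value of events 1102 and 104 depends on them being forwarded to a collector before the intruder acts; and the registry and preference routes to disabling Defender only work when Tamper Protection is off, which is why the first check reports that setting. Treat any hit as a reason to pull a full timeline, not as a verdict on its own.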
“Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime,” Morphisec said. “With ties to Fox Kitten and Mimic, an 80% profit incentive for Iran’s supporters, and over $4 million in ransoms, this RaaS operation threatens Western organizations with advanced, evasive ransomware.”
The findings come as U.S. cybersecurity and intelligence agencies have warned of retaliatory attacks by Iran after American airstrikes on three nuclear facilities in the country.
Operational technology (OT) security company Nozomi Networks said it has observed Iranian hacking groups such as MuddyWater, APT33, OilRig, Cyber Av3ngers, Fox Kitten, and Homeland Justice targeting transportation and manufacturing organizations in the U.S.
“Industrial and critical infrastructure organizations in the U.S. and abroad are urged to be vigilant and review their security posture,” the company said, adding that it detected 28 cyber attacks related to Iranian threat actors between May and June 2025.