The Iranian ransomware group Pay2Key.I2P has increased its attacks on U.S. and Israeli organizations while offering affiliates a larger share of the profits. This group is an evolution of the original Pay2Key and is believed to be linked to the Iran-affiliated APT group Fox Kitten. It now operates under a ransomware-as-a-service model.
Launched in February 2025, Pay2Key.I2P has expanded rapidly through promotion on Russian and Chinese darknet forums and activity on X. In just four months, the group has carried out over 51 successful ransom attacks. While profit is a key motivator, their ideological alignment with Iranian interests is evident. In June, they extended their campaign by introducing a Linux-compatible ransomware version, signaling a broader offensive strategy.
According to a report from cybersecurity firm Morphisec, “In the wake of ongoing tensions involving Israel, Iran, and the United States, a renewed cyber threat has surfaced, targeting Western organizations. Pay2Key has returned as a ransomware-as-a-service operation under the name Pay2Key.I2P.” The group is associated with Fox Kitten and shares similarities with Mimic ransomware, particularly its ELENOR-Corp variant, previously analyzed by Morphisec. Technical and OSINT investigations suggest that Pay2Key.I2P has either partnered with or integrated capabilities from the Mimic malware family.
To attract more collaborators, Pay2Key.I2P now offers affiliates an 80 percent profit share, up from 70 percent. The group claims to have earned over $4 million in ransom within four months, with some affiliates receiving as much as $100,000. Upcoming reports will include internal group chats and insights into the motives behind their latest malware revisions.
Morphisec’s research identified similarities between the ELENOR-Corp variant and Pay2Key.I2P’s ransomware component, “enc-build.exe.” The group deploys the malware using a sophisticated dual-format loader script (setup.cmd) embedded in a 7-Zip SFX archive. This script works in both CMD and PowerShell, making it harder to detect and block. It disables Microsoft Defender without triggering security alerts, uses XOR encryption to conceal payloads, and includes tools like 7za.exe and NoDefender.
A new version of the ransomware, active since March 2025, includes sandbox evasion, masked payloads, modular execution through task.ps1, and deceptive actions triggered by data5.bin. It is protected by the Themida packer and disguised as legitimate software such as Everything.exe, allowing it to remain hidden until it encrypts files and delivers the ransom note.
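One way a defender could turn the loader behaviour described above into a detection, added here as an example and not taken from the Morphisec report: flag setup.cmd or task.ps1 launched from the temporary folder a 7-Zip SFX unpacks into, and raise the severity when the same host reports Microsoft Defender real-time protection being disabled shortly afterwards. The telemetry below is constructed; the %TEMP%\7zS<hex> extraction path and Defender event ID 5001 are assumptions about the environment, not indicators from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Sysmon-style process creation
# events (event_id 1) and Microsoft Defender Operational events (5001 =
# real-time protection disabled). Hosts, users, paths and times are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2025-03-10T09:00:00", "event_id": 1, "source": "sysmon",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\7zS4F3A1B2C\setup.cmd"'},
    {"host": "WS-01", "time": "2025-03-10T09:00:20", "event_id": 5001, "source": "defender"},
    {"host": "WS-02", "time": "2025-03-10T10:00:00", "event_id": 1, "source": "sysmon",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ep bypass -File C:\Users\bob\AppData\Local\Temp\7zS1A2B3C4D\task.ps1"},
    {"host": "WS-03", "time": "2025-03-10T11:00:00", "event_id": 5001, "source": "defender"},
    {"host": "WS-04", "time": "2025-03-10T12:00:00", "event_id": 1, "source": "sysmon",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\carol\AppData\Local\Temp\7zS9F9F9F9F\setup.cmd"},
    {"host": "WS-04", "time": "2025-03-10T12:30:00", "event_id": 5001, "source": "defender"},
]

# Assumption: 7-Zip SFX modules unpack into %TEMP%\7zS<hex>\ before running the
# embedded script, so a setup.cmd / task.ps1 started from there matches the
# loader behaviour described in the report.
SFX_LOADER = re.compile(r"\\Temp\\7zS[0-9A-F]+\\(setup\.cmd|task\.ps1)\b", re.IGNORECASE)

def is_sfx_loader(ev):
    """True for a process-creation event running setup.cmd or task.ps1 from a 7zS temp dir."""
    return (ev["source"] == "sysmon" and ev["event_id"] == 1
            and bool(SFX_LOADER.search(ev["command_line"])))

def correlate(events, window=timedelta(minutes=10)):
    """Return (loader_hits, correlated): every SFX loader launch, and those followed
    within `window` on the same host by Defender event 5001 (real-time protection off)."""
    ts = lambda ev: datetime.fromisoformat(ev["time"])
    loader_hits = [ev for ev in events if is_sfx_loader(ev)]
    correlated = []
    for hit in loader_hits:
        for ev in events:
            if (ev["host"] == hit["host"] and ev["source"] == "defender"
                    and ev["event_id"] == 5001
                    and timedelta(0) <= ts(ev) - ts(hit) <= window):
                correlated.append((hit["host"], hit["command_line"], ev["time"]))
    return loader_hits, correlated

if __name__ == "__main__":
    hits, corr = correlate(SAMPLE_EVENTS)
    for ev in hits:
        print("MEDIUM: loader run from SFX temp dir:", ev["host"], ev["command_line"])
    for host, cmd, when in corr:
        print("HIGH: loader followed by Defender disable:", host, when)
```

On the constructed data, WS-01 is escalated to HIGH, WS-02 and WS-04 stay MEDIUM (no Defender event, or one outside the window), and WS-03's Defender event alone is not flagged.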
The report concludes that Pay2Key.I2P is a serious threat, combining state-backed cyber tactics with the criminal profit-driven model of ransomware-as-a-service. Its connections to Fox Kitten and Mimic, high affiliate payouts, and advanced technical capabilities make it a growing risk for Western organizations. Internal communications show the group is ideologically motivated and constantly evolving its tools to maximize damage.
In early July, U.S. cybersecurity and intelligence agencies issued a warning about increased cyber threats from Iranian state-linked actors. These groups often exploit unpatched software, known vulnerabilities, and weak or default passwords to compromise systems.
The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, Department of Defense Cyber Crime Center (DC3), and National Security Agency (NSA), urged organizations to stay alert for potential attacks targeting U.S. critical infrastructure. The agencies advised disconnecting operational technology systems from the internet, using strong passwords, keeping software updated, and enabling phishing-resistant multifactor authentication to bolster defenses.
Although a coordinated Iranian cyber campaign in the U.S. has not yet been confirmed, Iranian-affiliated hacktivist groups have stepped up defacement and data leak efforts. Officials expect further increases in DDoS and ransomware activity aimed at U.S. and Israeli targets.