An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering higher payouts to cybercriminals who launch attacks against Israel and the U.S.
The financially motivated scheme, now operating under the moniker Pay2Key.I2P, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).
“Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, […] Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities,” Morphisec security researcher Ilia Kulmin said.
“Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.”
Last year, the U.S. government revealed the advanced persistent threat’s (APT) modus operandi of carrying out ransomware attacks by covertly partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.
The use of Pay2Key by Iranian threat actors goes back to October 2020, with the attacks targeting Israeli companies by exploiting known security vulnerabilities.
Pay2Key.I2P, per Morphisec, emerged on the scene in February 2025, claiming over 51 successful ransom payouts in four months, netting it more than $4 million in ransom payments and $100,000 in profits for individual operators.
While their financial motives are apparent and likely effective, there is also an underlying ideological agenda behind them: the campaign appears to be a case of cyber warfare waged against targets in Israel and the U.S.
A notable aspect of the latest variant of Pay2Key.I2P is that it is the first known RaaS platform to be hosted on the Invisible Internet Project (I2P).
“While some malware families have used I2P for [command-and-control] communication, this is a step further – a Ransomware-as-a-Service operation running its infrastructure directly on I2P,” Swiss cybersecurity company PRODAFT said in a post shared on X in March 2025. The post was subsequently reposted by Pay2Key.I2P’s own X account.
What’s more, Pay2Key.I2P has been observed posting on a Russian darknet forum that allowed anyone to deploy the ransomware binary for a $20,000 payout per successful attack, marking a shift in RaaS operations. The post was made by a user named “Isreactive” on February 20, 2025.
“Unlike traditional Ransomware-as-a-Service (RaaS) models, where developers take a cut only from selling the ransomware, this model allows them to capture the full ransom from successful attacks, only sharing a portion with the attackers who deploy it,” Kulmin noted at the time.
“This shift moves away from a simple tool-sale model, creating a more decentralized ecosystem, where ransomware developers earn from attack success rather than just from selling the tool.”
As of June 2025, the ransomware builder includes an option to target Linux systems, indicating that the threat actors are actively refining and improving the locker’s functionality. The Windows counterpart, on the other hand, is delivered as a Windows executable inside a self-extracting (SFX) archive.
It also incorporates various evasion techniques that allow it to run unimpeded by disabling Microsoft Defender Antivirus and deleting malicious artifacts deployed as part of the attack to minimize the forensic trail.
“Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime,” Morphisec said. “With ties to Fox Kitten and Mimic, an 80% profit incentive for Iran’s supporters, and over $4 million in ransoms, this RaaS operation threatens Western organizations with advanced, evasive ransomware.”
The findings come as the U.S. cybersecurity and intelligence agencies have warned of retaliatory attacks by Iran after American airstrikes on three nuclear facilities in the country.
Operational technology (OT) security company Nozomi Networks said it has observed Iranian hacking groups like MuddyWater, APT33, OilRig, Cyber Av3ngers, Fox Kitten, and Homeland Justice targeting transportation and manufacturing organizations in the U.S.
“Industrial and critical infrastructure organizations in the U.S. and abroad are urged to be vigilant and review their security posture,” the company said, adding it detected 28 cyber attacks related to Iranian threat actors between May and June 2025.