Iran-backed Pay2key ransomware resurfaces

5 Min Read

An Iran-backed ransomware-as-a-service (RaaS) operation named Pay2key has resurfaced in the wake of last month's Israel-Iran-US conflict, offering bigger payouts to cybercriminals who launch attacks against Israel and the US.

The financially motivated scheme, currently operating under the moniker Pay2key.i2p, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).

“Linked to the infamous Fox Kitten APT group and closely tied to the well-known Mimic ransomware (…) Pay2key.i2p appears to be affiliated with or to have incorporated Mimic’s capabilities.”

“Officially, the group offers an 80% profit share (up from 70%) to Iranian-backed affiliates, or to those who participate in attacks against Iran’s enemies, demonstrating ideological commitment.”

Last year, the US government revealed that the advanced persistent threat (APT) group had carried out ransomware attacks by secretly partnering with NoEscape, RansomHouse and BlackCat (also known as ALPHV).

The use of Pay2key by Iranian threat actors dates back to October 2020, when it targeted Israeli companies by exploiting known security vulnerabilities.

According to Morphisec, Pay2key.i2p appeared on the scene in February 2025 and collected more than 51 ransom payments in four months, earning more than $4 million in ransom payments, with individual operators earning over $100,000.

Their financial motivations are clear and undoubtedly effective, but there is also a fundamental ideological agenda behind them. The campaign looks like an instance of cyber warfare unfolding against Israeli and US targets.

A notable aspect of the latest Pay2key.i2p variant is that it is the first known RaaS platform hosted on the Invisible Internet Project (I2P).

“Some malware families use I2P for C2 (command-and-control) communication, but this is a step further. It’s a ransomware-as-a-service operation that runs its infrastructure directly on I2P,” Swiss cybersecurity company PRODAFT said in a post shared on X in March 2025.


Pay2key.i2p has also been observed posting to a Russian darknet forum, marking a shift in RaaS operations: the post invites anyone to deploy the ransomware binaries in exchange for a payment of $20,000 for each successful attack. It was created on February 20, 2025 by a user named “IsReactive.”

“Unlike traditional ransomware-as-a-service (RaaS) models, where developers take a cut only from ransomware sales, this model lets them share the profits only with attackers who successfully deploy it,” says Kurmin.

“This shift moves away from the simple tool-sale model and creates a more distributed ecosystem. Ransomware developers profit from the success of the attacks, not from the sale of the tool.”

As of June 2025, the ransomware builder includes an option to target Linux systems, indicating that the threat actors are actively extending the functionality of their locker. The Windows counterparts, meanwhile, are delivered as executables inside self-extracting (SFX) archives.

The locker also incorporates a variety of evasion techniques so that it can run unhindered: disabling Microsoft Defender Antivirus, removing the malicious artifacts deployed as part of the attack, and minimizing forensic trails.

Alternative infection sequences use portable executables disguised as Microsoft Word documents as their starting point, according to SonicWall Capture Labs; these then launch a CMD file that runs the encryption process and drops the ransom notes.

“Pay2key.i2p represents the dangerous convergence of Iran’s state-sponsored cyberwarfare and global cybercrime,” Morphisec said. “The RaaS operation, with its connections to Fox Kitten and Mimic, an 80% profit incentive for Iranian supporters, and over $4 million in ransoms, threatens Western organizations with highly evasive ransomware.”


The findings come as US cybersecurity and intelligence agencies warned of potential retaliatory attacks by Iran following US airstrikes on three nuclear facilities in the country.

Operational technology (OT) security company Nozomi Networks said Iranian hacking groups such as MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten and Homeland Justice have been observed targeting US transportation and manufacturing organizations.

“Industrial and critical infrastructure organizations in the US and overseas are urged to remain vigilant and review their security posture,” the company said, adding that it had detected 28 cyberattacks involving Iranian threat actors between May and June 2025.
