A new report out today from endpoint security firm Morphisec Inc. reveals the resurgence of Pay2Key, a ransomware operation with ties to Iran’s Fox Kitten advanced persistent threat group, now rebranded as Pay2Key.I2P.
First exposed in 2020, the group now operates under a ransomware-as-a-service model and has incorporated techniques and components associated with the Mimic ransomware family, including a previously analyzed ELENOR-Corp variant. RaaS is a cybercrime business model in which the developers of ransomware lease their malware to affiliates, who carry out the attacks in exchange for a share of the ransom payments.
The report warns that with a sharpened geopolitical agenda and a refined technical arsenal, Pay2Key.I2P poses an escalating risk to Western organizations.
The new operation, believed to have been active since February, has already amassed about $4 million in ransom payments from more than 50 successful attacks in four months. Affiliates are incentivized with an 80% profit share, offered especially for attacks on adversaries of Iran, blending financial motives with political ideology. Promotion of the campaign on Russian and Chinese dark net forums, as well as through a presence on the social site X, points to a carefully planned rollout.
Morphisec’s analysis of the malware found that the group relies on layered evasion. The attack chain begins with a 7-Zip self-extracting archive that runs a loader script written to execute both as a CMD batch file and as PowerShell. The script then blinds Microsoft Defender by adding a file-type exclusion for .exe files, so the executables that follow are never scanned, and deploys NoDefender, a tool designed to weaken endpoint security further. The final stage executes enc-build.exe, a Themida-protected variant of Mimic ransomware that enumerates target files and runs its payload with little on-host visibility.
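As an added, practitioner-side check that is not part of Morphisec's report or this article, the following PowerShell audits a Windows host for the Defender weakening described above: it lists live Defender exclusions and flags any extension exclusion that covers executable types, reports whether real-time protection is still on, and pulls the Defender configuration-change events (Event ID 5007) that mention exclusions so the change can be timed against other activity. The list of flagged extensions and the assumed layout of the Event 5007 message text are this example's assumptions, not claims from the report.

```powershell
# Added example (not from the Morphisec report or this article): audit a host for
# Defender exclusions of the kind the Pay2Key.I2P loader creates. Run from an
# elevated PowerShell prompt on the host being checked.

# Assumption: extensions an attacker would exclude to blind Defender to loaders and payloads.
$riskyExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr')

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()

    # Extension exclusions are the direct artifact of this chain (".exe" excluded from scanning).
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        $clean = ($ext -replace '^[.*]+', '').ToLowerInvariant()
        if ($riskyExtensions -contains $clean) {
            $findings += [pscustomobject]@{ Kind = 'Extension'; Value = $ext; Note = 'executable type excluded from scanning' }
        }
    }
    # Any path or process exclusion deserves a look; an attacker needs only one.
    foreach ($p in @($pref.ExclusionPath))    { if ($p) { $findings += [pscustomobject]@{ Kind = 'Path';    Value = $p; Note = 'review' } } }
    foreach ($p in @($pref.ExclusionProcess)) { if ($p) { $findings += [pscustomobject]@{ Kind = 'Process'; Value = $p; Note = 'review' } } }
    return $findings
}

function Get-DefenderProtectionState {
    # Cross-check the reported status against the preference that turns real-time scanning off.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AntivirusEnabled          = $status.AntivirusEnabled
        BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
        DisableRealtimeMonitoring = (Get-MpPreference).DisableRealtimeMonitoring
    }
}

function Get-DefenderExclusionChangeEvents {
    param([int]$MaxEvents = 500)
    # Event 5007 is logged whenever Defender's configuration changes. Assumption: the
    # "New value:" line carries the registry path of the changed setting, so exclusion
    # additions appear under ...\Windows Defender\Exclusions\<Extensions|Paths|Processes>.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -match 'Exclusions\\(Extensions|Paths|Processes)') {
            $newValue = ($e.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
            [pscustomobject]@{ Time = $e.TimeCreated; Change = $newValue.Trim() }
        }
    }
}

$exclusions = Get-SuspiciousDefenderExclusions
$state      = Get-DefenderProtectionState
$changes    = Get-DefenderExclusionChangeEvents

'--- Defender protection state ---';      $state | Format-List
'--- Suspicious exclusions ---';          if ($exclusions) { $exclusions | Format-Table -AutoSize } else { 'none' }
'--- Exclusion changes (Event 5007) ---'; if ($changes)    { $changes    | Format-Table -AutoSize } else { 'none found' }
```

A hit on the Extension line is the artifact to expect from this chain; an exclusion-related 5007 event logged shortly before a self-extracting archive or script launch narrows the timeline for the rest of the intrusion.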
Though the operation initially targeted Windows installations, the operators behind Pay2Key.I2P added a Linux-compatible build in June, widening their potential target base. The group has since layered on obfuscation such as XOR encryption, decoy behaviors and anti-analysis checks aimed at evading sandboxes and dynamic analysis tools.
For affiliates, Pay2Key.I2P offers an online platform that includes a referral-based affiliate system, a ransomware builder, real-time profit dashboards and tools for victim communication.
Ransomware groups are a dime a dozen in 2025, but not all are ideologically motivated. “While profit is a motivator, Pay2Key.I2P’s ideological agenda is clear,” the report notes. “Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare.”