In the aftermath of the recent Israel-Iran-U.S. conflict, a sophisticated cyber threat has re-emerged, targeting organizations across the West. Morphisec’s threat research team has uncovered the revival of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation, now operating as Pay2Key.I2P. This operation is linked to the notorious Fox Kitten Advanced Persistent Threat (APT) group and closely tied to the well-known Mimic ransomware. Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities. Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment. With over $4 million in ransom payments collected in just four months and individual operators boasting $100,000 in profits, this campaign merges technical prowess with geopolitical motives. Our upcoming report includes personal communications from the group, revealing their dedication and the reasons behind rewriting their ransomware.
Since its debut in February 2025, Pay2Key.I2P has expanded rapidly. Strategic marketing on Russian and Chinese darknet forums, combined with a presence on X since January 2025, indicates a planned rollout. With over 51 successful ransom payouts in four months, the group’s effectiveness is undeniable.
While profit is a motivator, Pay2Key.I2P’s ideological agenda is clear. Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare. The addition of a Linux-targeted ransomware build in June 2025 further widens the range of systems they can hit, putting a more diverse set of environments at risk.
This overview is just the start. Our Pay2Key.I2P Threat Report provides an in-depth look at the group’s operations, including:
– OSINT Insights: Tracking aliases, referral codes, and darknet activities.
– Technical Analysis: Detailed breakdown of the ransomware builder, payloads, and evasion techniques.
– Mimic Connection: Evidence of collaboration with the Mimic ransomware.
– Strategic Implications: The broader impact on Western cybersecurity.
Download the full report here to arm your organization against this escalating threat.