SECURITY
A new report out today from endpoint security firm Morphisec Inc. reveals the resurgence of Pay2Key, a ransomware operation with ties to Iran’s Fox Kitten advanced persistent threat group, now rebranded as Pay2Key.I2P.
First exposed in 2020, the operation now runs a ransomware-as-a-service (RaaS) model and incorporates techniques and components associated with the Mimic ransomware family, including a previously analyzed ELENOR-Corp variant. RaaS is a cybercrime business model in which ransomware developers lease their malware to affiliates, who then carry out attacks in exchange for a share of ransom payments.
The report warns that with a sharpened geopolitical agenda and a refined technical arsenal, Pay2Key.I2P poses an escalating risk to Western organizations.
The new operation, which is believed to have been active since February, has already amassed about $4 million in ransom payments from more than 50 successful attacks in just four months. Affiliates are incentivized through an 80% profit share, especially if targeting adversaries of Iran, blending financial motives with political ideology. Promotion of the campaign on Russian and Chinese dark net forums, as well as through a presence on the social site X, points to a carefully planned rollout.
Morphisec’s analysis of the malware has found that the group is using advanced evasion techniques. The attack chain begins with a 7-Zip self-extracting archive that runs a dual-compatible CMD and PowerShell loader script. This script then disables Microsoft Defender by creating a file-type exclusion for .exe files and deploys NoDefender, a tool designed to weaken endpoint security. The final stage involves executing enc-build.exe, a Themida-protected variant of Mimic ransomware, capable of indexing files and executing payloads stealthily.
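The chain above gives defenders three observable points: a Defender exclusion being added for an executable file type, a command or PowerShell interpreter launched out of a 7-Zip self-extracting archive's temporary folder, and a final payload named enc-build.exe. The following Python is an added illustration of how those points can be turned into detection logic; it is not code from Morphisec or from the report. It assumes a simplified JSON-lines telemetry feed with two event shapes (a Defender configuration-change event modelled on Windows Defender event 5007, and a Sysmon-style process-creation record), assumes that 7-Zip self-extractors unpack into a `7zS<hex>.tmp` folder under the user's temp directory, and runs over constructed sample events rather than real captures.

```python
"""Detection rules for the three observable stages of the chain described in
the article, run over constructed sample telemetry (example code, not from the
Morphisec report)."""
import json
import ntpath
import re

# Constructed sample telemetry (not real captures). "defender_config" models a
# Microsoft-Windows-Windows Defender/Operational event 5007 ("Antivirus
# Configuration has changed"); "process_create" models a Sysmon-style record.
_RECORDS = [
    {"kind": "process_create", "host": "ws01",
     "parent_image": r"C:\Users\alice\Downloads\invoice_viewer.exe",  # constructed SFX name
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\7zS4F2A.tmp\loader.cmd"'},
    {"kind": "defender_config", "host": "ws01", "event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = 0x0"},
    {"kind": "process_create", "host": "ws01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\7zS4F2A.tmp\enc-build.exe",
     "command_line": r"enc-build.exe"},
    {"kind": "process_create", "host": "ws02",   # benign: interpreter from explorer
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir"},
]
SAMPLE_EVENTS = "\n".join([json.dumps(r) for r in _RECORDS] + ["<truncated log line"])

# Exclusion path written by Defender when a file-type exclusion is added.
EXCLUSION_RE = re.compile(r"Exclusions\\Extensions\\(\w+)", re.IGNORECASE)
# Assumed 7-Zip SFX temp-folder naming pattern (e.g. ...\Temp\7zS4F2A.tmp\).
SFX_TEMP_RE = re.compile(r"\\7zS[0-9A-F]+\.tmp\\", re.IGNORECASE)
# File types whose exclusion effectively blinds the scanner to droppers/payloads.
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "scr"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Payload name taken from the article; name matching is fragile and is only a
# corroborating signal next to the behavioural rules above.
KNOWN_PAYLOAD_NAMES = {"enc-build.exe"}


def _parse(jsonl_text):
    """Yield well-formed event dicts, silently skipping malformed lines."""
    for line in jsonl_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict):
            yield event


def analyze(jsonl_text):
    """Return a list of findings, one per rule hit, in telemetry order."""
    findings = []
    for event in _parse(jsonl_text):
        host = event.get("host", "?")
        kind = event.get("kind")
        if kind == "defender_config" and event.get("event_id") == 5007:
            m = EXCLUSION_RE.search(event.get("new_value", ""))
            if m and m.group(1).lower() in RISKY_EXTENSIONS:
                findings.append({"rule": "defender-extension-exclusion", "host": host,
                                 "detail": f"exclusion added for .{m.group(1).lower()}"})
        elif kind == "process_create":
            image = ntpath.basename(event.get("image", "")).lower()
            cmdline = event.get("command_line", "")
            parent = event.get("parent_image", "")
            # Stage 1: cmd/PowerShell started from an SFX extraction folder.
            if image in INTERPRETERS and (SFX_TEMP_RE.search(cmdline) or SFX_TEMP_RE.search(parent)):
                findings.append({"rule": "sfx-launches-interpreter", "host": host,
                                 "detail": f"{image} run from 7-Zip SFX temp folder: {cmdline}"})
            # Stage 3: known payload file name.
            if image in KNOWN_PAYLOAD_NAMES:
                findings.append({"rule": "known-payload-name", "host": host,
                                 "detail": f"{image} executed from {event.get('image', '')}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] host={f['host']} {f['detail']}")
```

The two behavioural rules (an interpreter launched from an SFX temp folder, and an exclusion added for an executable file type) are the ones worth keeping in a real pipeline; the file-name rule is included only because the report names the binary, and an operator can rename it at no cost.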
Though initially targeting Windows installations, the operators behind Pay2Key.I2P expanded their capabilities with a Linux-compatible build in June, widening their potential target base. The group has also more recently introduced obfuscation techniques such as XOR encryption, decoy behaviors and anti-analysis checks aimed at evading sandboxes and dynamic analysis tools.
For affiliates, Pay2Key.I2P offers an online platform that includes a referral-based affiliate system, a ransomware builder, real-time profit dashboards and tools for victim communication.
Ransomware groups are a dime a dozen in 2025, but not all are ideologically motivated. “While profit is a motivator, Pay2Key.I2P’s ideological agenda is clear,” the report notes. “Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare.”