Pay2Key’s Resurgence Iranian Cyber Warfare Targets the West

Overview

In the volatile aftermath of the Israel-Iran-USA conflict, a sophisticated cyber threat has re-emerged, targeting organizations across the West. Morphisec’s threat research team has uncovered the revival of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation, now operating as Pay2Key.I2P. Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, previously analyzed by Morphisec for its ELENOR-Corp variant, Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities. Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment. With over $4 million in ransom payments collected in just four months and individual operators boasting $100,000 in profits, this campaign merges technical prowess with geopolitical motives. Our upcoming report includes personal communications from the group, revealing their dedication and the reasons behind rewriting their ransomware.

This blog introduces our technical analysis and OSINT findings, exposing Pay2Key.I2P’s operations and its ties to Mimic.

To read the complete article see: Morphisec Blog

Full research downloadable from here (NOT gated): Pay2Key Whitepaper