Full Report
The Iran-linked ransomware-as-a-service group Pay2Key.I2P reportedly told affiliates that they can keep a larger cut of extortion payments if they attack entities within Iran's adversaries.
Analysis Summary
# Threat Actor: Pay2Key.I2P
## Attribution & Identity
* **Identification:** Iranian ransomware group operating a Ransomware-as-a-Service (RaaS) model.
* **Known Aliases/Associations:** Believed to be a successor to the original **Pay2Key** operation, which has been linked to Iran’s state-backed hacking group **Fox Kitten**.
## Activity Summary
The group has recently ramped up operations amid heightened Middle East tensions. It is actively recruiting affiliates on Russian-speaking hacker forums, promising larger profit shares for targeting adversaries of Iran. The group claims to have collected over \$4 million in payments in the past four months (leading up to July 2025) and to have conducted over 50 successful attacks by late June 2025.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Operating a RaaS model to incentivize external affiliates.
* **Financial Incentive:** Increased affiliate payout share (from 70% to 80%) specifically for successful attacks against Iran's state adversaries (Israel and the U.S.).
* **Tooling Collaboration:** Believed to collaborate with operators of the **Mimic ransomware**, which utilizes code from the defunct **Conti** gang.
* **Recruitment:** Actively recruiting members on Russian-speaking hacker forums.
* **Historical Context:** Successor to a group linked to state espionage activities by Fox Kitten.
## Targeting
* **Sectors:** Not explicitly detailed, but their primary focus is on geopolitical adversaries.
* **Geography:** Explicitly prioritizing attacks against **Israel** and the **U.S.** (as adversaries of Iran). Previous activity linked to Fox Kitten targeted entities in the U.S., Israel, Azerbaijan, and the UAE.
* **Victims:** Over 50 successful attacks claimed by affiliates, though specific victims in the targeted countries are not detailed in this summary.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Mimic ransomware** (utilizing Conti code).
* **Infrastructure:** Recruitment conducted on darknet forums and Russian-speaking hacker forums. (No specific C2 infrastructure or IPs were provided in the text).
## Implications
The group blends financial motivation with state-aligned ideological objectives, presenting a significant threat to Western allies, particularly the U.S. and Israel, especially given current geopolitical tensions (as reflected in U.S. warnings about retaliation following an airstrike on Iranian nuclear facilities). Its RaaS model and increased affiliate payouts suggest an imminent scaling of aggressive campaigns against politically sensitive entities.
## Mitigations
* Heightened defense/vigilance is critical for organizations in the U.S. and Israel.
* Monitor for indicators related to the Mimic ransomware or Conti-derived tooling.
* Monitor darknet and Russian-speaking hacker forums for recruitment attempts or operational chatter related to Pay2Key.I2P.