In the shadow of geopolitical tensions among Iran, Israel, and the United States, a familiar threat has resurfaced in the global cybersecurity landscape. The Iranian-backed ransomware-as-a-service (RaaS) operation Pay2Key, now rebranded as Pay2Key.I2P, is actively targeting Western organizations in a campaign that blends ideological motives with technical sophistication.
Morphisec reports that Pay2Key.I2P is “linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware,” building upon the ELENOR-Corp variant the company previously analyzed. The new operation signals both a technical evolution and a strong ideological motivation.
The group reportedly offers affiliates a generous 80% profit share—an increase from the typical 70%—for carrying out attacks against perceived enemies of Iran. “With over $4 million in ransom payments collected in just four months and individual operators boasting $100,000 in profits, this campaign merges technical prowess with geopolitical motives,” the report notes.
The campaign is underpinned by a sophisticated platform hosted on the I2P anonymizing network, complete with referral codes, earnings calculators, a dashboard for affiliates, and ransomware builders. Operators are recruited from Russian and Chinese darknet forums, using promotional materials and updates to maintain engagement. According to the report, the site displays “promotional material that describes the platform’s capabilities and the advantages of joining.”
Screenshots shared by the actors include proof of payouts and transaction histories—visual cues designed to build trust among cybercriminal collaborators. A notable message from the threat actor claims that “Pay2Key.I2P has made over $4 million and over 50 successfully conducted ransom payouts… in 4 months.”
June 2025 marked a turning point when the group unveiled a Linux-compatible build, extending the operation's reach beyond Windows hosts into Linux-based enterprise environments. But perhaps more disturbing is the group’s ideological posture.
The report states: “The group is offering favorable percentage for anyone engaged in an attack against the enemies of Iran.” This blurs the line between cybercrime and cyber warfare, with operators actively encouraged to serve nationalistic objectives.
The ransomware payload is delivered as a 7-Zip self-extracting (SFX) archive containing obfuscated PowerShell scripts, encrypted binaries, and anti-analysis mechanisms. One notable component, named “powrprof.exe” (a name that mimics the legitimate Windows power-profile library powrprof.dll), is a disguised copy of the NoDefender tool, used to switch off Microsoft Defender quietly.

Of the Defender exclusion the script adds, Morphisec explains: “This command excludes the scanning of executables… effectively creating a blind spot for all future stages of the infection chain.” Another addition is the “Time Bomb” persistence module, which delays ransomware execution by registering a scheduled task that launches the payload later.
The final payload, “enc-build.exe”, is a Themida-protected build of the Mimic ransomware, combining encryption and stealth in one package. After launching the payload, the script deletes itself to minimize forensic traces.
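The three artifacts described above (an executable-type Defender exclusion, a scheduled task that fires later, and a launcher that removes itself) each leave traces an endpoint can be checked for. The following hunt script is an added example, not code from the Morphisec report or from the actors' tooling. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the endpoint with the Defender module available; the `-LookbackDays` value and the lists of "risky" extensions and paths are assumed tuning choices, not indicators from the report.

```powershell
# Added hunt script (not from the Morphisec report or the actors' tooling).
# Assumes an elevated PowerShell session on the endpoint; -LookbackDays and the
# risky-extension / risky-path lists below are assumed tuning choices.
param([int]$LookbackDays = 30)

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Value, [string]$Note) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Note = $Note })
}

# 1. Live Defender configuration: exclusions that blind the scanner to executables or
#    to user-writable directories, plus real-time protection being switched off.
$pref     = Get-MpPreference
$riskyExt = 'exe','dll','ps1','bat','cmd','vbs','js','scr'
foreach ($ext in @($pref.ExclusionExtension)) {
    if ($ext -and ($riskyExt -contains $ext.TrimStart('.').ToLower())) {
        Add-Finding 'ExclusionExtension' $ext 'executable type excluded from scanning'
    }
}
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -and $p -match '(?i)\\(Users|Temp|ProgramData|AppData|Public)\\') {
        Add-Finding 'ExclusionPath' $p 'user-writable location excluded from scanning'
    }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc) { Add-Finding 'ExclusionProcess' $proc 'files opened by this process are not scanned' }
}
if ($pref.DisableRealtimeMonitoring) {
    Add-Finding 'Tampering' 'DisableRealtimeMonitoring=True' 'real-time protection is off'
}

# 2. Defender operational log, event 5007 = "configuration has changed". This catches an
#    exclusion that was added and later removed, which the live configuration alone misses.
$log = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)Exclusions|DisableRealtimeMonitoring|DisableAntiSpyware' } |
    ForEach-Object {
        $detail = if ($_.Message -match 'New value:\s*(.+)') { $matches[1].Trim() } else { '' }
        Add-Finding 'DefenderEvent5007' $_.TimeCreated.ToString('s') $detail
    }

# 3. Scheduled tasks outside the \Microsoft\ tree: actions launched from user-writable paths
#    or through script hosts, and triggers whose start time is still in the future (a "time bomb").
$now = Get-Date
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    $name = "$($task.TaskPath)$($task.TaskName)"
    foreach ($a in @($task.Actions)) {
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        if ($cmd -match '(?i)\\(Users|Temp|ProgramData|AppData|Public)\\|powershell|cmd\.exe|wscript|mshta|-enc') {
            Add-Finding 'ScheduledTaskAction' $name $cmd
        }
    }
    foreach ($tr in @($task.Triggers)) {
        if ($tr.StartBoundary) {
            try {
                $start = [datetime]::Parse($tr.StartBoundary)
                if ($start -gt $now) { Add-Finding 'ScheduledTaskFutureStart' $name "starts $start" }
            } catch { }   # malformed StartBoundary: skip rather than abort the sweep
        }
    }
}

$findings | Sort-Object Type | Format-Table -AutoSize
```

Run it as `.\Hunt-Pay2KeyArtifacts.ps1 -LookbackDays 14` (the file name is illustrative). Section 2 is the important one for a self-deleting launcher: the script may be gone and the exclusion may have been cleaned up, but event 5007 still records the change with its old and new values. Where Security-log auditing of object access is enabled, task creation also appears as event 4698 in the Security log and can be correlated with the same time window.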
In its conclusion, Morphisec warns: “Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime. With ties to Fox Kitten and Mimic, an 80% profit incentive for Iran’s supporters, and over $4 million in ransoms, this RaaS operation threatens Western organizations with advanced, evasive ransomware.”