Pay2Key, the RaaS gang linked to an Iranian nation-state threat group, is undergoing internal changes — and experts warn it could pose new dangers to the United States.
Pay2Key, a lesser-known ransomware-as-a-service gang that emerged in 2020, made headlines for targeting Israeli organizations in hack-and-leak attacks. Over time, it has been connected to Iran’s Fox Kitten (UNC757) threat group by both cybersecurity experts and U.S. authorities.
Pay2Key has reappeared with renewed purpose, now encouraging ransomware attacks on Western targets and upping affiliate rewards to 80% for hitting those deemed hostile to Iran, says a new Morphisec Labs report.
"Their focus on Western targets, coupled with rhetoric tied to Iran's geopolitical stance, positions this campaign as a tool of cyber warfare," the researchers wrote. "The addition of a Linux-targeted ransomware build in June 2025 further expands their attack surface, threatening diverse systems."
Pay2Key Ransomware Gang Raises Affiliate Profit Share Amid Renewed Activity
According to Morphisec, the RaaS group has returned with a new variant, Pay2Key.I2P, which is rapidly gaining traction across the threat landscape. Unlike other ransomware operations, it uses the I2P anonymity network rather than Tor for its ransom portals and victim communications, as noted by SonicWall (https://www.sonicwall.com/blog/pay2key-first-ransomware-utilizing-i2p-network-instead-of-tor).
In February, Pay2Key launched a coordinated marketing push on Russian and Chinese dark web forums, promoting its new ransomware variant. Morphisec researchers say the campaign and branding efforts point to a carefully planned multistage launch.
Communications obtained by Morphisec Labs show Pay2Key offering affiliates 80% shares of ransom payments for targeting Israel and the U.S., while stressing their operations are anonymous enough to avoid implicating Iran or violating ceasefire conditions.
It's unclear whether Pay2Key’s 80% profit-share will attract affiliates, as other ransomware gangs, like BlackCat, have previously offered up to 90%, according to a 2022 MS-ISAC report.
In its latest threat report, Morphisec provided indicators of compromise tied to Pay2Key.I2P, including command-and-control details and payload signatures. Notably, the initial loader uses an obfuscated PowerShell script to silently add a Windows Defender exclusion for ".exe" files, so that executables dropped afterwards are never scanned and the follow-on payloads can be deployed without tripping detection.
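The exclusion trick above leaves a durable footprint that defenders can audit. The following PowerShell is an added example, not code from the Morphisec report or from the Pay2Key loader: it reads the live Defender configuration, flags exclusions broad enough to disable scanning for whole classes of files (an ".exe" extension exclusion among them), and pulls recent exclusion changes from the Defender operational log. The list of "broad" extensions and the path and process patterns are the author's assumptions about what looks abnormal on a workstation, not indicators published by Morphisec. It assumes an elevated session on a host with the Defender PowerShell module (exclusions are hidden from non-administrators on current builds).

```powershell
# Added example: audit Windows Defender for ransomware-style exclusions.
# Not from the Morphisec report; thresholds and patterns are assumptions.
# Run elevated: Get-MpPreference hides exclusion lists from standard users.

# Extensions whose exclusion effectively blinds Defender to executable content (assumed list).
$broadExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'scr', 'msi', 'vbs', 'js')

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()

    foreach ($ext in @($pref.ExclusionExtension)) {
        if (-not $ext) { continue }
        $norm = $ext.TrimStart('.').ToLowerInvariant()
        if ($broadExtensions -contains $norm) {
            $findings += [pscustomobject]@{
                Type = 'Extension'; Value = $ext
                Reason = 'Executable file type excluded from scanning'
            }
        }
    }

    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        # A drive root or a user-writable staging directory excluded wholesale is a red flag (assumed heuristic).
        if ($p -match '^[A-Za-z]:\\?$' -or $p -match '(?i)\\(Temp|Downloads|Public|ProgramData)\\?$') {
            $findings += [pscustomobject]@{
                Type = 'Path'; Value = $p
                Reason = 'Broad or user-writable path excluded'
            }
        }
    }

    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        # Script hosts and LOLBins excluded by process name let any child payload through (assumed heuristic).
        if ($proc -match '(?i)powershell|pwsh|cmd\.exe|wscript|cscript|rundll32|mshta|regsvr32') {
            $findings += [pscustomobject]@{
                Type = 'Process'; Value = $proc
                Reason = 'Script host or LOLBin excluded from scanning'
            }
        }
    }

    return $findings
}

# Event ID 5007 in the Defender operational log records configuration changes.
# Exclusion additions appear as a "New value:" line naming the registry value,
# e.g. ...\Exclusions\Extensions\exe, which is exactly what the loader writes.
function Get-RecentExclusionChanges {
    param([int]$Hours = 72)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        ForEach-Object {
            $change = if ($_.Message -match 'New value:\s*(.+)') { $Matches[1].Trim() } else { $_.Message }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Change = $change }
        }
}

$findings = Get-SuspiciousDefenderExclusions
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'No broad Defender exclusions found.' }

Get-RecentExclusionChanges -Hours 72 | Format-Table -AutoSize

# The registry mirror of the same setting, readable without the Defender module
# (useful when hunting via a remote registry or a forensic image).
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions' -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*
```

On a fleet, the 5007 query is the more useful of the two: an exclusion that was added and later removed leaves no trace in Get-MpPreference, but the configuration-change event still records the registry value and the time it was written. Forwarding that event and alerting on any "New value" under the Exclusions key catches the loader's first action rather than the encryption that follows it.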