Pay2Key Ransomware Returns With New Political Targets and Lucrative Payouts

A New Cyber Offensive Fueled by Ideological Warfare

The Pay2Key ransomware gang, a group with documented ties to Iranian state-sponsored hackers, has made a forceful return to the cyber threat landscape. While previously considered a secondary player among ransomware-as-a-service (RaaS) operators, Pay2Key is now repositioning itself with sharper objectives, more aggressive tactics, and significantly increased financial incentives for its affiliates.

This resurgence is not just about money—it’s rooted in geopolitical strategy. The group has publicly announced an affiliate reward boost to 80% for attacks targeting Western adversaries, specifically the U.S. and Israel. Analysts are sounding the alarm, citing these developments as a sign of nation-state-driven cyber warfare that blends crime with ideology.

the Original

Pay2Key, first identified in 2020, is a ransomware group tied to the Iranian advanced persistent threat group known as Fox Kitten (UNC757). It gained initial attention for cyberattacks and data leaks targeting Israeli organizations. After a period of inactivity, it has now reemerged with a rebranded ransomware variant, Pay2Key.I2P, and a shift in strategic direction.

According to a report by Morphisec Labs, Pay2Key is now offering affiliates 80% of any ransom payments for attacks focused on Israel and the United States. The group uses the I2P network, a less commonly monitored alternative to Tor, to host its ransom portals and facilitate communication, making detection and takedown more difficult.

The resurgence of Pay2Key has been accompanied by a coordinated marketing campaign on Russian and Chinese dark web forums, indicating a professional relaunch with a multistage rollout. Over the past four months alone, the group has extorted over $4 million across 51 incidents. They also unveiled a new Linux-compatible ransomware build, widening their target set to include the servers and enterprise infrastructure that Windows-only ransomware misses.

Morphisec’s researchers note that the gang is not just motivated by financial gain but also by political ideology. Private chats with a Pay2Key member revealed a desire to inflict damage on countries considered hostile to Iran, while still avoiding direct violations of diplomatic ceasefires.

From a technical standpoint, the ransomware uses an obfuscated PowerShell script in its initial executable to disable Windows Defender scanning for all .exe files, blinding the endpoint's built-in protection without the loud signal that switching Defender off entirely would produce. The change is not invisible, however: Defender records configuration changes in its own operational event log (event ID 5007) and exposes the resulting exclusions and protection state through Get-MpPreference and Get-MpComputerStatus, so the tampering itself is a detectable artifact. Indicators of compromise (IoCs), C2 domains, and technical fingerprints have been made public to help defenders identify and mitigate future attacks.
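The following audit script is an added example written for this page; it is not code from the Morphisec report or from Pay2Key itself. It assumes a Windows endpoint with Microsoft Defender Antivirus, an elevated PowerShell session, and the standard Defender cmdlets and event log names. The list of "suspicious" excluded extensions and the broad-path patterns are the author's own choices, not indicators published for this campaign; tune them to your environment.

```powershell
# Added example: audit a Windows host for the kind of Defender weakening
# described above (an extension-wide exclusion such as .exe, or real-time
# protection turned off) and pull the configuration-change events Defender
# writes when its settings are altered. Requires an elevated session.

function Get-DefenderTamperFindings {
    [CmdletBinding()]
    param(
        # How far back to search the Defender operational log
        [int]$Hours = 24
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # 1. Extension exclusions. An 'exe' entry means no executable is ever scanned.
    #    The extension list here is an assumption for illustration, not an IoC.
    $riskyExt = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'scr')
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($ext -and ($ext.TrimStart('.').ToLower() -in $riskyExt)) {
            $findings.Add("Suspicious extension exclusion: $ext")
        }
    }

    # 2. Path exclusions covering a whole drive or a user-writable root.
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and ($p -match '^[A-Za-z]:\\?$' -or
                     $p -match '^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\?$')) {
            $findings.Add("Overly broad path exclusion: $p")
        }
    }

    # 3. Protection toggles and whether Tamper Protection would have blocked them.
    if ($pref.DisableRealtimeMonitoring)       { $findings.Add('Real-time monitoring disabled in MpPreference') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('RealTimeProtectionEnabled reports false') }
    if ($pref.DisableBehaviorMonitoring)        { $findings.Add('Behavior monitoring disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off; settings are changeable from PowerShell') }

    # 4. Recent configuration changes in the Defender operational log:
    #    5001 = real-time protection disabled, 5007 = configuration changed,
    #    5010 = malware scanning disabled, 5012 = virus scanning disabled.
    #    A 5007 message carries the old and new values, so it shows exactly
    #    which exclusion was added and when.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep the first two lines of the message; that is where the
        # changed setting and its values appear.
        $msg = (($e.Message -split "`r?`n") | Select-Object -First 2) -join ' '
        $findings.Add(("Event {0} at {1:u}: {2}" -f $e.Id, $e.TimeCreated, $msg))
    }

    return $findings
}

# Usage: review the last three days and surface anything found.
$results = Get-DefenderTamperFindings -Hours 72
if ($results.Count -eq 0) {
    Write-Output 'No Defender exclusions or protection changes of concern found.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

Run this from an incident-response jump host or as a scheduled collection across the fleet and alert on any non-empty result. Pair it with PowerShell script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational), which records the de-obfuscated script blocks as they execute and therefore catches the obfuscated loader itself rather than only its after-effects.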

What Undercode Say:

The resurgence of Pay2Key isn’t just another chapter in the ransomware saga—it’s a convergence of digital crime and international conflict. What sets this group apart is not only its improved toolset or profit-sharing structure but its ideological bent. Unlike purely criminal syndicates chasing profits, Pay2Key operates with geopolitical intent.

The 80% affiliate profit split, while not unprecedented in the RaaS market, is a smart recruitment tactic. It taps into a pool of cybercriminals willing to overlook political implications in exchange for high payouts. Moreover, Pay2Key’s deliberate use of the I2P network, over the more commonly used Tor, indicates a strategic move to avoid surveillance and complicate law enforcement tracking. It reflects an evolution in cyber threat architecture, one that leans toward resilience and evasion.

The introduction of a Linux-targeted variant is particularly alarming. While most ransomware attacks focus on Windows environments, Linux systems often underpin critical infrastructure—cloud services, servers, network appliances. By expanding into Linux, Pay2Key is aiming for deeper disruption, potentially crippling entire enterprise ecosystems.

Security vendors and international agencies must treat Pay2Key not just as another ransomware group but as a proxy actor in global cyber conflict. The indicators of compromise released by Morphisec are valuable, but prevention will require more than just reactive defenses. Organizations—especially in the U.S. and Israel—must harden their systems, enhance detection capabilities for Linux platforms, and proactively simulate and prepare for nation-state style attacks.

In summary, Pay2Key’s evolution from a fringe player to a geopolitically motivated threat actor should be a wake-up call. The threat landscape is shifting from monetization to militarization. And this may just be the beginning.

🔍 Fact Checker Results:

✅ Verified: Pay2Key is tied to Iranian threat actor Fox Kitten (UNC757).
✅ Verified: Affiliate revenue share was increased to 80% for targeting U.S. and Israeli entities.
✅ Verified: The ransomware now includes a Linux-targeting payload, confirmed by Morphisec Labs.

📊 Prediction:

Given the increased ideological drive and advanced tactics shown by Pay2Key, we predict an escalation in politically motivated ransomware attacks targeting Western critical infrastructure, especially in sectors like energy, defense, and public services. Expect more attacks over I2P, and a growing trend of ransomware gangs aligning with geopolitical actors to justify their operations and expand their recruitment.

References:

Reported By: www.darkreading.com