Ethical Hacking News
The Iranian group Pay2Key.I2P has been ramping up its ransomware attacks on Israel and the US with incentives for affiliates, threatening Western organizations with sophisticated attacks. With ties to Fox Kitten and Mimic, this group offers an 80% profit share to support attacks aligned with Iran's interests. As geopolitical tensions fuel such threats, it's essential for organizations to take proactive steps to protect themselves against these attacks.
Pay2Key.I2P is an Iranian-backed ransomware-as-a-service operation linked to the Fox Kitten APT group and Mimic ransomware. The group claims over $4 million in ransoms in four months, with affiliates earning up to $100,000 each. Pay2Key.I2P offers affiliates an 80% profit share to support attacks aligned with Iran's interests. The group uses sophisticated tactics, including a complex loader script and sandbox evasion checks. Pay2Key.I2P has expanded its reach with a Linux version of their ransomware, targeting Western organizations. Proactive defense is essential to stop this group; organizations should strengthen their defenses against ransomware attacks.
Iranian group Pay2Key.I2P ramps up ransomware attacks against Israel and US with incentives for affiliates.
The world of cybercrime is always evolving, with new threats emerging every day. In recent weeks, a group of hackers known as Pay2Key.I2P has been making headlines for their relentless attacks on Western targets. The Iranian-backed ransomware-as-a-service operation has been linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware.
According to cybersecurity firm Morphisec, Pay2Key.I2P appears to partner with or incorporate Mimic's capabilities. This partnership has resulted in a significant increase in the group's ability to launch sophisticated attacks against its victims. The group claims over $4 million in ransoms in four months, with some affiliates earning $100,000 each.
But what makes Pay2Key.I2P so dangerous? For starters, the group offers affiliates an 80% profit share, up from 70%, to support attacks aligned with Iran's interests. This not only drives the group's motivation but also provides a clear connection to the Iranian government's cyber warfare efforts.
The group's tactics are equally sophisticated. Pay2Key.I2P uses a complex, dual-format loader script embedded in a 7-Zip SFX archive to evade detection and deliver Mimic ransomware. The script is crafted to run in both CMD and PowerShell, enabling layered obfuscation and AV evasion. It disables Microsoft Defender without triggering anti-tampering, uses XOR-encrypted payloads, and loads tools like 7za.exe and NoDefender.
But what's even more alarming is the group's ability to adapt and evolve. A new version, in use from March 2025, includes sandbox evasion checks, a helper function to mask payload formats, modular execution via task.ps1, and optional deceptive behavior triggered by data5.bin. This level of sophistication suggests that Pay2Key.I2P has access to advanced tools and resources.
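As an added illustration (not code from the article or from Morphisec), the following heuristic scores constructed process-creation events for the loader behaviour described above: the named artifacts (7za.exe, NoDefender, task.ps1, data5.bin) and the CMD-to-PowerShell hand-off of the dual-format script. The JSON event schema, the sample telemetry and the scoring weights are assumptions.

```python
import json

# Artifact names are the ones quoted in the article; the event schema
# (image/parent/cmdline as JSON lines) and the weights are assumptions.
LOADER_ARTIFACTS = ("7za.exe", "nodefender", "task.ps1", "data5.bin")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe")

def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmdline = ev.get("cmdline", "").lower()
    reasons = []
    # One point per named loader artifact seen in the image or command line.
    for name in LOADER_ARTIFACTS:
        if name in image or name in cmdline:
            reasons.append(f"artifact:{name}")
    # The dual-format script runs under CMD and hands off to PowerShell,
    # so one script host spawned by the other earns a point.
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and image != parent:
        reasons.append(f"chain:{parent}->{image}")
    return len(reasons), reasons

def find_suspicious(jsonl, threshold=2):
    """Parse JSON-lines events and return those scoring at or above threshold."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"image": ev.get("image"), "score": score, "reasons": reasons})
    return hits

# Constructed sample telemetry for demonstration, not real logs.
SAMPLE_EVENTS = """
{"image": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell -File task.ps1"}
{"image": "7za.exe", "parent": "cmd.exe", "cmdline": "7za.exe x data5.bin"}
{"image": "notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe notes.txt"}
{"image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell Get-Process"}
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The threshold keeps a lone PowerShell launch or a single artifact name from firing on its own; tune it against your own baseline telemetry.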
The group's ideological ties to Iran are also clear, with a focus on Western targets. In June, they expanded their reach with a Linux version of their ransomware, broadening the scope of their cyberwarfare campaign. This move is seen as a direct response to the conflict between Israel and Iran, with Pay2Key.I2P seeking to assert its dominance in the global cyber landscape.
But what can be done to stop this group? According to Morphisec, proactive defense is essential. The firm recommends that organizations take immediate action to strengthen their defenses against ransomware attacks. This includes disconnecting OT and industrial control systems from the internet, using strong passwords, applying software updates, and enabling phishing-resistant multifactor authentication.
The US cybersecurity and intelligence agencies have also warned of rising cyber threats from Iranian state-linked hackers, which they expect to escalate. These actors typically exploit outdated software, known vulnerabilities, and weak or default passwords on internet-connected systems.
In light of this growing threat, it's clear that Pay2Key.I2P is a force to be reckoned with in the world of cybercrime. Their ability to adapt, evolve, and partner with other groups makes them a significant threat to Western organizations. As geopolitical tensions fuel such threats, it's essential for organizations to take proactive steps to protect themselves against these attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-Campaigns-on-the-Rise-The-Iranian-Connection-ehn.shtml
https://securityaffairs.com/179754/malware/iranian-group-pay2key-i2p-ramps-up-ransomware-attacks-against-israel-and-us-with-incentives-for-affiliates.html
Published: Wed Jul 9 08:21:06 2025 by llama3.2 3B Q4_K_M