Pay2Key.I2P Ransomware
In the wake of escalating tensions between Iran, Israel, and the U.S., a sophisticated Ransomware-as-a-Service (RaaS) operation named Pay2Key.I2P has reemerged. Backed by Iranian interests, this financially motivated yet ideologically driven campaign offers heightened incentives for cybercriminals targeting Israel and the United States. The updated variant has introduced new infrastructure tactics and expanded its target capabilities, marking a concerning evolution in the ransomware landscape.
A Familiar Threat with a New Face
First linked to attacks in October 2020, Pay2Key has long been associated with Iranian state-sponsored operations. Its latest incarnation, Pay2Key.I2P, is believed to be connected to Fox Kitten (also known as Lemon Sandstorm), a known advanced persistent threat (APT) group. Notably, this campaign is believed to leverage or incorporate features from the Mimic ransomware, adding to its sophistication.
The updated RaaS model now offers an 80% profit share, an increase from the previous 70%, specifically to affiliates aligned with Iranian interests or those willing to conduct attacks against Iran's adversaries. This shift demonstrates a clear blend of financial and ideological motivations.
The Rise of the I2P-Based RaaS Platform
What sets Pay2Key.I2P apart is its use of the Invisible Internet Project (I2P) for hosting its entire infrastructure. While some malware families have utilized I2P for Command-and-Control (C2) functions, Pay2Key.I2P is the first known RaaS operation to run fully within this anonymized network. This adds a layer of stealth and resilience that complicates takedown efforts by law enforcement.
In February 2025, the group claimed over 51 successful ransom payments, generating more than $4 million in total revenue, with individual operators earning as much as $100,000. These numbers underscore the scale and success of the operation within a short timeframe.
A particularly notable event occurred on February 20, 2025, when a darknet user going by the alias 'Isreactive' advertised the ransomware on a Russian cybercrime forum. The post allowed anyone to deploy the binary for a $20,000 payout per successful attack, ushering in a shift in RaaS dynamics by enabling broader participation and greater revenue capture for developers.
Technical Advancements and Stealth Capabilities
Pay2Key.I2P demonstrates constant refinement, with the ransomware builder gaining Linux targeting capabilities as of June 2025. Its Windows variant is distributed as an executable within a self-extracting (SFX) archive, using advanced techniques to bypass detection.
Some key features include:
- Disabling Microsoft Defender Antivirus during execution
- Erasing malicious artifacts to reduce the forensic footprint
- Using disguised payloads, such as executable files masquerading as Microsoft Word documents, which then trigger cmd scripts to begin the encryption process and drop ransom notes
These stealthy behaviors make detection and remediation significantly more difficult for defenders.
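Two of the behaviours listed above (executables masquerading as Word documents, and disabling Microsoft Defender) leave traces a defender can look for. The following script is an added example, not code from the article or from any vendor tooling: it flags files whose name claims to be a document but whose content carries a Windows PE header (or whose name stacks a document extension before an executable one), and it scans process-creation log lines for commands that turn Defender off. The sample files and log lines are constructed for illustration; the detection patterns are generic and are not indicators taken from the campaign.

```python
"""Detection helpers for document-masquerading executables and Defender
tampering.  Added example; sample files and log lines are constructed."""
import os
import re
import tempfile

# Windows PE executables start with the 'MZ' DOS header; a genuine .docx is a
# ZIP container and starts with 'PK'.
PE_MAGIC = b"MZ"
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Generic patterns for Defender being switched off from a command line.
DEFENDER_TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"DisableAntiSpyware", re.I),
    re.compile(r"sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I),
]


def is_masquerading_document(path: str) -> bool:
    """True if the file presents itself as a document but is really a PE
    binary, or uses a double extension such as 'contract.docx.exe'."""
    name = os.path.basename(path).lower()
    base, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTENSIONS and os.path.splitext(base)[1] in DOCUMENT_EXTENSIONS:
        return True
    if ext in DOCUMENT_EXTENSIONS:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    return False


def scan_directory(directory: str) -> list:
    """Sorted names of files in directory flagged as masquerading documents."""
    return sorted(n for n in os.listdir(directory)
                  if is_masquerading_document(os.path.join(directory, n)))


def find_defender_tampering(log_lines) -> list:
    """(line_number, pattern) for each log line that tries to disable Defender."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for pattern in DEFENDER_TAMPER_PATTERNS:
            if pattern.search(line):
                hits.append((number, pattern.pattern))
                break
    return hits


# Constructed sample files: one genuine-looking document, one PE under a
# document name, one double extension.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 28,
    "invoice.docx": b"MZ\x90\x00" + b"\x00" * 28,
    "contract.docx.exe": b"MZ\x90\x00" + b"\x00" * 28,
}

# Constructed process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-06-01T10:00:01 host1 ProcessCreate Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe report.txt",
    "2025-06-01T10:00:05 host1 ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell"
    "\\v1.0\\powershell.exe CommandLine=powershell -nop -c \"Set-MpPreference "
    "-DisableRealtimeMonitoring $true\"",
    "2025-06-01T10:00:07 host1 ProcessCreate Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd /c type C:\\Users\\Public\\readme.txt",
]


def write_sample_files(directory: str) -> None:
    """Write the constructed sample files into directory."""
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)


def run_demo():
    """Run both detectors on the constructed samples; returns (flagged, hits)."""
    with tempfile.TemporaryDirectory() as directory:
        write_sample_files(directory)
        flagged = scan_directory(directory)
    hits = find_defender_tampering(SAMPLE_LOG)
    return flagged, hits


if __name__ == "__main__":
    flagged_files, tamper_hits = run_demo()
    print("masquerading files:", flagged_files)
    print("Defender tampering on log lines:", [n for n, _ in tamper_hits])
```

The file check reads only the first two bytes, so it is cheap enough to run across a download or mail-attachment quarantine directory; the log check is the kind of rule an EDR or SIEM would apply to process-creation events, and the patterns should be tuned against the administrative scripts that legitimately change Defender settings in a given environment.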
A Broader Threat Landscape and Strategic Implications
Pay2Key.I2P is more than just a criminal enterprise; it represents a cyber warfare front that is aligned with the interests of the Iranian state. Its ideological underpinnings are evident through its targeted payout incentives and strategic victim selection.
This threat is unfolding against a backdrop of heightened geopolitical tensions. Following American airstrikes on Iranian nuclear facilities, U.S. intelligence agencies have issued warnings about possible retaliatory cyberattacks. Between May and June 2025, researchers recorded 28 Iranian-attributed cyber attacks, primarily focused on the U.S. transportation and manufacturing sectors.
Prominent Iranian APT groups behind these campaigns include:
- MuddyWater
- APT33
- OilRig
- Cyber Av3ngers
- Fox Kitten
- Homeland Justice
These actors are increasingly targeting industrial and critical infrastructure in both the U.S. and allied nations, emphasizing the urgent need for improved cybersecurity defenses.
Conclusion: Prepare for an Evolving Threat
Pay2Key.I2P is a stark reminder of how ransomware threats are evolving into tools of geopolitical influence and cyber warfare. With technical sophistication, high affiliate rewards, and ideological motivations, this campaign is not just about money; it is about power and disruption. Organizations, especially those in critical sectors, must remain vigilant, ensure system vulnerabilities are patched, and implement proactive defense strategies to combat this emerging menace.