Pay2Key.I2P, an Iranian-backed ransomware-as-a-service linked to the Fox Kitten APT group and Mimic ransomware, has rapidly expanded its ideologically motivated operations against Western organizations. The ransomware includes advanced evasion techniques and recently added Linux targeting, collecting over $4 million in ransom payments within four months. #Pay2Key.I2P #FoxKitten #MimicRansomware
Keypoints
- Pay2Key.I2P emerged in February 2025 as a ransomware-as-a-service with an 80% profit share to affiliates supporting Iran or attacking its enemies.
- The ransomware operation is linked to the Fox Kitten APT group and incorporates Mimic ransomware capabilities.
- The campaign has made over 51 ransom payouts and amassed more than $4 million in four months.
- The ransomware uses sophisticated evasion techniques including Windows Defender exclusion, registry tampering, and Themida protection.
- The group operates on the I2P network with referral codes to track affiliates and offers a platform for custom ransomware creation and victim communication.
- Recent updates include adding a Linux-targeted ransomware build and introducing anti-analysis checks against sandbox environments.
- Operators actively advertise on Russian and Chinese darknet forums and have maintained a presence on X (Twitter) since January 2025.
MITRE Techniques
- [T1070] Indicator Removal on Host – The ransomware disables Microsoft Defender by creating exclusions for all “.exe” files and uses the “NoDefender” tool to tamper with registry and policy settings (‘…disguised copy of NoDefender — a tool that disables Microsoft Defender through registry and policy tampering…’).
- [T1112] Modify Registry – Execution of powrprof.exe modifies registry keys to disable security tools (‘…renamed copy of NoDefender — a tool that disables Microsoft Defender through registry and policy tampering…’).
- [T1053] Scheduled Task/Job – The setup script creates a scheduled task for postponed ransomware execution (‘…create a scheduled task for postponed execution of the ransomware…’).
- [T1140] Deobfuscate/Decode Files or Information – The setup.cmd script uses XOR decryption to decode obfuscated PowerShell payloads (‘…defines a decoder function named encode. It performs an XOR decryption…’).
- [T1486] Data Encrypted for Impact – The enc-build.exe Mimic ransomware encrypts victims’ files and displays a ransom note upon completion (‘…After successful ransomware execution, a ransom note will be created…’).
- [T1059] Command and Scripting Interpreter – The ransomware uses a dual-interpretable setup script for CMD and PowerShell to execute payloads and bypass detection (‘…script is engineered to be dual-interpretable by both CMD and PowerShell…’).
- [T1027] Obfuscated Files or Information – Payload components are encrypted, packed in .bin files, and patched with 7-Zip signatures to evade detection (‘…adds the correct 7-Zip signature header, allowing extraction tools to recognize and unpack it…’).
- [T1204] User Execution – The ransomware payload is delivered as a self-extracting archive that requires execution by the user (‘…Payload is delivered as a Windows executable that functions as a 7-Zip Self-Extracting (SFX) archive…’).
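As an added illustration (not code from the Morphisec report or from the operators), the Python rules below flag the three host-side behaviours the technique list describes: a Defender exclusion covering .exe files, Defender policy/registry tampering, and a scheduled task whose action points at a user-writable path. The sample event lines are constructed, and the specific registry value names and cmdlets are assumed examples of such tampering; the summary does not name the exact keys NoDefender modifies.

```python
import re

# Constructed sample telemetry in the shape of process-creation events
# (ParentImage / Image / CommandLine). Not taken from the report.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension .exe"',
    'ParentImage=C:\\Users\\Public\\setup.cmd Image=C:\\Windows\\System32\\reg.exe '
    'CommandLine="reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f"',
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine="schtasks /Create /SC ONCE /TN Update /TR C:\\Users\\Public\\enc-build.exe /ST 23:00"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Program Files\\7-Zip\\7zG.exe CommandLine="7zG.exe x archive.7z"',
]

# Each rule: (label, compiled pattern). Value names and cmdlets are assumed
# examples of Defender tampering, not indicators quoted from the report.
RULES = [
    # Exclusion that covers every .exe, i.e. effectively disables scanning of executables
    ("defender_exclusion_exe",
     re.compile(r'Add-MpPreference\b.*-Exclusion(?:Extension|Path)\s+"?\*?\.?exe\b', re.I)),
    # Policy/registry tampering that switches Defender components off
    ("defender_policy_tamper",
     re.compile(r'(?:reg(?:\.exe)?\s+add\b.*Windows Defender.*\b(?:DisableAntiSpyware|DisableRealtimeMonitoring)\b)'
                r'|(?:Set-MpPreference\b.*-DisableRealtimeMonitoring)', re.I)),
    # Scheduled task whose action lives in a user-writable directory (deferred payload launch)
    ("scheduled_task_user_writable",
     re.compile(r'schtasks(?:\.exe)?\b.*/create\b.*/tr\s+"?[^"]*\\(?:Users|ProgramData|Temp)\\', re.I)),
]


def classify(event: str) -> list[str]:
    """Return the labels of every rule that matches one event line."""
    return [label for label, pattern in RULES if pattern.search(event)]


def scan(events) -> list[tuple[int, list[str]]]:
    """Return (index, labels) for each event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            hits.append((i, labels))
    return hits


if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS):
        print(index, labels)
```

Any single hit is worth triage, but the combination of all three from one parent script within a short window is the pattern the setup stage described above would produce.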
Indicators of Compromise
- [File Hashes] Payload and components – 7zip SFX Payload: 65BE56F46B2AA6BB64B9E560A083A77A80A1B5A459BCBA8D385AA62F8E7B153F; setup.cmd: 188C215FA32A445D7FFA90DC51C58BDD; enc-build.exe (Mimic ransomware): 791BB67FE91E9BD129607A94714E9E79A; powrprof.exe (“NoDefender”): A8BFA1389C49836264CFA31FC4410B88897A78D9C; and others.
- [Domains] Command and control – gos-usa[.]xyz used by operators to drop files.
Read more: https://www.morphisec.com/blog/pay2key-resurgence-iranian-cyber-warfare/