Pay2Key
Pay2Key is an Iran-linked ransomware operation active since 2020. Open-source reporting describes it as aligned with Iranian state interests, with ties to the Iranian government and to the Iranian state-sponsored group Fox Kitten (UNC757), and characterizes it both as a ransomware-as-a-service (RaaS) operation and as an Iranian state-backed ransomware operation. Reporting also notes recruitment of affiliates on Russian cybercriminal forums, marketing on Russian and Chinese dark web forums, possible ties to Russian-speaking threat actors, and uncertainty about ownership and operational control after the group reportedly tried to sell the operation in late 2025.

Historically, Pay2Key was associated with attacks on Israeli organizations, including hack-and-leak and data-wiping activity. More recent reporting says the group has shifted toward Western targets and offers affiliates a larger revenue share for attacks against "the enemies of Iran," particularly the United States and Israel.

In late February 2026, Pay2Key targeted a U.S. healthcare organization. Halcyon and Beazley Security reported that the actors:
- compromised an administrative account and remained in the environment for several days;
- used TeamViewer for interactive access;
- harvested credentials with Mimikatz, LaZagne, and ExtPassword;
- performed network discovery with tools including Advanced IP Scanner and a tool believed to be NetScan;
- interacted with Active Directory via dsa.msc and enumerated backup software;
- disabled Microsoft Defender using a "No Defender" toolkit and inhibited recovery;
- deployed the ransomware through a self-extracting 7-Zip archive named abc.exe, encrypting the environment in about three hours;
- cleared logs afterward.

Multiple reports state that no evidence of data exfiltration was found in that incident, and researchers assessed the operation as more destructive than financially motivated.
Newer Pay2Key variants are reported to carry enhanced evasion, execution, anti-forensics, and anti-detection capabilities. Reporting also describes a Linux variant, Pay2Key.I2, first detected in the wild in late August 2025 and aimed at organizational servers, virtualization hosts, and cloud workloads. That Linux build reportedly requires root privileges, disables SELinux and AppArmor, kills services and processes, persists via cron, enumerates mounted filesystems, and encrypts with ChaCha20.

Separate analysis of a January 2026 Windows build describes it as Mimic/Conti-derived and delivered in a self-extracting 7z archive; it uses the Everything file-search APIs for file enumeration, the Windows Restart Manager to release files held open by other processes, and ChaCha20 for file encryption with Curve25519-based protection of the file keys.

Reporting also states that Pay2Key has targeted organizations in the United States, Israel, Azerbaijan, and the United Arab Emirates. Aliases and related names mentioned in the reporting include Pay2Key.I2 and Pay2Key.I2P, with Fox Kitten (UNC757) as the linked Iranian threat group.
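Most of the steps in the February 2026 Windows chain and in the Linux variant's behaviour are individually unremarkable (TeamViewer, mmc.exe, systemctl and reading /proc/mounts are routine), so a hunt for this tradecraft should correlate stages per host rather than alert on single tools. The block below is an added example written for this page, not code from Mallory, Halcyon, Beazley Security or the Pay2Key analyses; it runs a stage-correlation hunt over constructed host telemetry in JSON Lines form and flags hosts that reach several distinct stages. The record schema, the sample records, the recovery-inhibition commands (the reporting only says recovery was "inhibited") and the 7-Zip SFX temporary-directory prefix are assumptions; the tool names, abc.exe, the Defender disablement, log clearing and the SELinux/AppArmor/cron/mount behaviours come from the reporting summarized above. Windows Event IDs 1102 (Security log cleared), 104 (System log cleared) and Defender/Operational 5001 (real-time protection disabled) are standard event IDs.

```python
"""Stage-correlation hunt for the Pay2Key tradecraft summarized above (added example).

Input is host telemetry as JSON Lines. The record schema, the SAMPLE_LOG records and the
recovery-inhibition / 7-Zip SFX details are CONSTRUCTED assumptions for this example;
tool names and behaviours otherwise follow the reporting."""
import json
import re
from collections import defaultdict


def _img(rec):
    """Lower-case basename of the process image, handling both path separators."""
    return (rec.get("image") or "").rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def _cmd(rec):
    return (rec.get("cmdline") or "").lower()


def _proc_text(rec):
    return _img(rec) + " " + _cmd(rec)


# (stage, predicate). A stage is only meaningful in combination: one hit is routine admin work.
WINDOWS_RULES = [
    ("remote_access", lambda r: r["kind"] == "process" and _img(r) == "teamviewer.exe"),
    ("cred_harvest", lambda r: r["kind"] == "process"
        and any(t in _proc_text(r) for t in ("mimikatz", "lazagne", "extpassword", "sekurlsa::"))),
    ("discovery", lambda r: r["kind"] == "process"
        and any(t in _proc_text(r) for t in ("advanced_ip_scanner", "netscan", "dsa.msc"))),
    # Defender/Operational event 5001 = real-time protection disabled; the PowerShell
    # switch is the usual scripted equivalent.
    ("defender_tamper", lambda r: (r["kind"] == "defender" and r.get("event_id") == 5001)
        or "disablerealtimemonitoring" in _cmd(r)),
    # ASSUMED commands: the reporting only says recovery was "inhibited".
    ("inhibit_recovery", lambda r: r["kind"] == "process"
        and any(t in _cmd(r) for t in ("delete shadows", "delete catalog", "recoveryenabled no"))),
    # abc.exe is the archive name from the reporting; "7zS" is the temp-dir prefix a
    # 7-Zip SFX extracts into (ASSUMED here as a generic SFX indicator).
    ("sfx_deploy", lambda r: r["kind"] == "process"
        and (_img(r) == "abc.exe" or "\\7zs" in (r.get("parent_image") or "").lower())),
    # Security 1102 / System 104: "the audit log was cleared".
    ("log_clear", lambda r: r["kind"] == "log_clear" and r.get("event_id") in (1102, 104)),
]

LINUX_RULES = [
    ("mac_disable", lambda r: r["kind"] == "process"
        and any(t in _cmd(r) for t in ("setenforce 0", "systemctl stop apparmor", "aa-teardown"))),
    ("cron_persist", lambda r: r["kind"] == "file_write"
        and re.match(r"^/(etc/cron|var/spool/cron)", r.get("path") or "") is not None),
    ("kill_services", lambda r: r["kind"] == "process"
        and (_img(r) in ("pkill", "killall") or "kill -9" in _cmd(r))),
    ("mount_enum", lambda r: r["kind"] == "file_read"
        and (r.get("path") or "") in ("/proc/mounts", "/proc/self/mountinfo", "/etc/mtab")),
]


def parse_records(lines):
    return [json.loads(line) for line in lines if line.strip()]


def correlate(records):
    """Map each host to the set of tradecraft stages seen on it."""
    hits = defaultdict(set)
    for rec in records:
        rules = WINDOWS_RULES if rec.get("os") == "windows" else LINUX_RULES
        for stage, pred in rules:
            if pred(rec):
                hits[rec["host"]].add(stage)
    return dict(hits)


def triage(lines, min_stages=3):
    """Hosts reaching min_stages distinct stages, most stages first, as (host, [stages])."""
    flagged = [(h, sorted(s)) for h, s in correlate(parse_records(lines)).items()
               if len(s) >= min_stages]
    return sorted(flagged, key=lambda hs: -len(hs[1]))


# Constructed telemetry: ws01 mirrors the reported Windows chain, srv01 the Linux variant,
# ws02/srv02 carry single benign-looking hits that must NOT be flagged.
SAMPLE_LOG = r"""
{"host":"ws01","os":"windows","kind":"process","image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","cmdline":"TeamViewer.exe"}
{"host":"ws01","os":"windows","kind":"process","image":"C:\\Users\\admin\\Desktop\\mimikatz.exe","cmdline":"mimikatz.exe privilege::debug sekurlsa::logonpasswords"}
{"host":"ws01","os":"windows","kind":"process","image":"C:\\Users\\admin\\Desktop\\Advanced_IP_Scanner.exe","cmdline":"Advanced_IP_Scanner.exe"}
{"host":"ws01","os":"windows","kind":"process","image":"C:\\Windows\\System32\\mmc.exe","cmdline":"mmc.exe dsa.msc"}
{"host":"ws01","os":"windows","kind":"defender","event_id":5001}
{"host":"ws01","os":"windows","kind":"process","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe Delete Shadows /All /Quiet"}
{"host":"ws01","os":"windows","kind":"process","image":"C:\\Users\\admin\\Desktop\\abc.exe","cmdline":"abc.exe"}
{"host":"ws01","os":"windows","kind":"log_clear","event_id":1102,"channel":"Security"}
{"host":"ws02","os":"windows","kind":"process","image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","cmdline":"TeamViewer.exe"}
{"host":"srv01","os":"linux","kind":"process","image":"/usr/sbin/setenforce","cmdline":"setenforce 0"}
{"host":"srv01","os":"linux","kind":"file_write","path":"/etc/cron.d/sysupdate"}
{"host":"srv01","os":"linux","kind":"process","image":"/usr/bin/pkill","cmdline":"pkill -9 -f mysqld"}
{"host":"srv01","os":"linux","kind":"file_read","path":"/proc/mounts"}
{"host":"srv02","os":"linux","kind":"file_read","path":"/proc/mounts"}
"""

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_LOG.splitlines()):
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
```

With the default threshold of three stages, ws01 and srv01 are flagged while ws02 (TeamViewer only) and srv02 (a mount read only) are not; lowering the threshold trades that precision for earlier warning. Because the reported chain ran for several days before a three-hour encryption window, the correlation window in a real deployment should be days, not minutes, and the log_clear stage should be treated as a post-encryption signal rather than something to wait for.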
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇮🇱 Israel
Where they're from
Attributed origin per open-source reporting.
- 🇮🇷 Iran
Tradecraft
29 distinct techniques observed across reporting, grouped by tactic.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Iran-linked ransomware operation targeting US healthcare with disruptive and strategic objectives.
Iranian-government-linked ransomware activity targeting a US healthcare organization, with access established before attack and ransomware deployed rapidly; described as more destructive than financially motivated in this case.
An Iranian ransomware-as-a-service operation tied to the Iranian government and Fox Kitten, targeting a U.S. healthcare organization and using improved evasion, execution, and anti-forensics techniques. The group historically used double extortion, though no data was exfiltrated in this incident.
An Iranian state-backed ransomware operation being revived to attack high-impact US targets, recruit affiliates from Russian cybercriminal forums, and support Iran's geopolitical objectives through ransomware, pseudo-ransomware, and profit-sharing incentives.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.