A new wave of ransomware attacks has emerged under the name Pay2Key.I2P, targeting organizations in Western countries. The campaign is driven by both financial and ideological motives linked to Iranian interests.

Who is behind these attacks?

The attacks are attributed to an Iranian-backed group known as Pay2Key, now operating as Pay2Key.I2P. They have connections to the Fox Kitten APT group and have reused tools from the Mimic ransomware family.

What are the goals of these attacks?

The attackers aim to collect ransom payments while also promoting political and ideological messages aligned with Iran’s interests. They encourage attacks against perceived enemies of Iran and reward affiliates accordingly.

How big is this threat?

In just four months, the group has earned over $4 million from more than 50 successful attacks, indicating a well-organized and impactful operation.

Who is being targeted?

The campaign focuses on Western entities. The ransomware now also includes versions that target Linux systems, suggesting a wide range of potential victims.

How do the attacks work?

Victims receive a disguised file that silently disables antivirus protections and runs malicious scripts, eventually encrypting files and demanding a ransom. The attackers use advanced techniques to avoid detection.

Why are these targets appealing to the attackers?

Western organizations are seen both as profitable and politically symbolic targets. The attackers view these operations as part of a broader cyber warfare campaign.

What should organizations do to protect themselves?

They should review and harden endpoint defenses, monitor systems for unusual activity, patch vulnerabilities, and maintain secure backups. Awareness and preparation are key.

Is this a widespread issue or a targeted one?

While the campaign is ideologically driven, the use of ransomware-as-a-service means it could affect a wide range of victims indiscriminately, especially those with weak defenses.

Threats Feed|Fox Kitten|Last Updated 16/07/2025|AuthorCertfa Radar|Publish Date08/07/2025

Fox Kitten-Linked Ransomware Operation Hits $4M in Geopolitical Cyber Campaign

Actor Motivations: Extortion,Financial Gain,Other
Attack Vectors: Ransomware
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

Since February 2025, the Iranian-aligned Pay2Key.I2P ransomware-as-a-service (RaaS) operation—linked to Fox Kitten APT and Mimic ransomware—has launched ideologically driven attacks against Western targets. With a strong presence on Russian and Chinese darknet forums, the group markets an advanced ransomware builder with capabilities for both Windows and Linux. The payloads use advanced evasion techniques, including dual CMD/PowerShell scripts, Themida packing, and AV bypass tools like “NoDefender.” Over $4 million in ransom payments and 51 successful attacks were recorded in four months. Targets are not specified by country or sector, but the campaign’s rhetoric and infrastructure indicate a focus on geopolitical adversaries of Iran.

Reference and Credit: Morphisec - July 2025

Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West

Detected Targets

Type	Description	Confidence
Region	Israel	High
Region	United States	High

Extracted IOCs

gos-usa[.]xyz
17fc4df8ef9a92c972684cba707c3976b91bcd7f0251f42f1b63e4de0e688d6c
188c215fa32a445d7ffa90dc51c58bddcd62a714a8f6eac89b92574c349bf901
1c3f2530b2764754045039066d2c277dff4efabd4f15f2944e30b10e82f443c0
1c70d4280835f18654422cec1b209eec856f90344b8f02afca82716555346a55
1d0ec8e34703a7589533462be62c020004cfe0f7b20204f9e6c79b84cbfafc9b
242fa471582c2f37c17717dc260cb108584c44e86b8831382f7b2f5fc63aeb6b
2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
39d3ba87a27eae69a01666b0ecbb8c60259be4b3decf4cdd1d950c98c6c0b08c
3ba64d08edbfadec8e301673df8b36f9f7475c83587930fc9577ea366ec06839
60ec008c8515934c3c8d89f84bbcc8fac9144e642c0143d8230f465f4e66f62c
65be56f46b2aa6bb64b9e560a083a77a80a1b5a459bcba8d385aa62f8e7b153f
6f0b01ceb4e2cfbdfe8b92729f18eb7f4953bf9859085dc3ac81983274065d6c
7336b865f232f7fccb9b85524d5ebdc444344de363f77e1b1c3eaeeb3428e1a5
791bb67fe91e9bd129607a94714e9e79afe304271d839b369aab8813d2da4ac1
89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
9c06ea83553c6dab3d831e1046cee237a9c1b1ed79b3b2e37ed9f3c8a38643eb
a05c18e81911608cf2edb19907092d542548abb695e48e3217dfbec2f3dfcd04
a8bfa1389c49836264cfa31fc4410b88897a78d9c2152729d28eca8c12171b9e
b64305852ddb317b7839b39db602fcdda60e7658f391ff4ba52fce4dbca89089
bd4635d582413f84ac83adbb4b449b18bac4fc87ca000d0c7be84ad0f9caf68e
d61a55d368a1dcf570f633c7a23ae12361749c2d7000178dd9e353528c325907
d8e423c8644b686ad3376f38f3e4df55a152ee4cac2af3079651263f002d8c26
e237cf378e2848f687a494ab67faf9e7ec784d00090cd598a9f1e3291c97181f
f947771556e0a0d900b21de6a37abd04c1d2e0e84d0062f61c49d792ffedeec5
fb653fd840b0399cea31986b49b5ceadd28fb739dd2403a8bb05051eea5e5bbc

download

Tip: 26 related IOCs (0 IP, 1 domain, 0 URL, 0 email, 25 file hash) to this threat have been found.

FAQs

Understanding the Pay2Key.I2P Ransomware Threat

: A new wave of ransomware attacks has emerged under the name Pay2Key.I2P, targeting organizations in Western countries. The campaign is driven by both financial and ideological motives linked to Iranian interests.
: The attacks are attributed to an Iranian-backed group known as Pay2Key, now operating as Pay2Key.I2P. They have connections to the Fox Kitten APT group and have reused tools from the Mimic ransomware family.
: The attackers aim to collect ransom payments while also promoting political and ideological messages aligned with Iran’s interests. They encourage attacks against perceived enemies of Iran and reward affiliates accordingly.
: In just four months, the group has earned over $4 million from more than 50 successful attacks, indicating a well-organized and impactful operation.
: The campaign focuses on Western entities. The ransomware now also includes versions that target Linux systems, suggesting a wide range of potential victims.
: Victims receive a disguised file that silently disables antivirus protections and runs malicious scripts, eventually encrypting files and demanding a ransom. The attackers use advanced techniques to avoid detection.
: Western organizations are seen both as profitable and politically symbolic targets. The attackers view these operations as part of a broader cyber warfare campaign.
: They should review and harden endpoint defenses, monitor systems for unusual activity, patch vulnerabilities, and maintain secure backups. Awareness and preparation are key.
: While the campaign is ideologically driven, the use of ransomware-as-a-service means it could affect a wide range of victims indiscriminately, especially those with weak defenses.

About Affiliation

Fox Kitten