Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
Jul 11, 2025
Cyber Warfare / Cybercrime
An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering bigger payouts to cybercriminals who launch attacks against Israel and the U.S.

The financially motivated scheme, now operating under the moniker Pay2Key.I2P, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).

"Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, [...] Pay2Key.I2P appears to partner with or incorporate Mimic's capabilities," Morphisec security researcher Ilia Kulmin said.

"Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment."

Last year, the U.S. government revealed the advanced persistent threat's (APT) modus operandi of carrying out ransomware attacks by covertly partnering wi...