In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.
The Pay2Key ransomware-as-a-Service (RaaS) gang, previously linked to the Iranian nation-state threat group Fox Kitten (UNC757), has re-emerged with a sharpened geopolitical focus and a revamped affiliate model aimed squarely at Western organizations.
According to new research, the group’s latest activity suggests it is now a more dangerous and ideologically driven threat actor, particularly in light of recent Iran-Israel-US tensions.
First identified in 2020, Pay2Key gained popularity through campaigns against Israeli targets. Despite remaining relatively obscure compared to bigger ransomware names, the gang has been on the radar of US federal agencies due to its connections to Iranian state-backed operations.
Now, researchers have confirmed that Pay2Key has resurfaced with a new ransomware variant, called Pay2Key.I2P, which is targeting organizations in the West. The ransomware gang has introduced more incentives for affiliates, offering up to 80 percent of ransom payments for attacks directed at the “enemies of Iran,” including Israel and the US.
“Their focus on Western targets, coupled with rhetoric tied to Iran’s geopolitical stance, positions this campaign as a tool of cyber warfare,” the researchers wrote.
The ransomware gang has also introduced a Linux-targeted build of its ransomware, expanding its ability to attack a wider variety of IT environments. “The addition of a Linux-targeted ransomware build in June 2025 further expands their attack surface, threatening diverse systems.”
While profit-sharing models of 80% or more are not unprecedented, with groups like BlackCat and DragonForce offering similar deals, researchers emphasize that Pay2Key’s ideological motivation sets it apart.
“Personal communications reveal a group driven by ideology, rewriting their tools to maximize impact,” the researchers wrote. “As geopolitical tensions fuel such threats, proactive defense is essential.”