Webinar
February 26
Better SOC with Interactive Sandbox
Practical Use Cases
Pay2Key is a ransomware strain primarily written in C++ for Windows (with recent Linux variants), attributed to Iranian-linked actors, notably the Fox Kitten APT group (also known as UNC757 or related operations). First observed in late 2020, it employs double-extortion tactics (encrypting files and threatening to leak stolen data) while showing signs of both financial and state-aligned motivations. It has resurfaced in campaigns targeting Western organizations, including rapid encryption attacks on healthcare.
|
Ransomware
Type
:
|
Unknown
Origin
:
|
|
1 October, 2020
First seen
:
|
7 July, 2026
Last seen
:
|
|
Type
:
|
Unknown
Origin
:
|
|
1 October, 2020
First seen
:
|
7 July, 2026
Last seen
:
|
Pay2Key is a targeted ransomware family that combines encryption with credential theft, lateral movement, and data exfiltration.
The malware has been linked by multiple researchers to Iranian threat activity targeting organizations rather than individual users.
Attackers commonly gain initial access using compromised VPN accounts, exposed remote services, or stolen enterprise credentials.
Enterprise-wide compromise often occurs long before ransomware deployment through reconnaissance and privilege escalation.
Strong identity protection, network segmentation, MFA, and tested offline backups significantly reduce ransomware risk.
Continuous monitoring for credential abuse and lateral movement can reveal Pay2Key activity before encryption begins.
ANY.RUN Threat Intelligence Lookup and Threat Intelligence Feeds help security teams proactively identify Pay2Key infrastructure, detect related indicators of compromise, enrich SIEM and EDR telemetry, and stop attacks during the early stages of intrusion.
Pay2Key sample analyses in ANY.RUN Sandbox found via TI Lookup
Pay2Key is a ransomware family that emerged in late 2020 and quickly gained attention for targeting Israeli organizations and businesses through carefully planned intrusions. Unlike commodity ransomware, Pay2Key operators combined ransomware deployment with credential theft, lateral movement, and data exfiltration, allowing them to maximize operational disruption and extortion pressure. The malware has also been linked by multiple security researchers to Iranian state-sponsored threat activity, making it notable as an example of financially motivated attacks overlapping with geopolitical objectives.
It encrypts files on compromised systems using strong cryptographic algorithms before demanding cryptocurrency payments in exchange for a decryption key.
While its technical capabilities resemble those of many enterprise ransomware families, Pay2Key distinguished itself through its operational approach. Rather than relying solely on automated infections, its operators typically gained privileged access to corporate networks, moved laterally across environments, harvested credentials, and selectively deployed ransomware where it would cause the greatest disruption.
Several cybersecurity vendors have assessed with moderate to high confidence that the Pay2Key campaign was operated by an Iranian threat group commonly tracked as Fox Kitten (UNC757/APT35-associated infrastructure), although the ransomware itself appeared to pursue financial extortion alongside broader strategic objectives.
The malware often formed the final stage of a larger intrusion involving:
This multi-stage approach makes Pay2Key significantly more dangerous than opportunistic ransomware that simply encrypts a single endpoint.
View Pay2Key sample analysis in ANY.RUN Sandbox
Pay2Key attack exposed in Interactive Sandbox
Pay2Key's dual identity — cybercriminal RaaS and state-aligned disruption tool — makes it a broader risk than a typical for-profit ransomware family:
Pay2Key's targeting has evolved alongside its operators' goals, but several patterns stand out:
June–October 2020 – Fox Kitten operators register infrastructure and compile the first Pay2Key samples; ransom notes demand relatively modest sums of 7–9 BTC (roughly $110K–$140K at the time).
Late 2020 – Wave of attacks against Israeli companies, largely via compromised RDP access following earlier VPN exploitation. Victim data is leaked on a Tor-hosted site, publicly tagging victims and media outlets — behavior researchers characterized as psychological/information warfare rather than pure extortion.
2021–2024 – Fox Kitten continues broad VPN-exploitation campaigns (Pulse Secure, Citrix, F5, Fortinet, Palo Alto) across government, defense, and energy sectors; a 2024 joint CISA/FBI advisory describes the group brokering network access to ransomware crews including NoEscape, RansomHouse, and BlackCat/ALPHV.
February 2025 – Relaunch as Pay2Key.I2P on a Russian-language underground forum, offering a flat $20,000 payout per successful attack and, later, an affiliate profit share increased to 80% for attacks supporting Iranian interests.
June 2025 – Release of a Linux-compatible encryptor, extending the malware from endpoints to servers, virtualization platforms, and cloud infrastructure.
Mid-2025 – Operators claim over 50 successful ransom payments and more than $4 million collected in four months, with individual affiliates reportedly earning up to $100,000.
Late 2025 – Pay2Key's operation is listed for sale on dark web forums and the group's own account; the sale process concludes without clear public resolution.
February 2026 – Confirmed intrusion at a U.S. healthcare organization, analyzed jointly by Beazley Security and Halcyon, showing a more evasive, forensically aware variant with no observed data exfiltration — a break from the group's earlier double-extortion pattern.
Consistent with Fox Kitten's long-standing tradecraft, Pay2Key rarely relies on phishing as its primary entry point. Instead:
1. Initial access via public-facing infrastructure. Operators scan the internet — reportedly using Shodan — for unpatched, internet-facing VPN and networking appliances, historically including Citrix NetScaler/ADC (CVE-2019-19781, CVE-2023-3519), Pulse Secure/Ivanti Connect Secure (CVE-2019-11510, CVE-2024-21887), F5 BIG-IP (CVE-2020-5902, CVE-2022-1388), Fortinet FortiOS (CVE-2018-13379), Palo Alto GlobalProtect (CVE-2024-3400), and Check Point Security Gateways (CVE-2024-24919).
2. Credential and webshell foothold. After exploitation, operators plant webshells, harvest credentials, and create discreetly named local or domain accounts (e.g., disguised as service accounts) to blend into legitimate administrative activity.
3. Internal pivoting. Exposed or brute-forced RDP is used as a secondary access route and as the primary mechanism for moving laterally across the network once inside.
4. Command-and-control and tunneling. The group routes traffic through reverse proxy tools such as FRPC and ReverseSocks5 to funnel activity through a single internet-connected pivot host, minimizing its external footprint; the newer Pay2Key.I2P infrastructure adds I2P-based anonymized C2 to the mix.
5. Rapid deployment. Once positioned, operators have historically distributed the ransomware payload across an entire compromised network within about an hour, using native tools like PsExec and PowerShell rather than custom deployment infrastructure — which helps the activity blend into normal admin traffic until encryption begins.
Upon execution (often as Cobalt.Client.exe), it reads a config file, generates RSA keys, and communicates with C2 (via proxy). It receives a dynamic configuration (target extensions, ransom note customized per victim, .pay2key or similar extension).
The malware discovers systems, stops interfering services (e.g., MS SQL), encrypts files (full/partial modes in Linux with ChaCha20; RSA+AES in Windows), and drops customized ransom notes. It includes self-cleanup, persistence mechanisms, and system info gathering. Linux builds require root, disable protections, and target mounts/backups.
View the attack chain in ANY.RUN Interactive Sandbox:
Pay2Key sample detonated in Interactive Sandbox
Pay2Key ransomware extracts several component files into the temporary directory, including data.bin and a command script named setup.cmd, which is later executed by Command Prompt.

Pay2Key components and processes
The setup.cmd script contains the following logic:
The script first determines whether the system is running under WOW64 and launches the appropriate PowerShell executable. It then removes previously extracted files, checks for the presence of additional payload components, and extracts multiple password-protected archives using 7za.exe. During execution, it reconstructs the 7-Zip executable from an embedded payload and uses it to unpack the remaining components.
If data2.bin is present, the script extracts files into the Avast installation directory (C:\Program Files\Avast Software\Avast) and executes additional utilities from there.
Malicious script behavior
If data4.bin exists, it extracts and executes task.ps1, which performs additional malicious actions. The script then extracts data3.bin and launches sfx-i386-amd64.exe, waiting for its execution to complete before continuing.
The PowerShell code embedded in the script also contains a custom XOR-based decoding routine used to decrypt embedded payloads stored in files such as data.bin, data1.bin, and data5.bin. The decoded payloads are executed directly in memory, while data1.bin is decoded and written to disk as 7za.exe.
Pay2Key decoded payload
After extracting and launching all required components, the ransomware executes Everything.exe, which is used to rapidly enumerate files across the system before encryption.
Pay2Key mutex
Before encrypting files, the malware performs several defense evasion actions. It suspends BitLocker protection using:
powershell.exe -ExecutionPolicy Bypass "Get-BitLockerVolume | Suspend-BitLocker"
It also disables hibernation using:
powercfg.exe -H off
Additionally, the ransomware uses delayed execution through the following command:
Pay2Key delayed execution command
This introduces a short delay before disabling security software and removing the extracted Avast directory.
Finally, the ransomware encrypts victim files by appending the .randomchars_p2key extension and drops the ransom note as:
C:\temp\HowToRestoreFiles.txt
Pay2Key ransom note
…instead of placing it in the standard Windows temporary directory.
Because Pay2Key's initial access almost always runs through exploited edge infrastructure rather than user-clicked payloads, defense has to start before the encryptor ever executes — and that means having visibility into the exploitation and staging activity, not just the ransomware binary.
ANY.RUN's Threat Intelligence Lookup gives SOC and DFIR teams a way to move from an isolated indicator to full attack context in seconds. If your team spots a suspicious IP, file hash, mutex, or command line potentially tied to Fox Kitten or Pay2Key activity, TI Lookup lets you search across dozens of event parameters — file paths, registry keys, network indicators, YARA rules — and pivot directly into the underlying interactive sandbox sessions where those indicators appeared.
That's especially valuable for a threat actor like Fox Kitten, whose tooling (webshells, proxy utilities, PsExec-based lateral movement) is often reused across intrusions; a single confirmed indicator can surface related infrastructure and TTPs from other victims' sessions before your own incident escalates.
ANY.RUN's Threat Intelligence Feeds take the opposite but complementary approach: instead of searching reactively, they push a continuously updated stream of malicious IPs, domains, and URLs — sourced from millions of real-world sandbox detonations — directly into your SIEM, firewall, or SOAR. For a group that rotates C2 infrastructure and proxy pivots as often as Fox Kitten does, fresh, low-false-positive feeds help block newly stood-up infrastructure before it's used against you, rather than relying solely on signatures for the ransomware binary itself.
Used together, TI Feeds shrink the window of exposure to known-bad infrastructure automatically, while TI Lookup gives analysts the investigative depth to confirm, scope, and hunt for related activity once something suspicious surfaces.
Beyond threat intelligence, organizations should treat these as baseline controls against Pay2Key specifically:
Pay2Key demonstrates that modern ransomware attacks are rarely isolated encryption events. Instead, they are the culmination of carefully orchestrated intrusions involving stolen credentials, reconnaissance, lateral movement, and data theft.
Although Pay2Key itself has remained relatively limited in scale compared to larger ransomware families, the tactics employed by its operators mirror those used by today's most sophisticated ransomware groups. Organizations that focus only on detecting file encryption risk missing the earlier stages where attackers are far easier to stop.
By combining proactive threat intelligence, continuous monitoring, strong identity security, and layered defenses, businesses can identify Pay2Key-related activity before it escalates into a costly ransomware incident.
Trial TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.