Iran-Linked Pay2Key Ransomware Group Re-Emerges

By Team-CWD, March 26, 2026, 3 min read

Security experts have warned that an Iranian ransomware group has returned with enhanced evasion, execution and anti-forensics capabilities.

Previously linked to Tehran and usually targeting victims aligned with the regime’s interests, Pay2Key has been active since 2020.

However, a new report from Halcyon and Beazley Security warned that “recent US-Iran tensions appear to have accelerated activity from the group.”

The report dissected a new attack on a US healthcare provider which appeared to show an evolving set of TTPs.

Read more on Pay2Key: Suspected Iranian Ransomware Group Targets Israeli Firms

It’s unclear whether the group bought access from an initial access broker or performed reconnaissance on the victim itself. However, with a foothold in the network, the actors used TeamViewer to establish “interactive access” and then began harvesting passwords for lateral movement, using Mimikatz, LaZagne, and ExtPassword.

They then used “Advanced IP Scanner” and ns.exe (presumed to be NetScan) to find hosts and validate credentials, the report explained.

“The threat actors used harvested credentials to pivot across systems, and interacted with Active Directory via dsa.msc, the built-in AD ‘Users and Computers’ console. We believe this was to prevent tooling from automatically flagging the access as anomalous or suspicious,” it continued.

“We believe this was used to identify accounts to be used in concert with ransomware deployment as well as accessing an assortment of backup-related software on victim hosts. Backup systems enumerated include IBackup, Barracuda Yosemite, and Windows Server Backup.”

Ransomware execution was performed through a self-extracting 7-Zip archive (SFX), abc.exe, which is consistent with previous campaigns. Encryption of the entire infrastructure took just three hours.

The group also deployed a “No Defender” evasion toolkit, which it then removed to hide its tracks.

There was no evidence of data exfiltration, which the report authors claimed “could be due to targeted destruction of evidence by the group.”
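As an added illustration that is not part of the article or the Halcyon/Beazley report, the script below shows one way a defender could correlate the tools named above across process-creation telemetry: each event is mapped to a stage of the described chain, and a host is flagged only when several distinct stages appear on it, so a lone admin opening dsa.msc is not an alert. The event shape (Sysmon Event ID 1 style dicts), hostnames and file paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Stages drawn from the Pay2Key TTPs summarised above. Tool names are matched
# against the image path and command line of process-creation events. ns.exe is
# included because the report presumed it to be NetScan; TeamViewer is
# legitimate software and only matters when seen alongside other stages.
STAGES = {
    "remote_access":  re.compile(r"teamviewer", re.I),
    "cred_harvest":   re.compile(r"mimikatz|lazagne|extpassword", re.I),
    "host_discovery": re.compile(r"advanced[ _]ip[ _]scanner|\bns\.exe\b|netscan", re.I),
    "ad_console":     re.compile(r"dsa\.msc", re.I),
    "sfx_dropper":    re.compile(r"\babc\.exe\b", re.I),  # SFX file name from the report
}


def classify_event(event):
    """Return the first stage an event matches, or None.

    event: dict with keys host, user, image, cmdline (constructed schema).
    """
    haystack = f"{event['image']} {event['cmdline']}"
    for stage, pattern in STAGES.items():
        if pattern.search(haystack):
            return stage
    return None


def score_hosts(events, min_stages=2):
    """Collect matched stages per host and return hosts with at least
    min_stages distinct stages, sorted for stable comparison."""
    per_host = defaultdict(set)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            per_host[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample events; hostnames, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\Advanced_IP_Scanner.exe", "cmdline": "Advanced_IP_Scanner.exe"},
    {"host": "DC01", "user": "admin", "image": r"C:\Windows\System32\mmc.exe", "cmdline": "mmc.exe dsa.msc"},
    {"host": "FS01", "user": "svc_bk", "image": r"C:\Tools\ns.exe", "cmdline": "ns.exe"},
    {"host": "FS01", "user": "svc_bk", "image": r"C:\Users\Public\abc.exe", "cmdline": "abc.exe"},
    {"host": "WS02", "user": "SYSTEM", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Thresholding on distinct stages rather than on any single tool keeps the logic useful once the actors rename binaries, as long as at least two behaviours remain observable.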

Questions Over Iran Links

The attack follows a previous campaign analyzed by Morphisec that coincided with US missile strikes on Iran last year. Since July 2025, the group has received more than $8m in ransom payments linked to 170 victims.

This could indicate that Pay2Key remains an Iranian-linked operation whose attacks intensify during periods of geopolitical tension involving the country, but it is not a given.

“The group’s attempted sale of its entire operation in late 2025, combined with observed ties to Russian-speaking threat actors on criminal forums, raises unresolved questions about the current ownership, operational control and future trajectory of the group’s RaaS platform,” the Halcyon report noted.

Whatever the ownership, however, network defenders should be aware of the threat it poses, the report concluded.

“The group does not always appear to prioritize extortion and financial gain over the destruction of victim environments for strategic impact,” it said.

“Defenders should treat these findings as a clear signal that Pay2Key remains an active, unpredictable, and politically motivated threat whose tactics and objectives warrant ongoing monitoring and proactive intelligence sharing across the security community.”
