Iran-linked Pay2Key operation resurfaces with pseudo-ransomware tactics and expanded affiliate network

1 unique source, 1 article

Summary

Iran has reactivated the state-backed Pay2Key ransomware operation, recruiting affiliates from Russian cybercrime forums to conduct pseudo-ransomware attacks against high-impact US targets as part of its ongoing geopolitical conflict with the US and Israel. The campaign blends destructive wiper malware (e.g., Apostle retrofitted as ransomware) with extortion schemes to obscure geopolitical motives, complicate attribution, and maximize disruptive and financial impact. Affiliates receive profit-sharing incentives (up to 80% payouts) for attacks aligning with Iranian state objectives, effectively outsourcing cyber retribution to the global cybercrime ecosystem.

Timeline

  1. 31.03.2026 16:31 · 1 article

    Pay2Key re-emerges with pseudo-ransomware tactics and expanded affiliate network targeting US entities

    The Iran-linked Pay2Key ransomware operation has been reactivated, with affiliates recruited from Russian cybercrime forums to conduct pseudo-ransomware attacks. The campaign leverages destructive wiper malware (e.g., Apostle repurposed as ransomware) to disguise geopolitically motivated sabotage as financial extortion. Affiliates receive profit-sharing incentives (up to 80%) for attacks targeting US and Israeli entities, aligning with Iranian state objectives.

Information Snippets

  • Pay2Key, an Iranian state-backed ransomware operation, has been reactivated with recruitment of affiliates from Russian cybercriminal forums.

    First reported: 31.03.2026 16:31
    1 source, 1 article
  • The operation deploys pseudo-ransomware, where encryption is used to disguise destructive activities typical of wiper malware.

  • Iranian APT Agrius has repurposed the Apostle malware—originally a data wiper—into a ransomware variant to create destructive smokescreens.

  • Affiliates receive increased profit-sharing (70% to 80%) for attacks targeting US and Israeli entities, aligning with Iranian geopolitical goals.

  • Iran’s cyber strategy leverages hybrid state-criminal operations to conduct punitive cyberattacks while complicating attribution and regulatory compliance for victims.
