www.infosecurity-magazine.com, 3/26/2026, 11:08:11 AM

Iran-Linked Pay2Key Ransomware Group Re-Emerges

Threat actor: Pay2Key

Security experts have warned that an Iranian ransomware group has returned with enhanced evasion, execution and anti-forensics capabilities, according to a story dated 26 March 2026. Pay2Key, previously linked to Tehran and usually targeting victims aligned with the regime's interests, has been active since 2020; the Halcyon report behind the story notes that recent US-Iran tensions appear to have accelerated the group's activity. Since July 2025 the group has received more than $8m in ransom payments linked to 170 victims, indicating that it remains an operational, Iran-linked actor.

The attack described involved harvesting credentials and using TeamViewer for interactive access, then pivoting across systems with Mimikatz, LaZagne and ExtPassword, before the ransomware was deployed via a self-extracting 7zip archive (abc[.]exe) and the entire infrastructure was encrypted within three hours. A "No Defender" evasion toolkit was also used and later removed to cover the group's tracks.
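As an added defender-side illustration that is not part of the article or of the Halcyon report, the sketch below correlates the stages of the chain just described (TeamViewer access, credential-dumping tools, the reported SFX name, Defender tampering) per host inside the three-hour window the story reports; the telemetry record format, stage names and sample events are assumptions constructed for the example.

```python
"""Stage correlation for the reported Pay2Key intrusion chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-case substrings expected in the process image or command line per stage.
# Tool names come from the article; abc.exe is the SFX filename it reports, and a
# production rule would match 7-Zip self-extractors on behaviour, not on name.
STAGES = {
    "remote_access": ("teamviewer",),
    "credential_theft": ("mimikatz", "lazagne", "extpassword"),
    "defender_tamper": ("nodefender", "no defender"),
    "sfx_payload": ("abc.exe",),
}


def classify(event):
    """Return the chain stage an endpoint event matches, or None."""
    text = (event["image"] + " " + event.get("cmdline", "")).lower()
    for stage, needles in STAGES.items():
        if any(n in text for n in needles):
            return stage
    return None


def correlate(events, window=timedelta(hours=3), min_stages=3):
    """Map host -> sorted stages when >= min_stages distinct stages fall in one window."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample telemetry (hosts, times and images are invented).
SAMPLE_EVENTS = [
    {"ts": "2026-03-20T01:00:00", "host": "srv01", "image": "TeamViewer.exe"},
    {"ts": "2026-03-20T01:20:00", "host": "srv01", "image": "mimikatz.exe"},
    {"ts": "2026-03-20T02:05:00", "host": "srv01", "image": "abc.exe"},
    {"ts": "2026-03-20T09:00:00", "host": "ws07", "image": "TeamViewer.exe"},
    {"ts": "2026-03-20T09:10:00", "host": "ws07", "image": "notepad.exe"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only srv01 reaches three stages
```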

There was no evidence of data exfiltration, which the report authors claimed could be due to targeted destruction of evidence by the group. Defenders are urged to treat Pay2Key as an active, unpredictable threat with tactics and objectives warranting ongoing monitoring and proactive intelligence sharing across the security community.


Article by CyberSIXT