Malware · Ransomware · Used by 3 actors

Pay2Key

Pay2Key is an Iran-linked ransomware family and ransomware-as-a-service operation first observed in 2020 and repeatedly described as aligned with Iranian state interests, with reported ties to Fox Kitten/Pioneer Kitten and links to disruptive campaigns against Israeli, U.S., and other regional targets. Public reporting associates it with attacks on organizations in Israel, the United States, Azerbaijan, the United Arab Emirates, and Russia, including a late-February 2026 intrusion against a U.S. healthcare organization. It has also been described as targeting organizational servers, virtualization hosts, and cloud workloads via a Linux variant.

Its core capability is file encryption for extortion using strong cryptography. Earlier reporting states that Pay2Key encrypts victim data using RSA and AES, while more recent technical analysis of a 2026 build describes a Mimic-based encryptor using per-file ChaCha20 keys protected with Curve25519/X25519 key exchange. The malware has been reported as based on Mimic, itself derived from the leaked Conti builder. In one observed incident it appended the .ywgulm_p2k extension and dropped ransom notes in Russian, English, and Spanish. A January 2026 sample used the internal name "payfast," while a February 2026 healthcare variant reportedly used the internal name "Cobalt."

The malware and its operators show significant emphasis on evasion, anti-forensics, and operational resilience. Multiple reports state Pay2Key has enhanced evasion, execution, and anti-forensics capabilities. Observed behavior includes clearing activity and event logs, self-deletion, and overwriting its own executable with zeros via fsutil before deleting it. In the February 2026 healthcare intrusion, operators reportedly disabled Microsoft Defender by falsely indicating a third-party antivirus product was active, inhibited recovery, and removed tooling after use. Technical analysis also notes use of the Windows Restart Manager API to unlock files, termination of numerous services and processes before encryption, and packaging in self-extracting 7z archives consistent with prior campaigns.

Reporting describes several intrusion and deployment patterns. In the 2026 healthcare case, attackers reportedly compromised an administrative account, remained in the environment for days, used TeamViewer for interactive access, harvested credentials with Mimikatz, LaZagne, and ExtPassword, enumerated hosts with Advanced IP Scanner and NetScan, interacted with Active Directory via dsa.msc, and then deployed the ransomware through a self-extracting archive named abc.exe. Separate reporting on Fluffy Wolf campaigns in Russia states Pay2Key was delivered through phishing emails themed as debts, reconciliation statements, or legal claims, using malicious RAR archives or GitHub-hosted downloads, alongside loaders such as PowerLoader and PureCrypter.

Public reporting also describes command-and-control and pivoting functionality: Pay2Key has used RSA-encrypted communications with its C2, sent its public key to the C2 server over TCP, and designated compromised machines as reverse-proxy pivot points to channel C2 communications.

A Linux variant, Pay2Key.I2, was first detected in the wild in late August 2025. It targets Linux infrastructure including servers, virtualization hosts, and cloud workloads; requires root privileges; disables SELinux and AppArmor; kills services and processes; enumerates mounted filesystems via /proc/mounts; persists via a cron entry to resume after reboot; and uses ChaCha20 encryption with obfuscated per-file metadata. The analysis also notes a hardcoded string, "DontDecompileMePlease," used in metadata handling.

Known high-confidence artifacts and indicators reported for the family include the ransom note path C:\temp\Decrypt_files.txt, the session key file C:\temp\session.tmp, the contact address ueli.maurer@onionmail.org, and hashes associated with a January 2026 build and its components: encryptor SHA256 2ae80e5bff8fc9055ce7dc60e59447cba6e6c3a215eea1b6de7d9cb5ae26f9e8, SFX loader SHA256 5e1ba287113770184fb51f0faed1a851d5066fa263a67a463da17601de82cb5a, encrypted payload SHA256 c45b87fff769379ebb9f4708438e208ee134692a2392a987205bfe900cceacb1, DC.exe SHA256 c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e, and xdel.exe SHA256 e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c.
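The host-side behaviours summarised above (the fsutil zero-fill before self-deletion, the .ywgulm_p2k extension, the C:\temp artifacts, and the two Terminal Server registry values the page lists under T1112) translate directly into endpoint detection logic. The block below is an added example, not code from Mallory or from any of the cited reports: the telemetry and event schema are constructed, and the `fsutil file setzerodata` subcommand and `reg add` command form are assumptions about how the reported behaviour appears in process-creation logs.

```python
import re
# Constructed endpoint telemetry (not from the page or any real incident); "process" = command line, "file" = write path.
SAMPLE_EVENTS = [
    {"type": "process", "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /t REG_DWORD /d 1 /f'},
    {"type": "process", "cmd": r'reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f'},
    {"type": "file", "path": r"C:\temp\Decrypt_files.txt"},
    {"type": "file", "path": r"D:\finance\Q1.xlsx.ywgulm_p2k"},
    {"type": "process", "cmd": r"fsutil file setzerodata offset=0 length=2097152 C:\Users\Public\abc.exe"},
    {"type": "process", "cmd": r"cmd /c del /f /q C:\Users\Public\abc.exe"},
    {"type": "process", "cmd": "fsutil fsinfo drives"},  # benign admin use, must not fire
]
# Literal values taken from the page (T1112 registry values, note/session-key paths, extension), lowercased.
TS_PERSISTENCE_VALUES = ("allowmultipletssessions", "fsinglesessionperuser")
NOTE_PATHS = (r"c:\temp\decrypt_files.txt", r"c:\temp\session.tmp")
EXTENSION = ".ywgulm_p2k"
# Assumption: the page says fsutil zero-fills the executable; "setzerodata" is the
# fsutil subcommand that does this. The regexes and the event schema are ours.
REG_ADD_RE = re.compile(r"\breg(\.exe)?\s+add\b", re.IGNORECASE)
ZEROFILL_RE = re.compile(r"\bfsutil(\.exe)?\s+file\s+setzerodata\b.*\.exe\b", re.IGNORECASE)

def classify(event):
    # Stateless rules: ATT&CK-tagged findings for a single event.
    hits = []
    if event["type"] == "process":
        cmd = event["cmd"].lower()
        if REG_ADD_RE.search(cmd) and any(v in cmd for v in TS_PERSISTENCE_VALUES):
            hits.append("T1112 Terminal Server persistence value")
        if ZEROFILL_RE.search(cmd):
            hits.append("T1070.004 fsutil zero-fill of an executable")
    else:
        path = event["path"].lower()
        if path.endswith(EXTENSION):
            hits.append("T1486 Pay2Key extension written")
        if path in NOTE_PATHS:
            hits.append("T1486 ransom note or session key artifact")
    return hits

def scan(events):
    # Run the rules over the stream and correlate a zero-fill followed by a delete of the same path.
    findings, wiped = {}, set()
    for i, ev in enumerate(events):
        for h in classify(ev):
            findings.setdefault(h, []).append(i)
        if ev["type"] == "process":
            target = ev["cmd"].split()[-1].lower()  # last token is the file path in both commands
            if ZEROFILL_RE.search(ev["cmd"]):
                wiped.add(target)
            elif re.search(r"\bdel\b", ev["cmd"], re.IGNORECASE) and target in wiped:
                findings.setdefault("T1070.004 wipe-then-delete of the same file", []).append(i)
    return findings
```

The correlation step matters because a single `del` or a single `fsutil` invocation is common administrative noise; the zero-fill-then-delete pair on the same path is the anti-forensic pattern the page describes.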

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Fluffy Wolf

When deploying the Pay2Key ransomware, the attackers employ heavy anti-forensic techniques to cover their tracks.

via security online infosecurityonline.info
n3tw0rm

Early May 2021 saw another set of disruptive ransomware attacks attributed to Iran targeting Israel from the n3tw0rm ransomware group, a newly-identified threat actor with links to the 2020 Pay2Key attacks.

via sentinelone labs (sentinelone.com)
Fox Kitten

The disclosure comes as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with ties to the country's government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020.

via the hacker news (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

25 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1078 Valid Accounts (evidence: 2)

Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...

T1566 Phishing (evidence: 1)

Security researchers have uncovered a series of highly sophisticated Fluffy Wolf phishing attacks targeting Russian organizations across various critical sectors.

T1566.001 Spearphishing Attachment (evidence: 1)

The messages came with "reconciliation statements", "claims" and other documents attached, which in fact turned out to be archives containing malware. Sometimes the attachment was attached directly...

T1566.002 Spearphishing Link (evidence: 1)

...while in other cases the victim was given a link to a GitHub repository from which a RAR archive was downloaded. According to the researchers, Fluffy Wolf makes heavy use of GitHub because such links look legitimate and help bypass email filters...

Persistence

2 techniques
T1078 Valid Accounts (evidence: 2)

Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...

T1112 Modify Registry (evidence: 1)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions (registry value; Terminal Server persistence)
HKLM\system\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser (registry value; Terminal Server persistence)

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

To remain hidden, the threat actors inject these payloads into trusted Windows processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe.

T1078 Valid Accounts (evidence: 2)

Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...

Stealth

4 techniques
T1055 Process Injection (evidence: 1)

To remain hidden, the threat actors inject these payloads into trusted Windows processes such as RegAsm.exe, InstallUtil.exe, and MSBuild.exe.

T1070.004 File Deletion (evidence: 9)

For example, the ransomware uses the Windows fsutil command to overwrite its own executable file with zeros before completely deleting it.

T1078 Valid Accounts (evidence: 2)

Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

Defense evasion has remained a critical phase, where threat actors employ multiple obfuscation techniques (T1140)

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions (registry value; Terminal Server persistence)
HKLM\system\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser (registry value; Terminal Server persistence)

Credential Access

1 technique
T1003 OS Credential Dumping (evidence: 1)

...TeamViewer for access, credential harvesting with Mimikatz and LaZagne...

Discovery

5 techniques
T1007 System Service Discovery (evidence: 1)

The lineage is visible in the service and process kill lists. The encryptor terminates 60+ services and 40+ processes before encryption...

T1016 System Network Configuration Discovery (evidence: 4)

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

T1057 Process Discovery (evidence: 1)

The lineage is visible in the service and process kill lists. The encryptor terminates 60+ services and 40+ processes before encryption...

T1082 System Information Discovery (evidence: 5)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (evidence: 1)

The encryptor builds on Mimic ransomware, a Conti derivative that uses voidtools Everything for filesystem enumeration.

Collection

1 technique
T1560 Archive Collected Data (evidence: 1)

...and a self-extracting 7z archive that deployed the encryptor.

Command and Control

6 techniques
T1090.001 Internal Proxy (evidence: 1)
T1095 Non-Application Layer Protocol (evidence: 1)
T1105 Ingress Tool Transfer (evidence: 1)

Once PowerLoader infiltrates a target host, it spawns hidden PowerShell instances to retrieve additional malicious scripts directly from the command-and-control (C2) server. These scripts systematically deploy the final payloads...

T1219 Remote Access Tools (evidence: 1)

Halcyon and Beazley Security published a joint report detailing the attack chain: compromised admin credentials, a week of dormancy, TeamViewer for access...

T1573 Encrypted Channel (evidence: 1)

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

T1573.002 Asymmetric Cryptography (evidence: 1)

Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2"). Examples of asymmetric cryptography include: "encrypts some C2 with RSA", "RSA encryption for C2 communications", "hard-coded RSA public key", "RSA-2048", "RSA-4096", and "REvil has encrypted C2 communications with the ECIES algorithm".

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 1)

"...it achieved some notoriety for hack-and-leak attacks on Israeli organizations."

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 10)

In one of the incidents studied, the attackers also deployed the Pay2Key encryptor, based on the Mimic ransomware, on the victim's system. The malware encrypted files, appending the .ywgulm_p2k extension to them...

T1489 Service Stop (evidence: 1)

The encryptor terminates 60+ services and 40+ processes before encryption. Services include AcronisAgent, BackupExecJobEngine, CAARCUpdateSvc...; processes include sqlservr, sqlagent, msaccess, mysqld, oracle, python, node, java, Raccine, Sysmon...

Other

1 technique
T1562 Impair Defenses (evidence: 1)

This is an older build from the same RaaS platform, sharing the same toolchain, SFX delivery structure, and NoDefender AV evasion kit documented in the Halcyon report.

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Hashes (14 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
