Pay2Key is a ransomware-as-a-service (RaaS).Following the Israel-Iran-US conflict, I2P has reappeared. The financially motivated scheme is believed to be connected to a hacking group known as Fox Kitten (also known as Lemon Sandstorm), and it is currently operating under the Pay2 key. Iranian threat actors have been using Pay2key since October

2020.

These attacks target Israeli companies by taking advantage of known security flaws. The ransomware builder's ability to target Linux systems as of June 2025 suggests that the threat actors are actively enhancing the functionality of the locker. In contrast, the Windows equivalent is supplied as a self-extracting (SFX) archive containing a Windows executable.

Additionally, it uses a number of evasion strategies that enable it to operate without interference by turning off Microsoft Defender Antivirus. Between May and June 2025, the company identified 28 cyberattacks associated with Iranian threat actors. The company released a statement on Monday saying, "Companies in the U.S.

and abroad are urged to be vigilant and review their security posture." An Iranian threat actor was responsible for the attacks. According to the company, businesses in the US, Europe, and Asia were the targets of the attacks. None of the cyberattacks were connected to the Iranian government.

It claimed to have discovered the attacks because, among other reasons, they were connected to Iran's "malign activities" in the Middle East and North Africa. The cyberattacks targeted businesses in the UK, France, Germany, Italy, and Spain, among other countries. The businesses claimed that Iran's influence in the area was the reason they found them.

They claimed that they also sought to sabotage Iran's political and economic systems.