State-aligned actors in Iran are establishing partnerships with participants in Russian threat actor forums, among others, blurring the boundaries between state-directed and financially motivated cyber operations. This operational shift supports their broader geopolitical objectives in the ongoing conflict involving the US and Israel.
As part of these developments, an Iranian state-backed operation known as Pay2Key has resurfaced. According to a recent report from KELA's Cyber Intelligence Center, the group is actively recruiting affiliates to target high-impact entities in the US. The methodology involves deploying "pseudo-ransomware" and operating as an initial access broker (IAB) for other ransomware groups, combining business disruption with financial gain.
KELA researchers note that pseudo-ransomware relies on encryption but serves primarily as a destructive tool, functioning similarly to wiper malware rather than a mechanism for standard financial extortion.
These shifts reflect a broader strategy to adopt established cybercrime methodologies following the joint US-Israel military action on February 28. KELA's analysis indicates that these operations create significant business disruption while introducing complex attribution challenges, leading to elevated legal and operational risks for affected organizations.
When an organization experiences a ransomware or extortion event, determining the identity of the threat actor becomes a critical compliance requirement. If ransom payments are inadvertently routed to state-linked entities, such as those sanctioned by the US Treasury's Office of Foreign Assets Control (OFAC), the organization faces the risk of severe financial and legal penalties.
Evaluating historical and current methodologies
The recent increase in Pay2Key activity parallels events from last July, following a conflict where the US and Israel targeted Iranian nuclear facilities. During that period, Pay2Key operations resumed with a focus on Western organizations, offering increased financial incentives for operations aligning with Iran’s geopolitical goals.
Currently, operators are utilizing a similar profit-sharing model. Pay2Key affiliates recruited online receive an increased share, from 70% up to 80%, when they successfully gain unauthorized access to networks belonging to designated geopolitical adversaries, primarily within the US and Israel. KELA describes this incentive structure as a method of outsourcing geopolitical operations to a broader pool of threat actors, acting as a scalable force multiplier for state-aligned activities.
Simultaneously, state-aligned groups are deploying destructive tools under the guise of financial extortion. By using ransomware-style encryption, these actors obscure data destruction, sabotage, or political retribution. For example, the Iran-backed group APT Agrius uses the Apostle malware, which researchers observed was retrofitted from its original data wiper format into a ransomware variant. Applying financial extortion frameworks over destructive wipers allows these actors to obscure their primary motives and complicates incident response efforts.
Adapting defenses for hybrid threats
The deliberate blending of state-sponsored operations and opportunistic financial extortion means that defenders must simultaneously manage operational, financial, and geopolitical risks. Navigating this environment requires organizations to implement foundational resilience measures alongside proactive controls.
To protect organizational infrastructure against these evolving tactics, we recommend the following defensive actions:
Apply security patches and continuously monitor internet-facing edge devices for unauthorized access.
Deploy phishing-resistant multi-factor authentication (MFA) across the environment.
Maintain secure, offline backups and regularly test incident response readiness.
Additionally, we advise organizations to properly segment IT and operational technology (OT) systems while hardening access controls. This structural separation reduces the risk of lateral movement by state-backed threat actors. Maintaining continuous threat intelligence monitoring will also improve an organization's visibility into adversary infrastructure and the compromised credential market, enabling faster identification of potential risks.
Context Note: The original reporting for this intelligence was provided by Elizabeth Montalbano, a contributing writer with over 25 years of professional experience covering technology, business, and culture.