A sophisticated Iranian-backed ransomware operation has emerged as a significant threat to Western organizations, utilizing advanced PowerShell techniques to bypass Windows security systems.
Pay2Key.I2P, linked to the notorious Fox Kitten APT group, has rapidly expanded since its February 2025 debut, collecting over $4 million in ransom payments within just four months of operation.
Advanced Evasion Through Dual-Format Scripts
The Pay2Key.I2P ransomware employs a particularly sophisticated delivery mechanism centered on a dual-interpretable script that functions simultaneously as both a CMD batch file and a PowerShell script.
This technique allows the malware to execute initial setup commands through CMD before transitioning seamlessly to PowerShell for advanced evasion.
The attack chain begins with a 7-Zip self-extracting (SFX) archive containing an obfuscated setup.cmd script. When executed, the script performs XOR decryption with a rolling key to decode the embedded PowerShell payloads.
The decoded payload immediately creates a critical Windows Defender exclusion for all executable files using the command Add-MpPreference -ExclusionExtension ".exe", effectively creating a blind spot for the entire infection chain without triggering Microsoft’s anti-tampering mechanisms.
The malware further enhances its stealth capabilities by extracting and executing NoDefender, a tool disguised as the legitimate Windows component “powrprof.exe.”
This component performs registry and policy tampering to altogether disable Microsoft Defender, creating a second layer of antivirus bypass protection.
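One way to audit a Windows host for the two Defender-weakening steps described above (the broad extension exclusion and the policy tampering) is the PowerShell script below. It is an added example, not code from the article or from the malware; it assumes an elevated prompt, the standard Defender cmdlets and Operational event log, and the list of risky extensions is the editor's own choice.

```powershell
# Added audit example (not from the article or the Pay2Key operators).
# Run from an elevated PowerShell prompt on the host being checked.

# Extensions whose exclusion would blind Defender to an entire infection chain (editor's list).
$RiskyExtensions = @('.exe', '.dll', '.ps1', '.cmd', '.bat', '.vbs', '.js', '.scr')
$Findings = @()

# 1. Live exclusions: "Add-MpPreference -ExclusionExtension .exe" shows up here.
$Pref = Get-MpPreference
foreach ($ext in @($Pref.ExclusionExtension)) {
    if ($ext -and ($RiskyExtensions -contains $ext.ToLower().TrimStart('*'))) {
        $Findings += "Broad extension exclusion present: $ext"
    }
}
foreach ($p in @($Pref.ExclusionPath)) {
    if ($p -match '^[A-Za-z]:\\?$') { $Findings += "Whole-drive path exclusion: $p" }
}

# 2. Policy values that disable-Defender tooling flips to switch protection off.
$PolicyChecks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' = @('DisableAntiSpyware', 'DisableAntiVirus')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring')
}
foreach ($key in $PolicyChecks.Keys) {
    if (Test-Path $key) {
        $vals = Get-ItemProperty -Path $key
        foreach ($name in $PolicyChecks[$key]) {
            if ($vals.$name -eq 1) { $Findings += "Policy tamper: $key\$name = 1" }
        }
    }
}

# 3. Recent configuration changes: Defender records every setting change as event 5007
#    in Microsoft-Windows-Windows Defender/Operational, exclusion additions included.
$Since = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $Events) {
    if ($e.Message -match 'Exclusions\\(Extensions|Paths|Processes)') {
        $first = ($e.Message -split '\r?\n')[0]
        $Findings += "Exclusion change at $($e.TimeCreated): $first"
    }
}

if ($Findings.Count -eq 0) { 'No Defender exclusion or policy tampering found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Event 5007 is also the signal to forward to a SIEM, since a `.exe` exclusion is a configuration change rather than a detection and never raises a malware alert on its own.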
Commercial-Grade Protection and Geopolitical Motivations
What sets Pay2Key.I2P apart from typical ransomware operations is its use of Themida, a commercial-grade software protector rarely seen in commodity malware due to its high cost.
This protection makes reverse engineering and analysis extremely difficult, demonstrating the group’s substantial financial resources and technical sophistication.
The ransomware-as-a-service operation explicitly recruits supporters of Iranian geopolitical objectives as affiliates, offering an increased 80% profit share for attacks against “enemies of Iran.”
This ideological component distinguishes the campaign from purely profit-driven cybercrime, positioning it as a tool of state-sponsored cyber warfare.
Recent updates to the platform include Linux-targeting capabilities and enhanced anti-analysis features, such as registry checks to detect sandbox environments.
The group has demonstrated remarkable success with over 51 successful ransom payouts, with individual operators reportedly earning up to $100,000 in profits.
The operation’s strategic marketing across Russian and Chinese darknet forums, combined with a coordinated presence on social media platforms since January 2025, indicates careful planning and a professional approach to recruitment and operations.
This level of organization, coupled with the group’s technical capabilities and geopolitical motivations, represents a significant evolution in the ransomware threat landscape targeting Western infrastructure.
Indicators of Compromise (IOCs)