“Iran-linked Pay2Key ransomware group re-emerges. Security experts have warned that an Iranian ransomware group has returned with enhanced evasion, execution and anti-forensics capabilities. Previously linked to Tehran and usually targeting victims aligned with the regime’s…”
T1486 Data Encrypted for Impact
63%
“to find hosts and validate credentials, the report explained. “The threat actors used harvested credentials to pivot across systems, and interacted with Active Directory via dsa.msc, the built-in AD ‘Users and Computers’ console. We believe this was to prevent tooling from …”
T1486 Data Encrypted for Impact
54%
“Iran-linked Pay2Key ransomware group re-emerges. Security experts have warned that an Iranian ransomware group has returned with enhanced evasion, execution and anti-forensics capabilities. Previously linked to Tehran and usually targeting victims aligned with the regime’s…”
T1003 OS Credential Dumping
45%
“to find hosts and validate credentials, the report explained. “The threat actors used harvested credentials to pivot across systems, and interacted with Active Directory via dsa.msc, the built-in AD ‘Users and Computers’ console. We believe this was to prevent tooling from …”
T1588.001 Malware
39%
“Iran-linked Pay2Key ransomware group re-emerges. Security experts have warned that an Iranian ransomware group has returned with enhanced evasion, execution and anti-forensics capabilities. Previously linked to Tehran and usually targeting victims aligned with the regime’s…”
T1003 OS Credential Dumping
36%
Summary
Halcyon and Beazley Security track the return of Iranian ransomware group Pay2Key