
In recent days, the United States government has expressed its unwavering support for Israel in its ongoing conflict with Iran. While the direct military engagements between these nations have notably decreased, experts warn that the situation may still be far from stable.
According to cybersecurity analysts, Iranian forces appear to be orchestrating a covert cyberwarfare campaign targeting Israel, potentially escalating tensions and creating new complexities in the conflict.
The Iranian government’s new approach, according to threat analysts at Morphisec, involves deploying a sophisticated ransomware attack against Israeli government infrastructure. The purpose of this attack is not merely to disrupt services on a superficial level, but to cause significant, lasting damage to key governmental operations.
The Iranian forces are leveraging a novel tactic called Ransomware-as-a-Service (RaaS), in which they offer ransomware tools to other malicious actors, thereby guaranteeing a substantial return on investment. In this case, Iranian operatives are reportedly claiming an 80% share of the profits generated by this cyber campaign.
At the core of this campaign is Pay2Key, a revived version of a malware-as-a-service operation. The campaign is being run by a notorious hacking group known as Fox Kitten, which has a long history of conducting high-profile cyberattacks.
Fox Kitten, an Advanced Persistent Threat (APT) group, has been responsible for a series of cyber intrusions targeting critical infrastructure. Their goal is not just to wreak havoc, but to spark broader political and economic turmoil by destabilizing key sectors of government and industry. Through these actions, Fox Kitten aims to cause financial and infrastructural damage that could create long-term chaos in the region.
In the cybersecurity community, Fox Kitten is also sometimes referred to as Lemon Sandstorm. This moniker is used to describe the group’s operations, which have often been linked to notorious ransomware variants such as Mimic Ransomware. The group has also been associated with various other cybercriminal syndicates, including BlackCat (also known as ALPHV), RansomHouse, and NoEscape, which further highlights the international and collaborative nature of their malicious operations.
According to researchers at Morphisec, the Pay2Key campaign has been remarkably lucrative. Since its resurgence in February 2025, the operation has reportedly netted $4 million in total profits, with approximately $100,000 per month funneled into the pockets of the operators who manage the ransomware service. While the financial gains are substantial, they also represent a much larger and more disturbing objective—one that involves the use of cyberwarfare as a weapon of geopolitical leverage.
The implications of these findings are significant. Within Israel’s military intelligence community, there are growing concerns that the Pay2Key campaign is part of a broader strategy aimed at retaliating against the United States for its staunch support of Israel in the conflict with Iran. By launching a cyberwarfare campaign targeting Israeli infrastructure, Iran may be seeking to undermine not only Israel’s national security but also the broader alliance between Israel and the United States.
In essence, while much of the international focus has been on the physical and military aspects of the conflict, the emergence of cyberwarfare as a new front in the war between Iran and Israel (with the U.S. as a key ally) is a stark reminder of the evolving nature of global conflicts in the digital age. As the conflict moves further into the realm of cyberattacks, the line between traditional warfare and cyberwarfare continues to blur, raising concerns about the potential for widespread disruption and the long-term impact on critical infrastructure worldwide.