JanaWare Ransomware Attacks Turkish Users via Custom Adwind RAT
Key Takeaways A new ransomware, JanaWare, has been identified targeting individuals and small to medium-sized businesses exclusively within Turkey. The attacks leverage a customized version of the...
Key Takeaways
- A new ransomware, JanaWare, has been identified targeting individuals and small to medium-sized businesses exclusively within Turkey.
- The attacks leverage a customized version of the Adwind Remote Access Trojan (RAT) delivered via phishing emails containing malicious Java Archive (JAR) files.
- JanaWare employs sophisticated evasion techniques, including geofencing, code obfuscation, and polymorphic behavior, making it difficult to detect and analyze outside of Turkey.
- Ransom demands are low ($200-$400 USD), suggesting a high-volume, quick-payment strategy against less-resourced victims.
JanaWare Ransomware: A Targeted Campaign Against Turkish Users
A previously undocumented ransomware strain, dubbed JanaWare, has been actively targeting home users and small to medium-sized businesses (SMBs) in Turkey. This campaign, which has been operational since at least 2020, is notable for its precise geographic focus, modest ransom demands, and advanced evasion tactics that have allowed it to largely avoid detection for years. Researchers at the Acronis Threat Research Unit (TRU) recently uncovered the threat after observing unusual activity patterns involving the Adwind RAT on Turkish systems.
Table Of Content
Infection Chain and Adwind RAT Customization
The attack sequence typically begins with a phishing email that directs victims to a malicious Java Archive (JAR) file hosted on Google Drive. When a user clicks this link, often within an application like Outlook, their browser (e.g., Chrome) downloads the JAR file. This file then executes on the victim’s system via javaw.exe. This seamless transition through trusted applications makes the initial infection appear benign to both the user and basic security tools.
Upon execution, the JAR file deploys a heavily modified version of the Adwind RAT. Adwind, a well-known Java-based remote access tool, has been repurposed and enhanced in this campaign to act as a multi-stage loader for the JanaWare ransomware payload. Acronis TRU researchers, including Jozsef Gegeny and David Catalan Alegre, identified these customized Adwind samples during their analysis. Their telemetry and sandbox investigations revealed that these Adwind variants included unique modules and post-exploitation scripts not observed in any prior versions of the RAT. A sample compiled in November 2025 confirmed that the command-and-control (C2) infrastructure for the campaign remained active at the time of their research.
JanaWare’s Ransomware Operations
JanaWare functions as a ransomware module selectively deployed by the Adwind RAT after the initial system compromise. Once files are encrypted, the malware drops a ransom note in Turkish across multiple directories. These notes are prefixed “ONEMLI NOT,” which translates to “Important Note.”
Analysis of various samples showed ransom demands ranging from $200 to $400 USD. This relatively low amount, when compared to typical enterprise-targeting ransomware operations, suggests a strategy aimed at maximizing payments from individuals and smaller businesses who may lack the technical expertise or resources to recover without paying. The attackers route all C2 traffic through the Tor network during the encryption phase, utilizing anonymized infrastructure to evade tracing. Victims are instructed to communicate with the attackers via qTox, a decentralized peer-to-peer messaging application, or through a dedicated .onion site accessible via the Tor Browser. These communication methods are deliberately chosen to circumvent law enforcement monitoring and conventional takedown efforts.
Advanced Evasion and Geofencing
A key characteristic of JanaWare is its sophisticated approach to evading detection through geofencing and polymorphic behavior. Before initiating any malicious actions, the malware performs checks on the host system’s locale, language settings, and external IP geolocation. It proceeds with the attack only if these indicators align with Turkish language settings and an IP address originating from Turkey (country code “TR”). This geofencing mechanism ensures that the ransomware remains largely invisible to international security researchers and automated sandbox environments, as it simply terminates when executed outside of Turkey.
Beyond geofencing, the malware employs two publicly recognized Java obfuscators, Stringer and Allatori, to significantly complicate reverse engineering. It also includes a class named FilePumper, which appends random content to its own JAR archive during installation. This process inflates the file size and generates a unique MD5 hash for each infected machine, effectively neutralizing simple hash-based detection methods against this polymorphic threat.
Upon successful geofencing, JanaWare executes a series of PowerShell and registry commands to degrade system defenses. These actions include disabling Microsoft Defender, suppressing security alerts, removing Volume Shadow Copy (VSS) backups, disabling Windows Update, and enumerating installed antivirus products to interfere with endpoint protection. The ransomware then downloads and executes its encryption module, which uses AES encryption. The encryption key is immediately transmitted to the C2 server over Tor, making file recovery without this key practically impossible.
What You Should Do
- Disable or Restrict Java: Limit Java Runtime Environment (JRE) execution on endpoints where it is not essential. Block the execution of JAR files from untrusted sources.
- Enhance Email Security: Configure email security gateways to identify and quarantine messages containing Google Drive links, especially those delivered alongside executable file types.
- Monitor Network Traffic: Implement network monitoring to detect outbound connections to known C2 infrastructure, such as
elementsplugin.duckdns.org(IP:151.243.109.115) on ports 49152 and 49153. - Regular Offline Backups: Maintain consistent, verifiable offline backups of critical data to ensure recovery capability in the event of an infection.
- Incident Response: In case of an infection, preserve forensic evidence and report the incident to your national CERT or law enforcement before considering any ransom payment.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.