Customized Adwind RAT Delivers JanaWare Ransomware To Turkish Victims | #ransomware | #cybercrime


Adwind Delivers JanaWare Ransomware

Customized Adwind RAT is being weaponized to deploy a new ransomware family dubbed JanaWare in a geographically focused campaign targeting Turkish users and small organizations via phishing-driven Java malware.

Researchers observed a customized Adwind Java RAT variant whose behavior diverged from other samples during sandbox testing, ultimately dropping a Turkish-language ransom note on infected systems.

The note instructs victims to contact the operators via privacy-focused channels, including qTox, a peer-to-peer encrypted messenger, or the Tor Browser to access a dedicated .onion site, underscoring the actors’ emphasis on anonymity and resilient communication.

Telemetry and victim reports suggest that this operation has been running quietly for some time, but has remained under the radar due to its regional focus and relatively modest ransom demands compared with big‑game ransomware.

Ransom note left by the malware (Source: acronis)

Technical Operation: Obfuscation, Geofencing, and Encryption

Under the hood, the Adwind-based loader is heavily hardened against analysis through multiple layers of Java obfuscation, including Stringer and Allatori, and custom class loaders to frustrate straightforward decompilation.

A dedicated FilePumper component adds large amounts of random content into the JAR archive during installation, inflating file size and ensuring that each deployed sample generates a different hash, thereby undermining simple hash-based detection and static signature matching.

Open-source tooling, such as the Java deobfuscator, can assist analysts in peeling back some of these protections. However, the combination of commercial obfuscators and polymorphism still significantly raises the bar for defenders.
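One defensive response to the FilePumper behaviour described above is to stop hashing whole JARs and instead hash only the class entries, which the padding does not touch, while flagging large, near-incompressible resource entries that look pumped. The script below is an added illustration, not Acronis tooling or part of the malware: the JAR contents are constructed stand-ins, and the size and compression-ratio thresholds are assumptions rather than values taken from JanaWare samples.

```python
import hashlib
import io
import os
import zipfile

# Constructed stand-ins for a JAR's class files (not real Adwind bytecode).
CLASS_ENTRIES = {
    "com/example/Main.class": b"\xca\xfe\xba\xbe" + b"main-bytecode",
    "com/example/Loader.class": b"\xca\xfe\xba\xbe" + b"loader-bytecode",
}


def build_jar(padding: bytes) -> bytes:
    """Build an in-memory JAR: the class entries plus one 'pumped' random resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in CLASS_ENTRIES.items():
            zf.writestr(name, data)
        if padding:
            zf.writestr("res/pad.bin", padding)  # the FilePumper-style filler
    return buf.getvalue()


def structural_hash(jar_bytes: bytes) -> str:
    """SHA-256 over sorted .class entries only; random non-class padding cannot change it."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith(".class"):
                h.update(name.encode())
                h.update(zf.read(name))
    return h.hexdigest()


def pumped_entries(jar_bytes: bytes, min_size=64 * 1024, min_ratio=0.95):
    """Flag entries that are both large and nearly incompressible (assumed thresholds).

    Deflate barely shrinks random data, so compressed/uncompressed close to 1.0
    on a big entry is a strong hint that the archive has been padded."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size >= min_size and info.compress_size / info.file_size >= min_ratio:
                flagged.append(info.filename)
    return flagged


if __name__ == "__main__":
    a, b = build_jar(os.urandom(100_000)), build_jar(os.urandom(100_000))
    print("whole-file hashes equal:", hashlib.sha256(a).digest() == hashlib.sha256(b).digest())
    print("structural hashes equal:", structural_hash(a) == structural_hash(b))
    print("pumped entries:", pumped_entries(a))
```

Two copies of the same pumped sample get different whole-file hashes but an identical structural hash, which is the value worth pivoting on in telemetry.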

Infection chain (Source: acronis)

The malware’s configuration is embedded in a Java class. It defines its command-and-control infrastructure, including a DuckDNS-based domain and two TCP ports that form the core C2 channel.

Notably, the configuration references Tor-related paths and components, enabling the RAT and its modules to tunnel communications over the Tor network for additional obfuscation and anonymity.

After encryption, the malware drops Turkish ransom notes with partially randomized filenames that always include a fixed _ONEMLI_NOT_ component (“Important Note” in Turkish), indicating that both the language and the naming are deliberately aligned with local victims.

Static analysis shows that the ransomware relies on AES-based file encryption, with keys transmitted back to the C2 infrastructure over Tor, making decryption practically impossible without the attackers’ cooperation.

Current reporting indicates that Acronis EDR/XDR solutions can detect and block this threat cluster. However, the operation remains active, with C2 infrastructure observed online as recently as late 2025.

Given this attack pattern, organizations in Turkey, especially small businesses and home users, should treat unsolicited emails linking to Google Drive downloads with extreme caution, ensure Java is strictly controlled or removed where it is not needed, and deploy behavior-based detection capable of catching obfuscated Java RATs and staged ransomware modules.
