A newly analyzed ransomware campaign dubbed “JanaWare” is targeting users in Turkey by leveraging a customized version of the Adwind Remote Access Trojan (RAT).
The campaign combines stealthy delivery techniques, geographic restrictions, and polymorphic malware to evade detection while maintaining long-term activity.
Researchers identified that JanaWare is specifically designed to infect systems located in Turkey. The malware enforces strict geofencing controls by checking system language, locale settings, and external IP addresses.
Execution proceeds only if the system matches Turkish regional indicators, significantly reducing exposure to global security analysis.
Telemetry and sample analysis suggest the campaign has been active since at least 2020, with newer samples compiled as recently as November 2025.
Despite its persistence, the operation has remained relatively under the radar due to its localized targeting and use of obfuscation techniques.
The Acronis TRU team identified a threat cluster leveraging a customized Adwind (Java RAT) variant.
Victims primarily include home users and small-to-medium-sized businesses (SMBs). Unlike large ransomware groups that demand high-value payouts, JanaWare operators adopt a high-volume, low-cost strategy, with ransom demands typically ranging between $200 and $400.
Phishing-Based Infection Chain
The attack begins with phishing emails that trick users into clicking malicious links. These links often redirect victims to Google Drive-hosted payloads, leading to the download of a malicious Java archive (JAR) file.
Once executed via Java (javaw.exe), the malware establishes a foothold on the system. Endpoint detection and response (EDR) telemetry reveals a clear execution chain:
- Outlook opens the phishing email.
- Chrome opens a malicious Google Drive link.
- A JAR file is downloaded and executed.
- The Adwind-based payload deploys the ransomware module.
This method aligns with reports from victims on public forums, confirming widespread use of social engineering.
JanaWare uses multiple layers of obfuscation to hinder analysis. Researchers observed the use of publicly available tools like Stringer and Allatori, combined with custom class loaders that complicate reverse engineering.
A key feature is its polymorphic behavior. The malware modifies its own JAR file using a component called “FilePumper,” inserting random data to generate unique file hashes for each infection. This technique effectively bypasses signature-based detection systems.
Additionally, the malware contains hardcoded configuration data, including command-and-control (C2) infrastructure, authentication tokens, and TOR network settings for anonymized communication.
Ransomware Execution and Impact
After confirming the victim is located in Turkey, the malware turns off security defenses using PowerShell commands. These actions include:
- Disabling Microsoft Defender and security notifications.
- Removing Volume Shadow Copies to prevent recovery.
- Disabling Windows Update and ransomware protections.
- Interfering with installed antivirus solutions.
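Both the execution chain above (Outlook to Chrome to a JAR run under javaw.exe) and the PowerShell defense-tampering steps can be turned into a process-ancestry detection. The following is an added example, not code from Acronis TRU or from the article; the event schema, the sample telemetry and the command-line markers for the tampering steps are constructed assumptions, since the article does not quote the exact commands used.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real EDR output): one record per process.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"pid": 200, "ppid": 100, "image": "chrome.exe",
     "cmdline": "chrome.exe https://drive.google.com/uc?id=PLACEHOLDER"},
    {"pid": 300, "ppid": 200, "image": "javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\u\Downloads\fatura.jar"'},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 500, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe vssadmin delete shadows /all /quiet"},
    {"pid": 600, "ppid": 1, "image": "javaw.exe", "cmdline": "javaw.exe -jar ide.jar"},  # benign
]

# Assumed command-line markers for the Defender and shadow-copy steps the article lists.
TAMPER_PATTERNS = {
    "defender_tamper": re.compile(r"Set-MpPreference|DisableRealtimeMonitoring", re.I),
    "shadow_copy_removal": re.compile(r"vssadmin.+delete.+shadows|shadowcopy.+delete", re.I),
}

def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Return ancestor image names from the direct parent upward (capped to avoid cycles)."""
    chain: List[str] = []
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and len(chain) < 64:
        pid = by_pid[pid]["ppid"]
        chain.append(by_pid[pid]["image"].lower())
    return chain

def detect_janaware_chain(events: List[Dict]) -> List[Dict]:
    """Flag javaw.exe -jar launches descended from Outlook and Chrome, and any
    defense-tampering PowerShell children they spawn. One finding per suspect javaw."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "javaw.exe" or "-jar" not in e["cmdline"].lower():
            continue
        parents = ancestry(e["pid"], by_pid)
        phish_chain = "chrome.exe" in parents and "outlook.exe" in parents
        children = [c for c in events
                    if c["ppid"] == e["pid"] and c["image"].lower() == "powershell.exe"]
        tamper = sorted({name for c in children
                         for name, rx in TAMPER_PATTERNS.items() if rx.search(c["cmdline"])})
        if phish_chain or tamper:  # either signal alone is worth a medium alert
            findings.append({"pid": e["pid"], "cmdline": e["cmdline"],
                             "phish_chain": phish_chain, "tamper": tamper,
                             "severity": "high" if phish_chain and tamper else "medium"})
    return findings

if __name__ == "__main__":
    for f in detect_janaware_chain(SAMPLE_EVENTS):
        print(f)
```

The benign javaw.exe launch (pid 600) has no mail-to-browser ancestry and no tampering children, so it is not flagged; the Drive-delivered JAR is reported once with both signals.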
The malware then downloads a Java-based ransomware module that encrypts files across all drives using AES encryption. Communication with the C2 server occurs over the Tor network, making tracking and recovery difficult.

Encrypted systems receive a ransom note written in Turkish, instructing victims to contact attackers via qTox or Tor-based .onion sites.
The note filename includes a Turkish phrase meaning “Important Note,” reinforcing the campaign’s regional focus.

JanaWare demonstrates how smaller, regionally focused ransomware operations can persist undetected for years. Its combination of targeted delivery, geofencing, and modular design allows attackers to operate quietly while maintaining flexibility.
Security experts warn that such campaigns highlight a growing trend: localized ransomware threats that avoid global attention while exploiting specific user groups.
IOCs
| MD5 Hash | Description |
|---|---|
| 4f0444e11633a331eddb0deeec17fd69 | Adwind RAT |
| b2d5bbf7746c2cb87d5505ced8d6c4c6 | Ransomware module (JanaWare) |
