JanaWare Ransomware Targets Turkish Users via Adwind RAT


Researchers have uncovered a targeted ransomware campaign aimed at Turkish users through a customized version of the Adwind remote access trojan, or RAT.

The malware delivers a Turkish-language ransom note and appears to focus on victims in Turkey by checking both language settings and external IP geolocation before launching its final payload.

The investigation began after analysts reviewed several suspicious Java Archive, or JAR, files collected from VirusTotal. One sample stood out during testing because it dropped a ransom note on the infected machine.

The note, written in Turkish, told victims to contact the attackers via privacy-focused platforms such as qTox and, in some cases, a Tor-based onion site.

Obfuscation, Tor, and Encryption

The malware is heavily protected against analysis. Researchers found that the Java sample used known obfuscation tools such as Stringer and Allatori, along with custom class loaders to make reverse engineering harder.

It also includes a class called FilePumper that modifies the malware’s own JAR file by adding random content. This changes the file size and hash on each infected system, making simple hash-based detection less effective.
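As an added defender-side illustration (not code from the Acronis report or from the malware), the Python below simulates the size-and-hash variation described above and shows that a hash computed over the archive's entries, rather than over the raw file, stays stable across such copies. The way random content is added (bytes appended after the ZIP structure) and the sample JAR contents are assumptions made for this example.

```python
import hashlib
import io
import random
import zipfile


def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR (a ZIP) from {entry_name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            zf.writestr(name, entries[name])
    return buf.getvalue()


def pump(jar: bytes, n_random: int, seed: int) -> bytes:
    """Simulate the 'add random content' step attributed to FilePumper. Assumption:
    random bytes are appended after the ZIP structure (readers tolerate this), so
    size and file hash change while the entries do not. Seeded for reproducibility."""
    rng = random.Random(seed)
    return jar + bytes(rng.getrandbits(8) for _ in range(n_random))


def file_sha256(data: bytes) -> str:
    """The naive whole-file hash that pumping is designed to defeat."""
    return hashlib.sha256(data).hexdigest()


def content_sha256(data: bytes) -> str:
    """Hash the logical archive: sorted entry names plus SHA-256 of each entry's
    decompressed content. Trailing bytes and timestamps are ignored, so the value
    is stable across pumped copies of the same JAR."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            h.update(info.filename.encode("utf-8") + b"\x00")
            h.update(hashlib.sha256(zf.read(info)).digest())
    return h.hexdigest()


# Constructed stand-in for a JAR: a manifest and one fake class file.
SAMPLE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: a.Main\n",
    "a/Main.class": b"\xca\xfe\xba\xbe" + bytes(range(32)),
})


def compare(n_a: int = 4096, n_b: int = 8192) -> dict:
    """Two pumped copies of one JAR: file hashes diverge, the content hash holds."""
    a, b = pump(SAMPLE_JAR, n_a, seed=1), pump(SAMPLE_JAR, n_b, seed=2)
    return {
        "file_hash_differs": file_sha256(a) != file_sha256(b),
        "content_hash_same": content_sha256(a) == content_sha256(b) == content_sha256(SAMPLE_JAR),
        "sizes": (len(a), len(b)),
    }
```

A content hash of this kind is one way to keep matching known samples after per-host pumping; it does not help against copies whose classes genuinely differ.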

Ransom note left by the malware (Source: acronis)

At startup, the malware loads hard-coded configuration values that determine its behavior. These include the C2 domain, TCP ports, a version number, Tor-related paths, and a shared password.

That password acts as an authentication token during the first contact with the C2 server. It is also used to decrypt downloaded modules.

This design makes the malware flexible, allowing operators to push new features or payloads without rebuilding the whole program. Once the victim passes the Turkey-specific checks, the malware weakens local defenses.

Infection chain (Source: acronis)

It uses PowerShell and registry changes to disable or reduce Microsoft Defender protections, suppress security alerts, remove shadow copies, interfere with Windows Update, and identify installed antivirus tools.

After that, it downloads the JanaWare ransomware module, which is also written in Java. The ransomware communicates over Tor and can encrypt, delete, or even exfiltrate files.

Analysts say the malware uses AES encryption, with the encryption key sent to the C2 server through Tor. That means victims are unlikely to recover files without access to the attackers’ infrastructure.

After encryption, the malware drops ransom notes into multiple folders. The filenames are partly randomized, but they keep a fixed Turkish phrase: “ONEMLI_NOT,” which translates to “Important Note.”

The note content is embedded directly in the malware code, again reinforcing that Turkish users are the intended targets.

Acronis researchers say the campaign appears lower-profile than large enterprise ransomware operations.

However, it may have remained active for years because of its narrow focus and modest demands. Even so, JanaWare shows how smaller, localized ransomware groups can quietly operate for long periods while avoiding broad attention.
