JanaWare Ransomware Campaign Targets Turkey Using Modified Adwind RAT Since 2020


A newly uncovered cyber campaign involving JanaWare ransomware is specifically targeting users in Turkey. Researchers have traced this activity to a tailored version of the Adwind Remote Access Trojan (RAT). This analysis was conducted by Acronis’ Threat Research Unit (TRU), which identified the threat cluster during an investigation into suspicious Java-based malware samples.

The JanaWare ransomware operation has reportedly been active since at least 2020. Evidence from malware samples and associated infrastructure indicates that the campaign has persisted into late 2025, suggesting ongoing activity that remains largely undetected.

Technical Mechanics of the Attack

The attack leverages a modified Adwind RAT with polymorphic capabilities: the malware alters its file structure on each deployment, so no two infections share the same file hash. Combined with code obfuscation, this has likely contributed to the campaign's low visibility in signature-based detection.

In contrast to larger ransomware groups that typically target high-value enterprises, the JanaWare ransomware adopts a different approach. Observed ransom demands range from $200 to $400, indicating a strategy that prioritizes volume over substantial individual payouts.

Phishing as the Primary Infection Vector

The JanaWare ransomware campaign primarily propagates through phishing emails. Victims are enticed into clicking malicious links that lead to the download of a Java archive file, often hosted on cloud storage platforms.

Telemetry data reviewed by researchers reveals a consistent attack chain. A phishing email is opened in Microsoft Outlook, followed by a browser session that downloads the malicious file. The file is then executed using Java, triggering the infection process.

User reports on public cybersecurity forums corroborate this assessment, further supporting the notion that phishing serves as the main entry point for the malware.

Geofencing: A Targeted Approach

A notable characteristic of the JanaWare ransomware is its use of geofencing. The malware is designed to execute only on systems that meet specific regional criteria linked to Turkey. It checks the system language, locale settings, and the external IP geolocation before proceeding. If these values do not match the expected Turkish settings, the malicious activity is halted. A practical consequence for analysts is that a sandbox presenting a non-Turkish locale or exit IP will observe no malicious behaviour at all.

This approach serves both operational and defensive purposes, allowing attackers to concentrate on a specific region while minimizing exposure to global security monitoring and automated analysis systems.

Evasion Techniques: Obfuscation and Polymorphism

The JanaWare ransomware employs multiple techniques to evade detection. Researchers have identified the use of established obfuscation tools such as Stringer and Allatori, in addition to custom methods that complicate analysis.

The malware features a self-modifying component that alters its file structure during deployment. By incorporating random data into its Java archive, each instance generates a unique file hash, thereby limiting the effectiveness of signature-based detection.
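The following is an added example, not code from the Acronis report or the malware itself, showing why the per-instance randomisation described above defeats whole-file hashing and how a content-based hash over the archive's class entries restores a stable identifier. The JAR entries are constructed placeholder bytes (the class files are not valid bytecode), and the way random data is inserted (a junk resource entry under a random name) is an assumption standing in for whatever the real sample does.

```python
"""Polymorphic JAR vs. whole-file hashing: constructed demonstration."""
import hashlib
import io
import os
import zipfile

# Constructed stand-in for a JAR's contents. Placeholder bytes only; the
# "class" entries are not real bytecode and nothing here is malware.
BASE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n",
    "Loader.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + bytes(64),
    "Loader$1.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + bytes(32),
}


def build_jar(entries):
    """Write entries into an in-memory ZIP (a JAR is a ZIP with a manifest).
    A fixed timestamp keeps two builds of identical content byte-identical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def polymorph(entries, junk_len=512):
    """Assumed self-modifying step: same code, plus one resource entry holding
    random bytes under a random name. The JVM ignores the extra resource, but
    every build has a different SHA-256."""
    junk_name = "META-INF/" + os.urandom(8).hex() + ".bin"
    return build_jar({**entries, junk_name: os.urandom(junk_len)})


def file_sha256(jar):
    """Whole-file hash: the identifier signature feeds typically rely on."""
    return hashlib.sha256(jar).hexdigest()


def class_hash(jar):
    """Stable identifier: SHA-256 over the sorted names and contents of the
    .class entries only, so random resources and entry order do not matter."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in sorted(n for n in zf.namelist() if n.endswith(".class")):
            h.update(name.encode())
            h.update(b"\0")
            h.update(zf.read(name))
    return h.hexdigest()


if __name__ == "__main__":
    original = build_jar(BASE_ENTRIES)
    a, b = polymorph(BASE_ENTRIES), polymorph(BASE_ENTRIES)
    print("file sha256 differs between builds:", file_sha256(a) != file_sha256(b))
    print("class hash stable across builds:",
          class_hash(a) == class_hash(b) == class_hash(original))
```

The point for detection engineering is that a hash computed over the code-bearing entries survives the randomisation, whereas the file hash is worthless after the first sample; a similar idea underlies import-hash and section-hash techniques used for native executables.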

Embedded configuration parameters control the malware’s behavior, including command-and-control server details, communication ports, and authentication values used during initial connections.

Disabling Security Controls Before Encryption

Before initiating the encryption of files, the malware attempts to weaken system defenses. It executes commands to disable Microsoft Defender, suppress security alerts, and eliminate recovery mechanisms such as Volume Shadow Copies.

Additionally, it interferes with Windows Update and scans for installed antivirus software. These actions significantly reduce the likelihood of detection or recovery once the ransomware payload is activated.
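As an added example covering both the delivery chain described under the phishing section (Outlook, then a browser, then Java executing a downloaded archive) and the defence-tampering steps above, the code below runs two detections over constructed process-creation events in the style of Sysmon Event ID 1 (image, parent image, command line). This is not code or telemetry from the report. The sample command lines are common tampering idioms (vssadmin, Set-MpPreference, the Defender notifications registry key, stopping wuauserv) chosen for illustration; the report does not publish the campaign's exact commands, and file names and paths are invented.

```python
"""Two detections over constructed process-creation events (not real telemetry)."""
import ntpath
import re

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe"}
JAVA = {"java.exe", "javaw.exe"}
USER_DROP_DIRS = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)

# Illustrative defence-tampering command patterns; assumed, not from the report.
TAMPER_PATTERNS = {
    "shadow-copy deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "defender disabled": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "security alerts suppressed": re.compile(
        r"Windows Defender Security Center\\Notifications.*DisableNotifications", re.I),
    "windows update stopped": re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+wuauserv\b", re.I),
}

# Constructed sample events. Paths and file names are invented.
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://example.invalid/doc'},
    {"id": 2, "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files\Java\jre-8\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre-8\bin\javaw.exe" -jar "C:\Users\user\Downloads\document.jar"'},
    {"id": 3, "parent": r"C:\Program Files\Java\jre-8\bin\javaw.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"id": 4, "parent": r"C:\Program Files\Java\jre-8\bin\javaw.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoP -W Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 5, "parent": r"C:\Program Files\Java\jre-8\bin\javaw.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f'},
    {"id": 6, "parent": r"C:\Program Files\Java\jre-8\bin\javaw.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c sc stop wuauserv"},
    # Benign controls: a Java app launched from Explorer outside a download
    # directory, and an administrator listing (not deleting) shadow copies.
    {"id": 7, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre-8\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre-8\bin\javaw.exe" -jar "C:\Program Files\Tool\app.jar"'},
    {"id": 8, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
]


def _base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (event id, rule, detail) for each event that matches a rule."""
    hits = []
    for ev in events:
        image, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
        # Rule 1, the delivery chain: a JVM started with -jar either directly by
        # a browser or on an archive sitting in a user download/temp directory.
        if image in JAVA and re.search(r"\s-jar\s", cmd):
            if parent in BROWSERS or USER_DROP_DIRS.search(cmd):
                hits.append((ev["id"], "jar-launch", f"{parent} -> {image}"))
        # Rule 2, defence tampering spawned by a JVM: legitimate Java software
        # has no business deleting shadow copies or reconfiguring Defender.
        if parent in JAVA:
            for label, pattern in TAMPER_PATTERNS.items():
                if pattern.search(cmd):
                    hits.append((ev["id"], "defense-tampering", label))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Rule 1 fires on the second event in the chain, not the first: Outlook opening a browser is normal and only becomes interesting once the browser hands a downloaded archive to the JVM, which is why the parent-child relationship, rather than any single process, is the detection unit. Rule 2 is keyed on the JVM parent so that an administrator running the same commands interactively does not trip it.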

The encryption itself is performed by a secondary module delivered after the initial compromise. This module uses AES to encrypt files and communicates with its command-and-control infrastructure over the Tor network.

Ransom Notes Indicating a Targeted Approach

Following the encryption of files, the malware drops ransom notes across affected systems. These notes are written in Turkish and instruct victims to contact the attackers through encrypted communication channels such as qTox or Tor-based websites.

The consistent use of Turkish-language content, combined with geofencing, underscores a deliberate focus on users in Turkey rather than a broader, global campaign.

The JanaWare ransomware campaign exemplifies how targeted, lower-profile operations can persist over extended periods without attracting significant attention. By concentrating on home users and small businesses while maintaining relatively low ransom demands, the attackers appear to sustain a steady but less visible operation.

Researchers caution that such localized campaigns may continue to operate alongside larger ransomware groups, adding another dimension to the evolving threat landscape.

For further details on this ongoing issue, refer to the original reporting source: thecyberexpress.com.
