CyberSecurityNews

New JanaWare Ransomware Targets Turkish Users Through Customized Adwind RAT


A new ransomware strain known as JanaWare has been quietly targeting home users and small to medium-sized businesses in Turkey, using a customized version of the well-known Adwind Remote Access Trojan (RAT) as its delivery vehicle.

The campaign is notable for its focused geographic targeting, modest ransom demands, and the use of advanced evasion techniques that allowed it to fly under the radar for years.

The attack begins when a victim receives a phishing email that contains or links to a malicious Java Archive (JAR) file hosted on Google Drive.

When the victim clicks the link from Outlook, Chrome opens the Drive URL and downloads the file, which then runs under javaw.exe on the victim's system.

This seamless handoff between trusted applications makes the initial infection look routine to both the victim and basic security monitoring tools.

Once the JAR file runs, it loads a customized version of Adwind RAT, a Java-based remote access tool that has been repurposed and heavily modified to serve as a multi-stage loader for the ransomware payload.


Researchers at Acronis Threat Research Unit (TRU) identified this threat cluster after studying a series of Adwind-based intrusions that displayed unusual behavioral patterns on Turkish endpoints.

Their telemetry and sandbox analysis revealed that the Adwind samples in this campaign carried additional modules and post-exploitation scripts that were not seen in any previously documented versions of the RAT.

According to the Acronis TRU report authored by Jozsef Gegeny and David Catalan Alegre, the campaign shows evidence of activity going back to at least 2020, and a sample compiled in November 2025 confirmed that the command-and-control (C2) infrastructure was still live at the time of analysis.

JanaWare operates as a ransomware module that is dropped selectively by the Adwind RAT after the initial compromise.

Once file encryption is complete, the malware drops a Turkish-language ransom note into multiple folders, using the filename prefix "ONEMLI NOT," which translates to "Important Note."

Ransom note left by the malware (Source: Acronis)

Ransom demands across analyzed samples range from $200 to $400 USD, which is unusually low compared to enterprise-targeting ransomware groups.

This low-value, high-volume model appears designed to encourage quick payment from individuals and small businesses who may lack the resources or expertise to recover on their own.

The malware communicates exclusively through the Tor network during the encryption phase, routing all C2 traffic through anonymized infrastructure that is extremely difficult to trace.

Victims are instructed to contact the attackers using either qTox, a decentralized peer-to-peer messaging application, or through a dedicated .onion site accessed via the Tor Browser.

These communication channels are deliberately chosen to sidestep law enforcement monitoring and conventional takedown efforts.

Inside the Infection: Geofencing and Evasion Mechanics

One of the most technically interesting aspects of JanaWare is its layered approach to avoiding detection through geofencing and self-modification.

Infection chain (Source: Acronis)

Before executing any malicious activity, the malware checks the system locale, language settings, and the external IP geolocation of the host machine.

Only if the environment matches Turkish language settings and the IP address returns a country code beginning with “TR” does the malware proceed.

This means the ransomware is effectively invisible to most international security researchers and automated sandbox environments, since it simply terminates when running outside Turkey. Because Java derives its default locale from the user.language and user.country system properties, analysts can often satisfy the locale check by launching the JAR with -Duser.language=tr -Duser.country=TR; the IP check still requires a Turkish egress address or an intercepted geolocation response.

Beyond geofencing, the malware employs two publicly known Java obfuscators, Stringer and Allatori, to make its code significantly harder to reverse-engineer.

It also contains a class named FilePumper that adds random content to its own JAR archive during installation, inflating the file size and producing a unique MD5 hash on every infected machine.

Malware configuration (Source: Acronis)

This polymorphic behavior renders simple hash-based detection essentially useless against this threat; detection has to key on the parts of the archive that do not change, or on behaviour.
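The following added example (written for this page, not code from Acronis or from the malware) shows why per-file hashes fail against a FilePumper-style sample and what a more durable fingerprint looks like. It models the padding as one extra non-class entry in the JAR (an assumption; the report only says random content is added to the archive), builds two "pumped" copies of the same constructed class files, and compares their whole-file MD5 against a SHA-256 over just the .class entries. The class bytes and entry names are constructed stand-ins, not real bytecode.

```python
import hashlib
import io
import os
import zipfile

# Constructed stand-ins for compiled classes (not real bytecode); only their bytes matter here.
CLASSES = {
    "com/example/Loader.class": b"\xca\xfe\xba\xbe" + b"loader-bytecode" * 8,
    "com/example/Crypt.class": b"\xca\xfe\xba\xbe" + b"crypt-bytecode" * 8,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: com.example.Loader\n",
}

FIXED_TIME = (2020, 1, 1, 0, 0, 0)  # fixed timestamps so padding is the only difference


def build_jar(pad_bytes: bytes) -> bytes:
    """Build a JAR from CLASSES plus one junk entry standing in for FilePumper's padding (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in CLASSES.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), data)
        if pad_bytes:
            zf.writestr(zipfile.ZipInfo("META-INF/pad.bin", date_time=FIXED_TIME), pad_bytes)
    return buf.getvalue()


def md5_hex(data: bytes) -> str:
    """Whole-file MD5, the value FilePumper is designed to change on every host."""
    return hashlib.md5(data).hexdigest()


def class_fingerprint(jar_bytes: bytes) -> str:
    """SHA-256 over sorted (entry name, SHA-256 of content) pairs of every .class entry.

    Non-class entries (where the padding lands in this model) are ignored, so the value
    stays stable across pumped copies as long as the bytecode itself is unchanged.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            if not info.filename.endswith(".class"):
                continue
            h.update(info.filename.encode())
            h.update(hashlib.sha256(zf.read(info)).digest())
    return h.hexdigest()


def demo() -> dict:
    """Two pumped copies of the same code: MD5 diverges, the class fingerprint does not."""
    a = build_jar(os.urandom(4096))
    b = build_jar(os.urandom(64 * 1024))
    return {
        "md5_equal": md5_hex(a) == md5_hex(b),
        "fingerprint_equal": class_fingerprint(a) == class_fingerprint(b),
        "size_a": len(a),
        "size_b": len(b),
    }


if __name__ == "__main__":
    print(demo())
```

The same idea applies to any container format a polymorphic loader inflates: hash the components that carry the logic, not the wrapper. In practice the class-level hashes would be obfuscated by Stringer and Allatori across builds, so this fingerprint catches copies of one build spread by FilePumper, not a recompiled sample.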

Once the geofencing checks pass, the malware executes a series of PowerShell and registry commands designed to weaken the system’s defenses before encryption begins.

These steps include disabling Microsoft Defender, suppressing security alerts, removing Volume Shadow Copy (VSS) backups, disabling Windows Update, and enumerating installed antivirus products to interfere with endpoint protection integrations.

The ransomware then downloads and runs its encryption module, which uses AES encryption and transmits the key directly to the C2 server over Tor, making file recovery without that key virtually impossible.

To reduce the risk of JanaWare infection, users and organizations should disable or restrict Java Runtime Environment (JRE) execution on endpoints where it is not needed, and block the execution of JAR files from untrusted sources.

Email security gateways should be configured to flag or quarantine messages carrying Google Drive links that resolve to executable file types such as JAR archives.

Network monitoring should be set up to detect outbound connections to known C2 infrastructure such as elementsplugin.duckdns.org (IP: 151.243.109.115) on ports 49152 and 49153.

Regular offline backups remain the most reliable safeguard, and in the event of an infection, victims are advised to preserve forensic evidence and report incidents to the relevant national CERT or law enforcement before considering any payment.
